Microsoft Patch Tuesday: Four Zero-Day Bugs Squashed
There were 79 vulnerabilities patched in September.
Microsoft has resolved a total of 79 vulnerabilities in this month's Patch Tuesday update, including seven critical bugs and four zero days, one of which has been publicly disclosed.
The four zero days are:
CVE-2024-43491 (CVSS severity score 9.8 out of 10), a critical Windows Update Remote Code Execution (RCE) vulnerability marked as "exploitation detected"
CVE-2024-38014 (CVSS 7.8), a Windows Installer Elevation of Privilege (EoP) vulnerability
CVE-2024-38217 (CVSS 5.4), a Mark of the Web (MoTW) security feature bypass bug
CVE-2024-38226 (CVSS 7.3), another security feature bypass bug, this one in Microsoft Publisher.
CVE-2024-43491 Windows Update
Kev Breen, senior director of threat research at Immersive Labs, said CVE-2024-43491 should be "top of the list for patches this month."
The vulnerability affects the Windows Update system itself: patches for some components were rolled back to a vulnerable state, and those components will have remained vulnerable since March 2024. Fortunately, only Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) is affected.
"Some of these components were known to be exploited in the wild in the past, meaning attackers could still exploit them despite Windows update saying it is fully patched," Breen said.
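An added PowerShell inventory check, not from the article or from Microsoft, that flags which hosts in a list are running Windows 10, version 1507 and shows the most recent update installed on each, so an admin can compare it with the September 2024 update for that release. It assumes build number 10240 is the 1507 release, that WinRM/DCOM access to the hosts is available, and the host names are placeholders.

```powershell
# Added example: find hosts on Windows 10 version 1507, the only release affected by
# CVE-2024-43491, and report the latest update each one has installed.
# Assumption: build 10240 corresponds to version 1507. Host names are placeholders.
$Computers = @('host1', 'host2')   # placeholder names, replace with real hosts

$results = foreach ($c in $Computers) {
    try {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
        $build = [int]$os.BuildNumber
        $affected = ($build -eq 10240)   # 10240 = Windows 10 version 1507 (assumption)
        $latest = $null
        if ($affected) {
            # Most recently installed update on an affected host; the admin checks it
            # against the September 2024 update listed in Microsoft's advisory.
            $latest = Get-HotFix -ComputerName $c -ErrorAction Stop |
                Sort-Object InstalledOn -Descending |
                Select-Object -First 1
        }
        [pscustomobject]@{
            Computer    = $c
            Caption     = $os.Caption
            Build       = $build
            Affected    = $affected
            LatestKB    = $latest.HotFixID
            InstalledOn = $latest.InstalledOn
        }
    } catch {
        # Unreachable hosts are reported rather than silently skipped.
        [pscustomobject]@{
            Computer = $c; Caption = 'unreachable'; Build = $null
            Affected = $null; LatestKB = $null; InstalledOn = $null
        }
    }
}

# Affected hosts first, so they are at the top of the patch list.
$results | Sort-Object Affected -Descending | Format-Table -AutoSize
```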
CVE-2024-38014 Windows Installer
The CVE-2024-38014 elevation of privilege bug in Windows Installer has been exploited in the wild, so it should also be high on admins' to-do lists, said Ben McCarthy, lead cyber security engineer at Immersive Labs.
"When an attacker exploits it, they will gain full SYSTEM level privileges. As with many of the previous vulnerabilities that took advantage of the Windows Installer service, attackers will continue to use this vulnerability for the foreseeable future, therefore it is worth patching as soon as possible."
CVE-2024-38217 MoTW
CVE-2024-38217, a Windows Mark of the Web security bypass that has been publicly disclosed, could allow an attacker to manipulate the security warnings that typically inform users about the risks of opening files from unknown or untrusted sources.
"Similar MoTW bypasses have historically been linked to ransomware attacks, where the stakes are high," said Saeed Abbasi, manager of vulnerability research at Qualys Threat Research Unit. "Given the exploit's public disclosure and confirmed exploitation, it is a prime vector for cybercriminals to infiltrate corporate networks."
"CVE-2024-38217 is not only known to be exploited, but is also publicly disclosed via an extensive write-up, with exploit code also available on GitHub," noted Adam Barnett, lead software engineer at Rapid7.
CVE-2024-38226 Microsoft Publisher
The fourth zero day, CVE-2024-38226, is in Microsoft Publisher. "The vulnerability affects Microsoft Office 2019 and 2021 as well as Publisher 2016. Microsoft has rated the CVE as Important," said Chris Goettl, Vice President of Security Product Management, Ivanti.
Attackers often use security feature bypass vulnerabilities as part of a multi-step effort to breach defenses. In this case, the bug could be used to bypass the warnings about the risk of enabling macros in documents, which are a defense against phishing.
Besides the four zero days, high-severity vulnerabilities affecting SharePoint, SQL Server, Azure Stack and the Windows MSHTML Platform were also patched in this month's update.
This article originally appeared on our sister site, Computing.