In its September 2024 Patch Tuesday release, Microsoft has revealed a large security update addressing 79 vulnerabilities, including three actively exploited zero-day flaws. The tech giant also resolved 26 additional issues in its Edge browser, emphasizing the ongoing need for vigilance in the face of evolving cyber threats.
Critical Vulnerabilities Under Active Exploitation
Among the most pressing concerns are three vulnerabilities currently being exploited in the wild:
- CVE-2024-38014: A Windows Installer Elevation of Privilege Vulnerability (CVSS score: 7.8)
- CVE-2024-38217: A Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability (CVSS score: 5.4)
- CVE-2024-38226: A Microsoft Publisher Security Feature Bypass Vulnerability (CVSS score: 7.3)
Satnam Narang, senior staff research engineer at Tenable, highlighted the significance of CVE-2024-38226 and CVE-2024-38217, stating, “Exploitation of both… can lead to the bypass of important security features that block Microsoft Office macros from running.” He added that while both require a user to open a specially crafted file, CVE-2024-38226 necessitates authenticated local access for exploitation.
The LNK Stomping Technique
According to findings from Elastic Security Labs, CVE-2024-38217, also known as “LNK Stomping,” has reportedly been exploited since February 2018. This long-standing vulnerability underscores the persistent nature of some security threats and the importance of regular patching.
The Windows Update Vulnerability: CVE-2024-43491
Perhaps the most alarming discovery in this patch cycle is CVE-2024-43491, a Microsoft Windows Update Remote Code Execution Vulnerability with a critical CVSS score of 9.8. While Microsoft states that exploitation of this specific vulnerability has not been detected, it bears similarities to a downgrade attack recently detailed by cybersecurity firm SafeBreach.
The vulnerability affects the Servicing Stack, potentially rolling back fixes for previously mitigated vulnerabilities on Windows 10 version 1507 systems. Microsoft explained, “This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024 — KB5035858 (OS Build 10240.20526) or other updates released until August 2024.”
Mitigation and Resolution
To address CVE-2024-43491, Microsoft recommends a two-step process:
- Install the September 2024 Servicing stack update (SSU KB5043936)
- Apply the September 2024 Windows security update (KB5043083)
It’s crucial to follow this order to ensure proper mitigation of the vulnerability.
The September 2024 Patch Tuesday release underscores the constant cat-and-mouse game between software developers and malicious actors. With 79 vulnerabilities addressed—seven rated Critical, 71 Important, and one Moderate—organizations and individuals must prioritize timely patching and system updates.