Microsoft September 2024 Patch Tuesday fixes 4 zero-days, 79 flaws

Today is Microsoft's September 2024 Patch Tuesday, which includes security updates for 79 flaws, including four actively exploited and one publicly disclosed zero-days.

This Patch Tuesday fixed seven critical vulnerabilities, which were either remote code execution or elevation of privileges flaws.

The number of bugs in each vulnerability category is listed below:

• 30 Elevation of Privilege Vulnerabilities
• 4 Security Feature Bypass Vulnerabilities
• 23 Remote Code Execution Vulnerabilities
• 11 Information Disclosure Vulnerabilities
• 8 Denial of Service Vulnerabilities
• 3 Spoofing Vulnerabilities

Four zero-days disclosed

This month's Patch Tuesday fixes four actively exploited, one of which was publicly disclosed. 

Microsoft classifies a zero-day flaw as one that is publicly disclosed or actively exploited while no official fix is available.

The four actively exploited zero-day vulnerabilities in today's updates are:

CVE-2024-38014 - Windows Installer Elevation of Privilege Vulnerability

This vulnerability allows attacks to gain SYSTEM privileges on Windows systems.

Microsoft has not shared any details on how it was exploited in attacks.

The flaw was discovered by Michael Baer with SEC Consult Vulnerability Lab. 

CVE-2024-38217 - Windows Mark of the Web Security Feature Bypass Vulnerability

This flaw was publicly disclosed last month by Joe Desimone of Elastic Security and is believed to have been actively exploited since 2018.

In the report, Desimone outlined a technique called LNK stomping that allows specially crafted LNK files with non-standard target paths or internal structures to cause the file to be opened while bypassing Smart App Control and the Mark of the Web security warnings.

"An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as SmartScreen Application Reputation security check and/or the legacy Windows Attachment Services security prompt," explains Microsoft's advisory.

When exploited, it causes the command in the LNK file to be executed without a warning, as demonstrated in this video.

CVE-2024-38226 - Microsoft Publisher Security Feature Bypass Vulnerability

Microsoft fixed a Microsoft Publisher flaw that bypasses the security protections against embedded macros in downloaded documents.

"An attacker who successfully exploited this vulnerability could bypass Office macro policies used to block untrusted or malicious files," explains Microsoft's advisory.

Microsoft has not shared who disclosed the flaw and how it was exploited.

CVE-2024-43491 - Microsoft Windows Update Remote Code Execution Vulnerability

Microsoft fixed a servicing stack flaw that allows remote code execution.

"Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015)," explains Microsoft's advisory.

"This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024—KB5035858 (OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability."

"This servicing stack vulnerability is addressed by installing the September 2024 Servicing stack update (SSU KB5043936) AND the September 2024 Windows security update (KB5043083), in that order."

This flaw only impacts Windows 10, version 1507, which reached the end of life in 2017. However, it also impacts Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB editions, which are still under support.

This flaw is interesting because it caused Optional Components, such as Active Directory Lightweight Directory Services, XPS Viewer, Internet Explorer 11, LPD Print Service, IIS, and Windows Media Player to roll back to their original RTM versions.

This caused any previous CVE to be reintroduced into the program, which could then be exploited.

More details about the flaw and the complete list of affected components can found in Microsoft's advisory.

Microsoft has not shared who disclosed the flaw and how it was exploited.

Recent updates from other companies

Other vendors who released updates or advisories in September 2024 include:

• Apache fixes a critical OFBiz remote code execution vulnerability that was a bypass for previously fixed flaws.
• Cisco fixed multiple vulnerabilities this month, including a backdoor admin account in Smart Licensing Utility and a command injection vulnerability in ISE.
• Eucleak attack extracts ECDSA secret keys to clone YubiKey FIDO devices.
• Fortinet released security updates for flaws in Fortisandbox and FortiAnalyzer & FortiManager.
• Google backported a fix for an actively exploited Pixel elevation of privileges flaw to other Android devices.
• Ivanti releases security updates for critical vTM auth bypass with public exploit.
• LiteSpeed Cache plugin for Wordpress fixes an unauthenticated account takeover issue.
• A SonicWall access control flaw fixed last month is now exploited in ransomware attacks.
• Veeam fixes a critical RCE vulnerability in Backup & Replication software
• Zyxel warned of a critical OS command injection flaw in its routers.

The September 2024 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the September 2024 Patch Tuesday updates.

To access the full description of each vulnerability and the systems it affects, you can view the full report here.