
Here’s what Microsoft fixed in September’s Patch Tuesday

The tech giant's regular vulnerability list includes new vulnerabilities for Windows Updater and Installer.

The vulnerabilities disclosed in Microsoft’s Patch Tuesday report include several zero-days affecting Windows products, among them the Windows Installer and Windows Update components.

The tech giant’s Tuesday announcement includes 79 different vulnerabilities, with at least seven rated critical by Microsoft. Three of those vulnerabilities — CVE-2024-38014, CVE-2024-38217, CVE-2024-38226 — have been exploited in the wild.

The vulnerabilities impacting Windows Update and Installer — CVE-2024-43491 and CVE-2024-38014, respectively — could lead to attackers gaining complete access to systems.

The exploited Windows Update vulnerability allows hackers to remove patches and exploit older, previously mitigated vulnerabilities. However, the bug only impacts versions of Windows 10 that are end-of-life (EOL) products. To fix the bug, admins must install the September 2024 Servicing Stack Update (SSU KB5043936) and the Windows security update (KB5043083). Microsoft states it is unaware of any active exploitation of CVE-2024-43491; however, because the bug can undo previous fixes, it could be chained with several other exploits in an attack.
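A quick way for an administrator to confirm that the two updates named above are actually present on a Windows 10 host is to query the installed hotfix list. This PowerShell snippet is an added example, not code from the article or from Microsoft; it assumes that both KB identifiers are reported by Get-HotFix (on some builds the servicing stack update is bundled into the cumulative update and may not appear as a separate entry, so a missing SSU entry should be checked against Windows Update history before being treated as a gap).

```powershell
# Added example: verify that the September 2024 updates named in the article
# (SSU KB5043936 and security update KB5043083) are installed on this host.
function Test-SeptemberUpdates {
    param(
        # KB identifiers taken from the article; adjust if Microsoft revises them.
        [string[]]$RequiredUpdates = @('KB5043936', 'KB5043083')
    )
    # Get-HotFix reports installed updates by their KB identifier.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

    foreach ($kb in $RequiredUpdates) {
        [pscustomobject]@{
            Update    = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

# Report each required update and the OS build, so the build can be compared
# with the fixed build Microsoft lists for CVE-2024-43491.
Test-SeptemberUpdates | Format-Table -AutoSize
"OS build: $((Get-CimInstance Win32_OperatingSystem).Version)"
```

Run it in an elevated PowerShell session; any row reporting `Installed : False` means the rollback protection described above is not yet in place on that machine.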


CVE-2024-38014, meanwhile, is another publicly exploited vulnerability, this one in Windows Installer, that allows a hacker to gain SYSTEM privileges. Microsoft did not further explain how the bug is exploited, but credited Michael Baer of SEC Consult Vulnerability Lab with the discovery.

A Microsoft Office Publisher bug allows attackers to bypass the Office macro policies used to block untrusted or malicious files. An attacker with local privileges could trick a user into downloading and opening a weaponized file, leading to compromise. The bug impacts Microsoft Publisher 2016, Microsoft Office LTSC 2021, and Office 2019, with both the 64-bit and 32-bit versions of each product affected.

Another actively exploited vulnerability, CVE-2024-38217, affects Microsoft’s “Mark of the Web” security feature, which labels files downloaded from the internet. If exploited, this vulnerability could compromise other security features linked to the mark, such as SmartScreen and Application Reputation.
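Because SmartScreen and related protections key off the mark, defenders often want to see which downloaded files actually carry it. On NTFS the Mark of the Web is stored as a `Zone.Identifier` alternate data stream containing a `ZoneId` value (3 for the Internet zone, 4 for Restricted Sites). The PowerShell function below is an added example, not code from the article or from Microsoft; it assumes the files live on an NTFS volume and, by default, scans the current user's Downloads folder (a constructed default path).

```powershell
# Added example: list files in a folder and report whether each carries the
# Mark of the Web (a Zone.Identifier alternate data stream with ZoneId 3 or 4).
function Get-MotwStatus {
    param(
        # Constructed default: the current user's Downloads folder.
        [string]$Path = "$env:USERPROFILE\Downloads"
    )
    Get-ChildItem -Path $Path -File | ForEach-Object {
        $zoneId = $null
        try {
            # Read the alternate data stream; throws if the file has no stream.
            $lines = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction Stop
            foreach ($line in $lines) {
                if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
            }
        } catch {
            # No Zone.Identifier stream: the file was not marked on download.
        }
        [pscustomobject]@{
            File    = $_.Name
            ZoneId  = $zoneId
            HasMotw = ($zoneId -eq 3 -or $zoneId -eq 4)
        }
    }
}

# Files with HasMotw = False never went through the mark-dependent checks.
Get-MotwStatus | Format-Table -AutoSize
```

A file fetched from the internet that shows `HasMotw : False` is one that SmartScreen and Office's macro policies will treat as local, which is exactly the condition a bypass of this feature produces; comparing the output against download logs is a practical way to spot such files after the fact.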

The vulnerability has been publicly disclosed and is exploited in the wild, Microsoft noted. Cybersecurity firm Elastic Security Labs’ Joe Desimone discovered the bug.

CISA added four of the vulnerabilities to its Known Exploited Vulnerabilities (KEV) list. 


You can read the full Patch Tuesday notes in Microsoft’s Security Resource Center.
