Microsoft Patch Tuesday September 2024: Four Zero Days and More Patched

In the September 2024 Patch Tuesday update, Microsoft addressed a total of 79 security vulnerabilities, including four actively exploited zero-day vulnerabilities.

This month’s update also includes fixes for seven critical vulnerabilities, covering both remote code execution (RCE) and elevation of privilege flaws. The update is significant for system administrators and security teams, as it addresses critical vulnerabilities that could be exploited to gain unauthorized access, execute arbitrary code, or elevate system privileges.

Compared to previous months, the September 2024 Patch Tuesday update addresses a moderate number of vulnerabilities. However, the presence of four actively exploited zero-days and seven critical vulnerabilities makes this update particularly urgent.

Microsoft Patch Tuesday: Vulnerability breakdown

The vulnerabilities patched in this update fall into these categories:
- 30 elevation of privilege vulnerabilities
- 4 security feature bypass vulnerabilities
- 23 remote code execution vulnerabilities
- 11 information disclosure vulnerabilities
- 8 denial of service vulnerabilities
- 3 spoofing vulnerabilities

Zero-day patches:

Microsoft has patched four actively exploited zero-day vulnerabilities this month, one of which was publicly disclosed prior to the official fix.

CVE-2024-38014 is a Windows Installer Elevation of Privilege vulnerability that allows attackers to gain SYSTEM-level privileges on Windows systems. Although Microsoft has not provided specific details on how this flaw was exploited, it was discovered by Michael Baer from the SEC Consult Vulnerability Lab.

Why is this critical: Immediate patching is crucial to prevent attackers from gaining unauthorized access and full control over Windows systems.

CVE-2024-38217, is a Windows Mark of the Web (MOTW) Security Feature Bypass vulnerability, publicly disclosed by Joe Desimone from Elastic Security. This flaw, which has been exploited since 2018, involves a technique called LNK stomping, which allows specially crafted LNK files to bypass Smart App Control and MOTW security warnings.

Why is this critical: Exploiting this vulnerability can enable malicious files to be executed without triggering security alerts, making users susceptible to phishing attacks and unauthorized file execution.

CVE-2024-38226, a Microsoft Publisher Security Feature Bypass vulnerability allows attackers to bypass security protections that block embedded macros in downloaded documents. The ability to bypass Office macro policies puts organizations at risk, especially those that rely on strict macro security to prevent malicious code execution.

Why is this critical: Immediate patching is recommended to prevent attackers from exploiting this vulnerability to execute malicious macros and compromise sensitive data.

CVE-2024-43491, a Microsoft Windows Update Remote Code Execution vulnerability, affects older versions of Windows 10 (specifically version 1507 and Enterprise 2015 LTSB editions), involves a roll-back of previous security fixes related to Optional Components. Attackers could exploit this rollback to reintroduce previously mitigated vulnerabilities, potentially targeting components such as Active Directory Lightweight Directory Services, Internet Explorer 11, and Windows Media Player.

Why is this critical: Given its potential to undo previous patches, it is essential to install the September 2024 Servicing Stack Update (SSU) and the latest Windows security updates as soon as possible.

Critical vulnerabilities in September 2024 update

This month’s Patch Tuesday also addressed seven critical vulnerabilities, which are either remote code execution (RCE) or elevation of privilege flaws. Here are the details and the significant risks these vulnerabilities pose.

CVE-2024-43491 Windows Update Remote Code Execution Vulnerability: This vulnerability affects the Windows Update process, specifically impacting older versions like Windows 10 (1507, Enterprise 2015 LTSB). It allows attackers to exploit previously mitigated vulnerabilities in optional components. It has a CVSS score of 9.8 and is highly dangerous.

CVE-2024-38018 Microsoft SharePoint Server Remote Code Execution: An attacker with Site Member permissions could remotely execute arbitrary code on the SharePoint Server, which is widely used in business environments.

CVE-2024-43464 SharePoint Server Remote Code Execution: This flaw allows attackers with Site Owner permissions to inject arbitrary code, posing a significant threat to organizations using SharePoint.

CVE-2024-38119 Windows Network Address Translation (NAT) Remote Code Execution: Attackers must win a race condition to exploit this vulnerability, allowing them to remotely execute code within the NAT process.

CVE-2024-38216 & CVE-2024-38220 Azure Stack Hub Elevation of Privilege: Listed together because of the common nature, these vulnerabilities allow attackers to gain unauthorized access to Azure Stack systems, elevating privileges within the system.

CVE-2024-38194 Azure Web Apps Elevation of Privilege: This flaw allows attackers to elevate their privileges due to improper authorization within Azure Web Apps.

CVE-2024-38227 SharePoint Server Remote Code Execution: Another SharePoint-related vulnerability, this one allows an attacker with Site Owner permissions to execute arbitrary code remotely.

Hadrian’s Call:

While conceding the fact that alert-based patches are a thing of the past, organizations should prioritize patching these vulnerabilities to prevent data breaches, ransomware attacks, and other malicious activities.

Vulnerabilities such as those affecting Microsoft Publisher and Windows Mark of the Web, highlight a growing trend of attackers exploiting document and web-based flaws.

The actively exploited zero-day vulnerabilities and seven critical flaws present significant security risks, including SYSTEM-level access and remote code execution. Understanding these vulnerabilities and applying patches swiftly will reduce the risk of exploitation, data breaches, and system downtimes.

The complete list of the Microsoft Patch Tuesday September 2024 updates is here.

Most importantly, it’s time to move ahead from alert-based patches to automated vulnerability discovery and management. For streamlined patch management, Hadrian’s Secure Share enables collaboration between security and development teams, simplifying and accelerating vulnerability remediation.