Microsoft Issues Patches for 79 Flaws, Including 3 Actively Exploited Windows Vulnerabilities

Microsoft has released its September 2024 Patch Tuesday updates, addressing a total of 79 security vulnerabilities in its software products. Among these, three critical flaws affecting the Windows platform are currently under active exploitation by malicious actors. The update includes fixes for seven Critical, 71 Important, and one Moderate severity vulnerabilities. Additionally, Microsoft resolved 26 flaws in its Chromium-based Edge browser since the last Patch Tuesday release.

Actively Exploited Vulnerabilities

The three vulnerabilities under active exploitation are:

1. CVE-2024-38014 (CVSS score: 7.8) – Windows Installer Elevation of Privilege Vulnerability
   This vulnerability allows attackers to gain elevated privileges on a system, potentially granting them administrative access.
2. CVE-2024-38217 (CVSS score: 5.4) – Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability
   Exploitation can lead to bypassing security features that block Microsoft Office macros from running, by convincing a user to open a specially crafted file from an attacker-controlled server.
3. CVE-2024-38226 (CVSS score: 7.3) – Microsoft Publisher Security Feature Bypass Vulnerability
   Similar to CVE-2024-38217, but requires the attacker to be authenticated and have local access to exploit.

Microsoft is also treating another vulnerability as exploited:

4. CVE-2024-43491 (CVSS score: 9.8) – Microsoft Windows Update Remote Code Execution Vulnerability
   This critical flaw could allow attackers to execute arbitrary code on affected systems via Windows Update mechanisms.

Expert Insights

Satnam Narang, senior staff research engineer at Tenable, highlighted the risks:

“Exploitation of both CVE-2024-38226 and CVE-2024-38217 can lead to the bypass of important security features that block Microsoft Office macros from running. In both cases, the target needs to be convinced to open a specially crafted file from an attacker-controlled server. Where they differ is that an attacker would need to be authenticated to the system and have local access to it to exploit CVE-2024-38226.”

Details on Specific Vulnerabilities

CVE-2024-38217 (LNK Stomping)

• Background: Known as LNK Stomping, this vulnerability has been exploited in the wild since at least February 2018.
• Mechanism: Attackers manipulate shortcut files to bypass security features, allowing malicious code execution.
• Disclosure: Elastic Security Labs detailed this vulnerability last month, emphasizing its active exploitation.

CVE-2024-43491

• Similarity to Previous Attacks: This vulnerability is similar to a downgrade attack detailed by SafeBreach in August 2024.
• Microsoft’s Acknowledgment: The company stated:

“Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015). This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 systems that have installed the Windows security update released on March 12, 2024 — KB5035858 (OS Build 10240.20526) or other updates released until August 2024.”

Remediation Steps

To address CVE-2024-43491, Microsoft advises:

1. Install the September 2024 Servicing Stack Update (SSU KB5043936).
2. Then install the September 2024 Windows security update (KB5043083).

Note: The SSU must be installed before the security update to ensure proper patching.

Clarifications on Exploitation

• Microsoft clarified that while the “Exploitation Detected” assessment applies to CVE-2024-43491, it stems from the rollback of previous fixes, not from active exploitation of CVE-2024-43491 itself.
• The company emphasized:

“No exploitation of CVE-2024-43491 itself has been detected. In addition, the Windows product team at Microsoft discovered this issue, and we have seen no evidence that it is publicly known.”

Additional Vulnerabilities and Updates

CVE-2024-43461

• Update on Active Exploitation: Microsoft updated the advisory for CVE-2024-43461 to indicate active exploitation by a threat actor known as Void Banshee.
• Nature of the Vulnerability: An MSHTML platform spoofing vulnerability, similar to CVE-2024-38112.
• Impact: Used to deliver the Atlantida stealer malware.
• Microsoft’s Statement:

“CVE-2024-43461 was exploited as a part of an attack chain relating to CVE-2024-38112, prior to July 2024. We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain.”

CVE-2024-38014

• Description: A privilege escalation flaw in the Windows Installer component.
• Potential Impact: Allows attackers to gain SYSTEM privileges.
• Researcher’s Insight: Michael Baer from SEC Consult explained:

“The MSI file format allows to create standardized installers that can install, remove, and repair software. While the installation and removal of software usually requires elevated permissions, the repair function for already installed software can be performed by a low-privileged user. The issued repair functions can, however, be executed under the context of NT AUTHORITY\SYSTEM, a very high access right in Windows. If an attacker is able to maliciously interfere with those functions, a privilege escalation attack is possible.”

• Exploitation Caveats:
• Requires GUI access.
• Needs a supported browser (Google Chrome or Mozilla Firefox).
• Does not work on recent versions of Microsoft Edge.

Software Patches from Other Vendors

In addition to Microsoft’s updates, several other vendors released security patches to address vulnerabilities:

• Adobe
• Arm
• Bosch
• Broadcom (including VMware)
• Cisco
• Citrix
• CODESYS
• D-Link
• Dell
• Drupal
• F5
• Fortinet
• Fortra
• GitLab
• Google Android and Pixel
• Google Chrome
• Google Cloud
• Google Wear OS
• Hitachi Energy
• HP
• HP Enterprise (including Aruba Networks)
• IBM
• Intel
• Ivanti
• Lenovo
• Linux distributions Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, and Ubuntu
• MediaTek
• Mitsubishi Electric
• MongoDB
• Mozilla Firefox, Firefox ESR, Focus and Thunderbird
• NVIDIA
• ownCloud
• Palo Alto Networks
• Progress Software
• QNAP
• Qualcomm
• Rockwell Automation
• Samsung
• SAP
• Schneider Electric
• Siemens
• SolarWinds
• SonicWall
• Spring Framework
• Synology
• Veeam
• Zimbra
• Zoho ManageEngine ServiceDesk Plus, SupportCenter Plus, and ServiceDesk Plus MSP
• Zoom, and
• Zyxel

Importance of Timely Updates

With multiple vulnerabilities under active exploitation, it’s crucial for users and organizations to:

• Apply Patches Immediately: Prioritize installing the latest security updates.
• Follow Vendor Instructions: Ensure updates are applied in the correct order, especially when multiple patches are required.
• Stay Informed: Monitor security advisories from Microsoft and other vendors.
• Implement Security Best Practices: Use antivirus software, firewalls, and educate users about phishing and social engineering attacks.

Conclusion

Microsoft’s September 2024 Patch Tuesday highlights the ever-evolving landscape of cybersecurity threats. The active exploitation of critical vulnerabilities underscores the importance of maintaining up-to-date systems and being vigilant against potential attacks. Organizations and individuals must take immediate action to protect their systems by applying the latest patches and following security best practices.

(This article was updated on September 16, 2024, to include information about the active exploitation of CVE-2024-43461.)

By providing detailed information on the vulnerabilities, their impacts, and remediation steps, this article aims to inform readers about the critical security updates released by Microsoft and the necessity of prompt action to safeguard systems against active threats.