
Microsoft Issues Patches for 79 Flaws, Including 3 Actively Exploited Windows Flaws

Microsoft on Tuesday disclosed that three new security issues affecting the Windows platform have come under active exploitation, as part of its Patch Tuesday release for September 2024.

The monthly security release resolves a total of 79 vulnerabilities, of which seven are rated Critical, 71 are rated Important, and one is rated Moderate in severity. This is apart from 26 issues that the tech giant patched in its Chromium-based Edge browser since last month's Patch Tuesday release.

The three vulnerabilities that have been exploited in the wild are listed below, along with a fourth bug that Microsoft is treating as exploited -

CVE-2024-38014 (CVSS score: 7.8) - Windows Installer Elevation of Privilege Vulnerability

CVE-2024-38217 (CVSS score: 5.4) - Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability

CVE-2024-38226 (CVSS score: 7.3) - Microsoft Publisher Security Feature Bypass Vulnerability

CVE-2024-43491 (CVSS score: 9.8) - Microsoft Windows Update Remote Code Execution Vulnerability

"Exploitation of both CVE-2024-38226 and CVE-2024-38217 can lead to the bypass of important security features that block Microsoft Office macros from running," Satnam Narang, senior staff research engineer at Tenable, said in a statement.

"In both circumstances, the victim has to be enticed to open a specially designed file from an attacker-controlled site. Where they differ is that an attacker would need to be authenticated to the system and have local access to it to exploit CVE-2024-38226."

As disclosed by Elastic Security Labs last month, CVE-2024-38217 – commonly known as LNK Stomping – is said to have been exploited in the wild as far back as February 2018.

CVE-2024-43491, on the other hand, is notable because it is identical to the downgrade attack that cybersecurity startup SafeBreach disclosed early last month.

"Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015)," Redmond wrote.

"This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024 — KB5035858 (OS Build 10240.20526) or other updates released until August 2024."

Microsoft further said the issue can be fixed by applying the September 2024 Servicing Stack Update (SSU KB5043936) and then the September 2024 Windows security update (KB5043083), in that order.

It's also worth pointing out that Microsoft's "Exploitation Detected" assessment for CVE-2024-43491 derives from the rollback of updates that addressed vulnerabilities affecting specific Optional Components for Windows 10 (version 1507), some of which have been previously exploited.

"No exploitation of CVE-2024-43491 itself has been detected," the firm claimed. "In addition, the Windows product team at Microsoft discovered this issue, and we have seen no evidence that it is publicly known."
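As an added example (not Microsoft's or the article's own code), the following PowerShell check reads the build and update build revision (UBR) of the local host and reports whether a Windows 10 version 1507 system falls in the rollback window described above and whether both September 2024 updates are present. It assumes that Get-HotFix lists the servicing stack update by its KB ID; if it does not on a given host, DISM /Online /Get-Packages is the fallback.

```powershell
# Added example: CVE-2024-43491 exposure check for Windows 10, version 1507.
# Assumption: Get-HotFix (Win32_QuickFixEngineering) reports the SSU by KB ID.
function Test-Cve202443491Exposure {
    $ssuKb            = 'KB5043936'   # September 2024 Servicing Stack Update
    $securityKb       = 'KB5043083'   # September 2024 Windows security update
    $affectedBuild    = 10240         # Windows 10, version 1507
    $firstAffectedUbr = 20526         # KB5035858 (March 12, 2024), OS Build 10240.20526

    $ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$ver.CurrentBuildNumber
    $ubr   = [int]$ver.UBR

    $result = [pscustomobject]@{
        Build            = "$build.$ubr"
        Applies          = ($build -eq $affectedBuild)
        InRollbackWindow = $false
        HasSsu           = $false
        HasSecurityFix   = $false
        Status           = 'Not applicable (not Windows 10 version 1507)'
    }
    if (-not $result.Applies) { return $result }

    # Both KB IDs must be present; the SSU is meant to be installed first.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $result.HasSsu         = ($installed -contains $ssuKb)
    $result.HasSecurityFix = ($installed -contains $securityKb)
    $result.InRollbackWindow = ($ubr -ge $firstAffectedUbr)

    if ($result.HasSsu -and $result.HasSecurityFix) {
        $result.Status = 'Remediated: SSU and September 2024 security update installed'
    } elseif ($result.InRollbackWindow) {
        $result.Status = "Exposed: build 10240.$ubr is in the rollback window; install $ssuKb then $securityKb"
    } else {
        $result.Status = "Predates KB5035858 (10240.$firstAffectedUbr); bring fully up to date with $ssuKb then $securityKb"
    }
    return $result
}

Test-Cve202443491Exposure | Format-List
```

Run it in an elevated PowerShell session on the host being assessed; the Status field is the summary to record in a patch-compliance report.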

Software Patches from Other Vendors

In addition to Microsoft, other vendors have also released security updates over the past several weeks to fix numerous vulnerabilities, including:

Adobe

Arm

Bosch

Broadcom (including VMware)

Cisco

Citrix

CODESYS

D-Link

Dell

Drupal

F5

Fortinet

Fortra

GitLab

Google Android and Pixel

Google Chrome

Google Cloud

Google Wear OS

Hitachi Energy

HP

HP Enterprise (including Aruba Networks)

IBM

Intel

Ivanti

Lenovo

Linux distributions Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, and Ubuntu

MediaTek

Mitsubishi Electric

MongoDB

Mozilla Firefox, Firefox ESR, Focus and Thunderbird

NVIDIA

ownCloud

Palo Alto Networks

Progress Software

QNAP

Qualcomm

Rockwell Automation

Samsung

SAP

Schneider Electric

Siemens

SolarWinds

SonicWall

Spring Framework

Synology

Veeam

Zimbra

Zoho ManageEngine ServiceDesk Plus, SupportCenter Plus, and ServiceDesk Plus MSP

Zoom, and

Zyxel

Update

Microsoft on Friday updated its advisory for CVE-2024-43461 to indicate that the vulnerability has been actively exploited in the wild by a threat actor known as Void Banshee, bringing the number of zero-day issues fixed by the company this month to four.

The vulnerability, listed as CVE-2024-43461 (CVSS score: 8.8), has been classified as an MSHTML platform spoofing vulnerability similar to CVE-2024-38112, which was used by the threat actor to deploy Atlantida stealer malware.

"CVE-2024-43461 was exploited as a part of an attack chain relating to CVE-2024-38112, prior to July 2024," Microsoft wrote in the advisory. "We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain."

The disclosure comes after SEC Consult published details of CVE-2024-38014, a privilege escalation vulnerability in the Windows Installer component that could allow an attacker to obtain SYSTEM privileges.

"The MSI file format allows the creation of standardized installers that can install, remove, and repair software," security researcher Michael Baer explained. "While the installation and removal of software normally needs elevated rights, the repair function for previously installed software may be done by a low-privileged user.

"The given repair functions may, however, be run in the context of NT AUTHORITY\SYSTEM, a very high access privilege in Windows. If an attacker is able to intentionally interfere with certain functions, a privilege escalation attack is feasible."

There are a few caveats, however: the exploit requires GUI access and a compatible browser, such as Google Chrome or Mozilla Firefox. It does not work on the latest versions of Microsoft's Edge browser.

(The article was amended after publication on September 16, 2024, to reflect the ongoing exploitation of CVE-2024-43461.)
