Microsoft fixes zero-day vulnerability and many other bugs
Yesterday was September 10, 2024, and you know what that means: it was Patch Day, the second Tuesday of every month, when Microsoft releases security updates for Windows.
This time, 79 security vulnerabilities have been addressed, and all but one are classified as "high" or "critical". According to Microsoft, four of the vulnerabilities are already being exploited in the wild, so make sure you update as soon as you can.
What versions of Windows are affected?
Most of the vulnerabilities, 67 in total, are spread across the various versions of Windows, including Windows 10, Windows 11, and Windows Server.
Windows 7 and 8.1 are no longer mentioned in the security reports, but they may well still be vulnerable. Unless you have a very good reason not to, you should consider switching to Windows 10 (22H2) or Windows 11 (23H2) to continue receiving security updates. (Note that support for Windows 10 ends in 2025, so Windows 11 is the better choice.)
Patch Day also includes updates for Windows 11 24H2, although this fall update is still being tested with Insiders and is not yet publicly available.
That said, if you are still running Windows 11 22H2, you should upgrade to Windows 11 23H2 as soon as possible. Otherwise you run the risk of a forced update, which can get in the way at an inconvenient moment. (Windows 11 22H2 will receive its last security update on October 8, 2024.)
Windows zero-day vulnerabilities
As mentioned, a few of the Windows security vulnerabilities are already being used in real-world attacks. (Whether one of them, the spoofing issue CVE-2024-43461, is actually being exploited is disputed.)
Microsoft has not provided much detail about these zero-day vulnerabilities in the Security Update Guide, but Dustin Childs touches on them on the Zero Day Initiative blog. Childs writes that the spoofing exploit was discovered in the wild and reported to Microsoft, but Microsoft does not list the vulnerability as exploited.
Critical security vulnerabilities on Patch Day in September 2024
CVE | Affected software | Severity | Impact | Exploited | Publicly known beforehand |
---|---|---|---|---|---|
CVE-2024-43491 | Windows Update | critical | RCE | yes | no |
CVE-2024-38217 | Windows Mark of the Web | high | SFB | yes | yes |
CVE-2024-38014 | Windows Installer | high | EoP | yes | no |
CVE-2024-38226 | Office: Publisher | high | SFB | yes | no |
CVE-2024-43461 | Windows MSHTML | high | Spoofing | disputed * | no |
CVE-2024-38119 | Windows NAT | critical | RCE | no | no |
CVE-2024-38018 | SharePoint Server | critical | RCE | no | no |
CVE-2024-43464 | SharePoint Server | critical | RCE | no | no |
RCE: Remote Code Execution
EoP: Elevation of Privilege
SFB: Security Feature Bypass
Regarding CVE-2024-38217, Microsoft says that this Security Feature Bypass vulnerability is not only being exploited but was also publicly known beforehand. It affects the "Mark of the Web" (MotW) on downloaded files and makes it possible to bypass the protection that the mark normally triggers.
Regarding CVE-2024-43491, this is the only Remote Code Execution (RCE) issue among the four zero-days. It affects only some older versions of Windows 10 and can only be closed by first installing update KB5043936 and then update KB5043083. Microsoft says newer versions of Windows 10 are not affected.
Regarding CVE-2024-38014, this Elevation of Privilege (EoP) vulnerability exists in Windows Installer on all currently supported versions of Windows, including the Server editions. An attacker exploiting it could gain SYSTEM-level access without user interaction. (The exact mechanism is unclear, but attackers often chain EoP vulnerabilities with RCE vulnerabilities to run malicious code with elevated rights.)
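For readers who want to see what the Mark of the Web mentioned above actually is: Windows stores it as an NTFS alternate data stream named `Zone.Identifier` on each downloaded file, and SmartScreen and Office Protected View key off the `ZoneId` value in that stream. The following PowerShell snippet is an added example, not code from the PC-WELT article or from Microsoft; the function names, the demo file path and the folder audit are my own, and it assumes an NTFS volume on Windows.

```powershell
# Added example: read the Mark of the Web (MotW) from a file's Zone.Identifier
# alternate data stream. ZoneId 3 = Internet, 4 = Restricted; a file with no
# stream at all is treated by Windows as a trusted local file.
function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{ Path = $Path; HasMotw = $false; ZoneId = $null; ReferrerUrl = $null; HostUrl = $null }
    try {
        # -Stream reads the alternate data stream; it throws if the stream is absent.
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return [pscustomobject]$result
    }
    $result.HasMotw = $true
    foreach ($line in $lines) {
        # The stream is INI-style: [ZoneTransfer] / ZoneId=3 / ReferrerUrl=... / HostUrl=...
        if ($line -match '^(ZoneId|ReferrerUrl|HostUrl)=(.*)$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$result
}

# Audit a folder for files that carry no MotW, or a zone below Internet.
# After a MotW bypass, downloaded files look exactly like this to Windows.
function Find-FilesWithoutMotw {
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))
    Get-ChildItem -LiteralPath $Folder -File -Recurse |
        ForEach-Object { Get-MotwInfo -Path $_.FullName } |
        Where-Object { -not $_.HasMotw -or [int]$_.ZoneId -lt 3 }
}

# Constructed demonstration: create a file, stamp it as an Internet download,
# and read the mark back. A file missing the stream reports HasMotw = False.
$demo = Join-Path $env:TEMP 'motw-demo.txt'   # hypothetical demo path
Set-Content -LiteralPath $demo -Value 'sample'
Set-Content -LiteralPath $demo -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Get-MotwInfo -Path $demo | Format-List
```

Run `Find-FilesWithoutMotw` against a download folder to spot files that arrived without the mark; `Unblock-File` is the built-in cmdlet that removes the stream, so its use on a fleet is also worth watching in logs.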
Other critical Windows vulnerabilities
There are also several further vulnerabilities classified as critical, some of which affect Windows and are not yet known to be exploited.
The RCE vulnerability CVE-2024-38119 affects Network Address Translation (NAT) and requires the attacker to be on the same network segment. This is because NAT traffic is usually not routable, so the flaw cannot be exploited across network boundaries.
Windows Remote Desktop Services also has seven vulnerabilities, including four RCE vulnerabilities. There is another RCE vulnerability each in Microsoft Management Console (CVE-2024-38259) and Power Automate for desktop (CVE-2024-43479).
Microsoft Office vulnerabilities
This month Microsoft has addressed 11 vulnerabilities in its Office products, including one zero-day and two further vulnerabilities classified as critical.
The Security Feature Bypass vulnerability CVE-2024-38226 in Microsoft Publisher was discovered by an unknown party and exploited straight away. To exploit it, the attacker must persuade the user to open a specially prepared file in Publisher. If that succeeds, Office's macro policies are bypassed and malicious code is executed.
Microsoft rates two RCE vulnerabilities in SharePoint Server (CVE-2024-38018, CVE-2024-43464) as critical. A further RCE vulnerability in SharePoint Server (CVE-2024-38227) and one in Visio (CVE-2024-43463) are only rated high.
SQL Server vulnerabilities
Microsoft has addressed 13 security vulnerabilities in SQL Server this month, six of which are RCE vulnerabilities with a CVSS score of 8.8. Microsoft has also closed three EoP vulnerabilities and four information disclosure vulnerabilities.
Browser updates
The latest security update for the Microsoft Edge browser is version 128.0.2739.63 from September 3, based on Chromium 128.0.6613.120. However, it has not yet appeared in the Security Update Guide. (The release notes are also rather sparse and only appeared a week later.) The Edge update 128.0.2739.67 of September 5 fixes only a few bugs.
Google, on the other hand, released a new security update for Chrome on September 10, which fixes a number of vulnerabilities classified as high risk. Microsoft has not yet followed with a corresponding Edge update.
This article appeared in our sister publication PC-WELT and was translated and localized from German.