Microsoft Fixes Four 0 Days – One Used for SIX YEARS
This month Redmond fixes 79 security flaws in Windows and other products.
As the clock ticks, it’s Patch Tuesday time again. What exciting treasures has Microsoft brought us for September? Several bugs are being exploited in the wild, including a critical CVSS 9.8 vuln.
The batch also includes CVE-2024-38217: the zero-day that the scrotes have known about for six years. In today’s SB Blogwatch, we put the Wayback Machine on Stun.
Your humble blogwatcher has curated these bloggy bits for your entertainment. Not to mention: Polaris.
Week B: The Bugs Are Out!
What’s the craic? Lawrence Abrams reports: Patch Tuesday fixes 4 zero-days, 79 bugs
“It has been widely used since 2018”
This Patch Tuesday also lists seven critical vulnerabilities, which are either remote code execution or elevation of privilege vulnerabilities. … The four actively exploited zero-days are:
CVE-2024-38014 – Windows Installer Elevation of Privilege…
CVE-2024-38217 – Windows Mark of the Web Security Feature Bypass …
CVE-2024-38226 – Microsoft Publisher Security Feature Bypass …
CVE-2024-43491 – Microsoft Windows Update Remote Code Execution.
…
[The] Mark of the Web Security Feature Bypass … the vulnerability was publicly disclosed last month by Joe Desimone … and is believed to have been exploited since 2018. [It] allows custom LNK files … to make the file open when passing … security warnings [and] causes the command in the LNK file to execute without warning.
What’s a 9.8 doozy? Gyana Swain IDs: Microsoft warns about old bug updates Windows 10, patches serious errors
“Prevent further rollbacks”
Rated 9.8 out of 10 in severity, CVE-2024-43491 … affects devices running Windows 10 version 1507, including Windows 10 Enterprise 2015 LTSB (long-term servicing branch) and Windows 10 IoT Enterprise 2015 LTSB, which is still supported. … (Later versions of Windows 10 are not affected.)
…
This issue is caused by a coding error introduced by security updates released between March and August 2024. … Subsequent updates or security patches released since March 12 may cause the servicing process to revert optional components such as Internet Explorer 11, Windows Media Player, and the MSMQ server core to their unpatched versions, leaving them vulnerable. … The September 2024 Servicing Stack Update (KB5043936) and the corresponding Security Update (KB5043083) … should “prevent rollbacks” and restore system security.
A horse’s mouth? MSRC puts on a brave face: CVE-2024-43491
“It caused a code error”
This CVE is marked as Usage Available. [It] documents the rollback of fixes that address vulnerabilities that affected … Windows 10 (version 1507). Some of these CVEs were known to be exploited.
…
Starting with the Windows security update released on March 12, 2024, … As a result, any Optional Components that were serviced with updates released since March 12, 2024 (KB5035858) were seen as “not working” by the servicing stack and reverted to their RTM version.
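The two quotes above describe the rollback condition and its remedy: only Windows 10 version 1507 is affected, and the September 2024 SSU (KB5043936) plus LCU (KB5043083) stop the servicing stack from reverting optional components to RTM. Here is an added audit script for checking a host against exactly that; it is not from the article, BleepingComputer, CSO or Microsoft. It assumes build 10240 is the 1507 RTM build, that Get-HotFix reports the LCU by KB id (SSUs are not always listed there, so a missing KB5043936 is flagged as “unconfirmed” rather than definitively absent), and the DISM feature names used for the three optional components are assumptions.

```powershell
# Added example, not code from the article or from Microsoft.
# Audit one Windows 10 host for the CVE-2024-43491 rollback condition.
# Run in an elevated PowerShell session on the host being checked.

$affectedBuild = 10240                       # Windows 10 version 1507 RTM build (assumed)
$requiredLcu   = 'KB5043083'                 # September 2024 Security Update (from the article)
$requiredSsu   = 'KB5043936'                 # September 2024 Servicing Stack Update (from the article)

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber

if ($build -ne $affectedBuild) {
    Write-Output "Build $build is not Windows 10 version 1507; CVE-2024-43491 does not apply."
    return
}

# Installed update ids as reported by the hotfix inventory.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

$lcuPresent = $installed -contains $requiredLcu
$ssuPresent = $installed -contains $requiredSsu   # may be absent from Get-HotFix even when installed

if ($lcuPresent) {
    Write-Output "Windows 10 1507 host has $requiredLcu installed: rollback fix present."
} else {
    Write-Warning ("Windows 10 1507 host is missing {0}. Optional components serviced since " +
                   "March 12, 2024 may have been reverted to RTM; install the September 2024 SSU and LCU.") -f $requiredLcu
}
if (-not $ssuPresent) {
    Write-Output "$requiredSsu not reported by Get-HotFix (unconfirmed); verify via Windows Update history."
}

# The article names three optional components that revert to RTM. List which of them are
# enabled so an admin knows whether the rollback actually exposes this host.
# Feature names below are assumed DISM names, not values taken from the article.
$features = @('Internet-Explorer-Optional-amd64', 'WindowsMediaPlayer', 'MSMQ-Server')
Get-WindowsOptionalFeature -Online |
    Where-Object { $features -contains $_.FeatureName -and $_.State -eq 'Enabled' } |
    Select-Object FeatureName, State
```

On a fleet, the same checks are easier to run through your existing inventory tooling; the point of the script is the decision order: confirm the build first, then the LCU, then which of the reverting components is actually enabled, since a 1507 host with none of them enabled has far less exposure than one serving MSMQ.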
How do these things keep happening? StrangerHereMyself complains thusly:
Windows development is staffed by $6-an-hour [overseas contractors]. Microsoft is no longer serious about the development of Windows; it only adds features that will improve its quality and stock price (like the terrible AI). The attack surface is therefore getting bigger and bigger. Nothing is ever removed because no one knows if it will damage things.
Skilled people have all been transferred to other projects: Most likely AI and Azure.
Is that right? gweihir, on the other hand, admits:
Yes, it looks like that. These things are getting worse, relative to the capabilities of the attackers. MS is really lacking on the engineering side.
Better install the patch rollup ASAP, eh? Wannabe Techguy has a better idea:
“Even better, stop installing Windows” – the best advice. I got out of that mess in 2012.
Victory or death! u/joshtaco translates to Orcish:
Lok-tar ogar! Ready to push this to 10,000 servers/workstations. … All updated, no content visible.
Meanwhile, Ritchcraft has feelings:
As far as I’m concerned, Windows is the only major zero-day vulnerability right now. Thank you Nadella.
And finally:
“The hottest new project of all time.”
Previously in And Finally
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites – so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image credit: NordWood (via Unsplash; leveled and cropped)