In September 2024, Microsoft released security updates addressing 79 vulnerabilities, including four zero-day flaws—three of which were actively exploited and one publicly disclosed. The updates also fixed seven critical vulnerabilities related to remote code execution and privilege elevation.
The breakdown of vulnerabilities includes:
- 30 Elevation of Privilege
- 4 Security Feature Bypass
- 23 Remote Code Execution
- 11 Information Disclosure
- 8 Denial of Service
- 3 Spoofing
- CVE-2024-38014: A Windows Installer Elevation of Privilege vulnerability, allowing SYSTEM privilege attacks.
- CVE-2024-38217: A Mark of the Web (MOTW) Security Feature Bypass exploited since 2018.
- CVE-2024-38226: A Microsoft Publisher Security Feature Bypass, enabling macros in malicious files.
- CVE-2024-43491: A Windows Update Remote Code Execution vulnerability reintroducing old CVEs on Windows 10 version 1507.
Critical updates were also made for platforms such as Azure, SQL Server, and Microsoft SharePoint, addressing flaws in Azure Stack, SQL Server, Windows Hyper-V, and others. These updates underscore the importance of timely patching, especially for enterprise users.
You said:
ChatGPT said:
The September 2024 Patch Tuesday update from Microsoft fixed a total of 79 vulnerabilities, addressing several critical and high-severity issues, including four zero-day vulnerabilities. Here’s a deep dive into these vulnerabilities and their implications:
1. Overview of Patch Tuesday Fixes
- Total Vulnerabilities: 79
- Critical Vulnerabilities: 7These were either Remote Code Execution (RCE) or Elevation of Privilege (EoP) flaws.
- Four Zero-Days: Microsoft addressed four zero-day vulnerabilities, three of which were actively exploited, and one was publicly disclosed.
2. Breakdown by Vulnerability Type
- Elevation of Privilege (EoP) Vulnerabilities: 30
- Remote Code Execution (RCE) Vulnerabilities: 23
- Information Disclosure Vulnerabilities: 11
- Denial of Service (DoS) Vulnerabilities: 8
- Security Feature Bypass Vulnerabilities: 4
- Spoofing Vulnerabilities: 3
3. Details of the Four Zero-Days
a. CVE-2024-38014: Windows Installer Elevation of Privilege Vulnerability
- Description: This vulnerability allows attackers to gain SYSTEM privileges by exploiting Windows Installer. SYSTEM privileges give attackers full control over a system, allowing them to install programs, view or change data, and create new user accounts.
- Impact: The exploitation of this vulnerability could lead to full system compromise.
- Discovery: Discovered by Michael Baer from SEC Consult Vulnerability Lab.
- Microsoft's Response: No specific details have been shared about the method of exploitation, but it has been confirmed that it is being actively exploited in the wild.
b. CVE-2024-38217: Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability
- Description: This vulnerability involves a flaw in the Mark of the Web (MOTW) feature that was publicly disclosed by Joe Desimone of Elastic Security. The issue, known as “LNK Stomping,” involves creating specially crafted LNK files that bypass MOTW protections.
- Impact: By exploiting this flaw, attackers can evade Windows security features like SmartScreen, allowing them to run malicious files without triggering security warnings. This flaw has reportedly been exploited since 2018.
- Method of Exploitation: The attack leverages non-standard target paths or internal structures in LNK files. When a user opens such a file, it bypasses the standard security checks, executing commands without warnings.
- Demonstration: A video demonstration of this technique showcases how an attacker can bypass the MOTW and SmartScreen defenses.
c. CVE-2024-38226: Microsoft Publisher Security Feature Bypass Vulnerability
- Description: This vulnerability bypasses the security protections in Microsoft Publisher that are supposed to block embedded macros in downloaded documents.
- Impact: An attacker can bypass Office macro policies, which are intended to block untrusted or malicious files. This could lead to the execution of malicious macros without user consent.
- Microsoft's Response: While no details on how it was exploited or who discovered it have been released, this flaw is also actively exploited.
d. CVE-2024-43491: Windows Update Remote Code Execution Vulnerability
- Description: This vulnerability is a bit different from the others as it reintroduces older vulnerabilities to previously patched components.
- Impact: It affects older Windows 10 versions, specifically version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB), by rolling back fixes for Optional Components like Internet Explorer 11, IIS, and Windows Media Player. This could allow previously patched vulnerabilities in these components to be exploited again.
- Microsoft’s Advisory: The flaw impacts Windows systems that installed the March 2024 Windows security update (KB5035858) or later. The flaw was marked as exploited because older vulnerabilities were reintroduced, but Microsoft has not found evidence of active exploitation.
4. Critical Vulnerabilities Fixed
Several of the critical vulnerabilities fixed in this Patch Tuesday are of particular concern, especially the ones involving remote code execution. Below are a few examples:
a. CVE-2024-43495: Windows libarchive Remote Code Execution Vulnerability
- Description: This vulnerability in the Windows libarchive component could allow an attacker to remotely execute arbitrary code on the system.
- Impact: Remote code execution vulnerabilities can be particularly dangerous, as they allow attackers to run malicious code on a target system without physical access. This could lead to system takeover or malware deployment.
b. CVE-2024-43464: Microsoft SharePoint Server Remote Code Execution Vulnerability
- Description: Exploiting this vulnerability allows an attacker to execute code remotely on a SharePoint server. SharePoint is widely used in enterprise environments, making this vulnerability a high-priority target.
- Impact: Successful exploitation could lead to server compromise, data theft, or disruption of services.
c. CVE-2024-38119: Windows Network Address Translation (NAT) Remote Code Execution Vulnerability
- Description: This vulnerability affects the Windows NAT component, potentially allowing attackers to remotely execute code on affected systems.
- Impact: It is marked as critical because of its remote execution capability and the potential to impact a wide range of systems, particularly those that use NAT for network address translation.
5. Key Security Recommendations
- Patch Immediately: Given the nature of these vulnerabilities, especially the actively exploited zero-days, it is crucial for users and administrators to apply the updates as soon as possible.
- Mitigation for Older Systems: The reintroduced vulnerabilities in Windows 10 version 1507 highlight the importance of updating or migrating from older, unsupported systems.
- Monitor for Exploitation: Organizations should monitor for signs of exploitation, particularly with the LNK Stomping issue (CVE-2024-38217), as it has been in the wild for several years.
6. Broader Vendor Updates
In addition to Microsoft’s updates, several other companies released important security patches in September 2024:
- Apache OFBiz: Fixed a critical RCE vulnerability that bypassed previous patches.
- Cisco: Addressed multiple flaws, including a backdoor admin account vulnerability in its Smart Licensing Utility.
- Google: Backported fixes for an elevation of privilege vulnerability on Pixel devices to other Android devices.
- Fortinet, Ivanti, Zyxel: Released updates for critical vulnerabilities affecting their respective products.
- Veeam: Fixed a critical RCE flaw in Backup & Replication software.
7. Conclusion
Microsoft’s September 2024 Patch Tuesday delivered critical security updates, particularly for vulnerabilities being actively exploited in the wild. The four zero-days fixed highlight the persistent risk of privilege escalation and security feature bypasses. System administrators are strongly advised to apply these patches immediately, especially to systems running legacy versions of Windows.
