Microsoft's September Patch Tuesday Fixes 79 Flaws, Including 4 Zero-Days
In September's Patch Tuesday update, Microsoft resolved 79 newly disclosed Common Vulnerabilities and Exposures (CVEs), seven of which were rated critical, and re-released updates for eight older vulnerabilities. As usual, most of the patches target the Windows operating system itself, but organizations running SQL Server or SharePoint should prioritize the updates for those platforms.
The Zero-Day Vulnerabilities
Zero-Day CVE-2024-43491
The first zero-day is a critical remote-code execution vulnerability in Microsoft Windows Update (CVE-2024-43491), with a base CVSS score of 9.8. It affects systems running Windows 10, version 1507, that have certain optional components installed (for example LPD Print Service, Internet Explorer 11, or Windows Media Player) and that received the monthly security updates released between March 2024 and August 2024.
Though Windows 10 version 1507’s general support ended in 2017, two specialized editions—Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB—remain supported until October 2025. These versions received updates during this patch cycle.
Microsoft noted that this zero-day stems from a Servicing Stack issue that rolled back previously applied fixes for those optional components, so vulnerabilities that had already been patched in them became exploitable again. Later Windows 10 versions (those released after November 2015) are not affected. To remediate, administrators should install the September 2024 Servicing Stack Update (SSU, KB5043936) first and the September 2024 Windows security update (KB5043083) second; the order matters, because the SSU must be in place for the security update to install correctly.
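The following PowerShell script is an added example, not code from the article or from Microsoft. It reports whether a host matches the CVE-2024-43491 profile (Windows 10 version 1507 with one of the optional components the article names) and whether the two September updates are present, so the remediation order above can be verified rather than assumed. It assumes that version 1507 corresponds to OS build 10240, that the DISM feature names below are the ones for the three components the article lists (Microsoft's full list of affected components is longer), and that both updates are reported by Get-HotFix on that platform.

```powershell
# Added example: exposure check for CVE-2024-43491. Run in an elevated session.
# Assumptions: version 1507 == build 10240; the KB numbers are those the
# article names; the feature names are the DISM names for the three components
# the article lists (Microsoft's full affected-component list is longer).

$Ssu   = 'KB5043936'   # September 2024 Servicing Stack Update (install first)
$Patch = 'KB5043083'   # September 2024 Windows security update (install second)

$AffectedFeatures = @(
    'Printing-Foundation-LPDPrintService',  # LPD Print Service
    'Internet-Explorer-Optional-amd64',     # Internet Explorer 11
    'WindowsMediaPlayer'                    # Windows Media Player
)

function Test-Cve202443491Exposure {
    $build  = [System.Environment]::OSVersion.Version.Build
    $result = [ordered]@{
        Build             = $build
        IsVersion1507     = ($build -eq 10240)
        InstalledFeatures = @()
        SsuInstalled      = $false
        PatchInstalled    = $false
        Exposed           = $false
    }
    if (-not $result.IsVersion1507) {
        # Later Windows 10 versions are not affected; nothing more to check.
        return [pscustomobject]$result
    }

    # Which of the listed optional components are enabled on this host?
    $result.InstalledFeatures = @(
        Get-WindowsOptionalFeature -Online |
            Where-Object { $_.State -eq 'Enabled' -and $AffectedFeatures -contains $_.FeatureName } |
            ForEach-Object FeatureName
    )

    # Installed updates, as reported by Win32_QuickFixEngineering (Get-HotFix).
    # Assumption: the SSU is listed there on this platform; if your inventory
    # shows it only under Programs and Features, adjust this lookup.
    $hotfixes = @(Get-HotFix | ForEach-Object HotFixID)
    $result.SsuInstalled   = $hotfixes -contains $Ssu
    $result.PatchInstalled = $hotfixes -contains $Patch

    # Exposed when an affected component is present and the fix chain is incomplete.
    $result.Exposed = ($result.InstalledFeatures.Count -gt 0) -and
                      -not ($result.SsuInstalled -and $result.PatchInstalled)
    return [pscustomobject]$result
}

$state = Test-Cve202443491Exposure
$state | Format-List

if ($state.Exposed) {
    Write-Warning "Install $Ssu first, then $Patch. The SSU must precede the security update."
}
```

The script only reads state; it does not install anything. Running it across the estate (for example via a remoting job) gives a quick list of the 1507 LTSB hosts that still need both updates, which is the population this zero-day actually concerns.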
Zero-Day CVE-2024-38226
The second zero-day is a security feature bypass vulnerability in Microsoft Publisher (CVE-2024-38226) with a CVSS score of 7.3, affecting Publisher 2016, Office LTSC 2021, and Office 2019. Successful exploitation circumvents the Office macro policies that block untrusted files, but the attacker must first convince a user to open a specially crafted file.
Zero-Day CVE-2024-38217
The third zero-day (CVE-2024-38217), with a CVSS score of 5.4, is a Mark of the Web (MOTW) bypass vulnerability that affects both Windows desktop and server systems. Microsoft confirmed that functional exploit code exists for it; exploitation requires user interaction. A successful bypass lets an attacker's file evade the MOTW-based protections, including SmartScreen and the Windows Attachment Services prompts, that would normally warn the user before opening content from the Internet.
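The following PowerShell script is an added example, not code from the article. It shows how the Mark of the Web is actually carried (as the Zone.Identifier alternate data stream on NTFS) and how to audit a download location for files that lack it, which is what a MOTW bypass of the kind described above produces. The sample files and the URL in the stream are constructed here for the demonstration; the audit function is the reusable part.

```powershell
# Added example: inspect and audit Mark of the Web. SmartScreen and Attachment
# Services read the Zone.Identifier stream when a file is opened; a file that
# arrives without it (or with a stream they ignore) gets no prompt.
# Assumptions: NTFS volume; sample files below are constructed, not real data.

$UrlZoneInternet  = 3   # URLZONE_INTERNET
$UrlZoneUntrusted = 4   # URLZONE_UNTRUSTED

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $stream = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return $null   # no Zone.Identifier stream means no MOTW
    }
    # The stream is an INI fragment: [ZoneTransfer], ZoneId=3, optional ReferrerUrl/HostUrl.
    foreach ($line in $stream) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null   # stream present but no ZoneId: treat as unmarked
}

function Find-FilesWithoutMotw {
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -LiteralPath $Directory -File -Recurse | ForEach-Object {
        $zone = Get-MotwZone -Path $_.FullName
        [pscustomobject]@{
            File    = $_.FullName
            ZoneId  = $zone
            HasMotw = ($zone -eq $UrlZoneInternet -or $zone -eq $UrlZoneUntrusted)
        }
    } | Where-Object { -not $_.HasMotw }
}

# --- constructed demonstration in a throwaway temp directory ---
$dir = Join-Path $env:TEMP ('motw-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null

$marked   = Join-Path $dir 'download-a.bin'   # what a browser download looks like
$unmarked = Join-Path $dir 'download-b.bin'   # what a MOTW bypass leaves behind
Set-Content -LiteralPath $marked   -Value 'placeholder'
Set-Content -LiteralPath $unmarked -Value 'placeholder'

# Write the MOTW stream the way a browser does for an Internet-zone download.
Set-Content -LiteralPath $marked -Stream 'Zone.Identifier' -Value @(
    '[ZoneTransfer]',
    'ZoneId=3',
    'HostUrl=https://example.invalid/'   # placeholder URL, not a real source
)

"Zone on marked file:   $(Get-MotwZone -Path $marked)"
"Zone on unmarked file: $(Get-MotwZone -Path $unmarked)"
Find-FilesWithoutMotw -Directory $dir | Format-Table -AutoSize

Remove-Item -LiteralPath $dir -Recurse -Force
```

Pointing Find-FilesWithoutMotw at a user's Downloads folder (or a mail attachment cache) is a cheap way to spot content that reached the machine without the mark; it does not tell you which bypass was used, only that the protections SmartScreen relies on were never consulted for that file.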
Zero-Day CVE-2024-38014
The fourth zero-day (CVE-2024-38014) is a Windows Installer privilege escalation flaw with a CVSS score of 7.8. It affects both desktop and server systems and lets an attacker who already has a foothold gain SYSTEM privileges without any user interaction. Flaws of this kind are rarely used alone; attackers typically chain them with an initial-access vulnerability to turn a low-privileged compromise into full control of the host.
Other Key Updates from September Patch Tuesday
Microsoft issued 13 new patches for SQL Server, some rated as high as 8.8 on the CVSS scale, and re-released two previously issued CVEs. Because the SQL Server patches include driver updates, administrators should review Microsoft's guidance carefully before patching: confirm that applications are compatible with OLE DB Driver 18 or 19, or obtain specific instructions from the application vendors, to avoid driver-related breakage after installation.
Additionally, Microsoft fixed five critical SharePoint vulnerabilities, including two notable remote-code execution bugs (CVE-2024-38018 and CVE-2024-43464). An attacker holding only basic site privileges could use these flaws to execute code on the server, steal data, or disrupt the service.
Ongoing BlackLotus Mitigation
A major mitigation effort related to the BlackLotus UEFI bootkit continues to pose challenges for administrators. Microsoft first addressed the Secure Boot bypass vulnerability (CVE-2023-24932) in May 2023, but the mitigations are not enabled by default and remained opt-in through subsequent updates, including July's Patch Tuesday. Admins need to follow the detailed instructions in Microsoft's KB5025885 to test and deploy them, and should plan for the risks involved, such as failed firmware updates or devices entering BitLocker recovery mode.
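The following PowerShell script is an added example, not code from the article or from KB5025885. It is a read-only readiness check to run before enabling the CVE-2023-24932 mitigations on a device: it confirms Secure Boot is on, reports whether the "Windows UEFI CA 2023" certificate is already in the UEFI DB and whether the "Microsoft Windows Production PCA 2011" entry has been revoked in DBX, decodes the mitigation request flags in the Secureboot registry key, and verifies that every BitLocker-protected volume has a recovery password protector, so a device that drops into recovery can actually be recovered. The DB/DBX substring checks, the registry value name and the bit values are taken from KB5025885 as published at the time; confirm them against the current KB before relying on them.

```powershell
# Added example: pre-deployment readiness check for the KB5025885 mitigations.
# Read-only; run in an elevated session on the target device.
# Assumptions (verify against the current KB5025885): the DB/DBX subject
# strings, the AvailableUpdates value under the Secureboot key, and its bit
# meanings 0x40 (DB update), 0x100 (boot manager update), 0x80 (DBX revocation).

$RegKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$Flags  = @{ DbUpdate = 0x40; BootManagerUpdate = 0x100; DbxRevocation = 0x80 }

function Test-SecureBootVarContains {
    param([string]$Name, [string]$Subject)
    # The UEFI variable is a binary signature list; the KB's check is a plain
    # ASCII substring match on the certificate subject, reproduced here.
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    return ([System.Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($Subject))
}

function Get-BlackLotusMitigationReadiness {
    $report = [ordered]@{}
    $report.SecureBootEnabled = Confirm-SecureBootUEFI
    if (-not $report.SecureBootEnabled) {
        # Without Secure Boot the DB/DBX state is irrelevant and the bootkit is not blocked anyway.
        return [pscustomobject]$report
    }

    $report.Ca2023InDb   = Test-SecureBootVarContains -Name 'db'  -Subject 'Windows UEFI CA 2023'
    $report.Pca2011InDbx = Test-SecureBootVarContains -Name 'dbx' -Subject 'Microsoft Windows Production PCA 2011'

    # Which mitigation steps have been requested on this device (applied by the
    # Secure-Boot-Update scheduled task on subsequent reboots)?
    $available = (Get-ItemProperty -Path $RegKey -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    $report.AvailableUpdates = if ($null -ne $available) { '0x{0:X}' -f $available } else { '(not set)' }
    foreach ($f in $Flags.GetEnumerator()) {
        $report["Requested_$($f.Key)"] = [bool]([int]$available -band $f.Value)
    }

    # BitLocker: a firmware or boot-manager change can trip recovery, so every
    # protected volume needs an escrowed recovery password before you start.
    $volumes = @(Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' })
    $missing = @($volumes | Where-Object {
        -not ($_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    })
    $report.BitLockerVolumesOn              = $volumes.Count
    $report.BitLockerVolumesWithoutRecovery = @($missing | ForEach-Object MountPoint)

    $report.ReadyToEnable = $report.SecureBootEnabled -and
                            ($report.BitLockerVolumesWithoutRecovery.Count -eq 0)
    return [pscustomobject]$report
}

Get-BlackLotusMitigationReadiness | Format-List
```

Treat ReadyToEnable as a gate for the test ring only: it says the device can survive the change and be recovered, not that its firmware will accept the DB and DBX updates. The KB's own sequencing (DB update, boot manager update, then DBX revocation, each with a reboot) is still what you follow once the check passes.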
CISO @ BioIVT, Founder of global "ChadWorking" networking community, Cybersecurity consultant and enthusiastic, M&A integrations and on-boarding specialist, IT Director and data center designer,
5 months ago: 'Cause that's next month's "fixes" lol!
Network Manager | Email Administrator | VoIP Administrator | Cybersecurity
5 months ago: This is a lot of patches this month and 4 zero-days, wow.
Transform Rookies to Professional Drug Busters
5 months ago: Well done! Thanks.
Information Security and Business Continuity Officer (2nd Line)
5 months ago: I am really impressed by the number of vulnerabilities every month, and it is really costing a lot to companies. Isn't there any kind of testing/quality control? It's Microsoft, not a small software house!!!
OK Boštjan Dolinšek