Yesterday was September 10, 2024, and you know what that means — it’s Patch Day, the second Tuesday of every month when Microsoft releases security updates for Windows.
This time, 79 security vulnerabilities have been addressed, with all but one categorized as “critical” or “high risk.” According to Microsoft, four of the vulnerabilities are already being exploited in the wild, so make sure you update as soon as you can.
Which Windows versions are affected?
The majority of the vulnerabilities — counting 67 in total — are spread across various Windows versions, including Windows 10, Windows 11, and Windows Server.
Windows 7 and 8.1 are no longer mentioned in the security reports, so they could still be vulnerable. Unless you have a very good reason, you should consider switching to Windows 10 (22H2) or Windows 11 (23H2) to continue receiving security updates. (Note that Windows 10 will stop being supported in 2025, so Windows 11 is the better choice.)
Patch Day also includes updates for Windows 11 24H2, although the fall update is still in testing with Insiders and not yet publicly available.
That said, if you’re still running on Windows 11 22H2, you should really update to Windows 11 23H2 as soon as you can. Otherwise you run the risk of a forced update, which could be disruptive. (Windows 11 22H2 will receive its final security update on October 8, 2024.)
Zero-day Windows vulnerabilities patched
As mentioned, a few of the patched Windows security vulnerabilities are already being used in real-world attacks. (It’s disputed whether one of them, the spoofing issue CVE-2024-43461, is being actively exploited.)
Microsoft hasn’t offered many details on these zero-day vulnerabilities in the security update guide, but Dustin Childs touches on them in the Zero Day Initiative blog. Childs claims that an exploit of the spoofing issue has been discovered in the wild and was reported to Microsoft, but the vulnerability isn’t listed as under attack by Microsoft.
The most important security vulnerabilities on Patch Day in September 2024
CVE | vulnerable software | Severity | Impact | exploited | known in advance |
---|---|---|---|---|---|
CVE-2024-43491 | Windows Update | critical | RCE | yes | no |
CVE-2024-38217 | Windows Mark of the Web | high | SFB | yes | yes |
CVE-2024-38014 | Windows Installer | high | EoP | yes | no |
CVE-2024-38226 | Office: Publisher | high | SFB | yes | no |
CVE-2024-43461 | Windows MSHTML | high | Spoofing | controversial * | no |
CVE-2024-38119 | Windows NAT | critical | RCE | no | no |
CVE-2024-38018 | SharePoint Server | critical | RCE | no | no |
CVE-2024-43464 | SharePoint Server | critical | RCE | no | no |
RCE: Remote Code Execution
EoP: Elevation of Privilege
SFB: Security Feature Bypass
Regarding vulnerability CVE-2024-38217, Microsoft says the Security Feature Bypass vulnerability isn’t just being exploited but was publicly known in advance. This one affects the “Mark of the Web” (MotW) on downloaded files, making it possible to circumvent protections.
Regarding vulnerability CVE-2024-43491, it’s the only Remote Code Execution (RCE) issue among the four zero-days. This one only affects certain older versions of Windows 10 and can only be eliminated by first installing update KB5043936, then update KB5043083. Microsoft says newer versions of Windows 10 aren’t affected.
Regarding vulnerability CVE-2024-38014, this Elevation of Privilege (EoP) threat exists in the Windows Installer for all currently supported versions of Windows, including Server editions. An attacker who exploits this flaw can give themself system authorizations without user interaction. (The exact mechanism isn’t clear, but typically attackers combine EoP vulnerabilities with RCE vulnerabilities to remote run malicious code.)
Other critical Windows vulnerabilities
There are also several security vulnerabilities classified as critical, one of which affects Windows and is not yet under attack.
The RCE vulnerability CVE-2024-38119 affects Network Address Translation (NAT) and requires the attacker to be on the same network. This is because NAT is generally not routing-capable, meaning that it can’t be exploited across network boundaries.
Also, Windows Remote Desktop Services has seven vulnerabilities, including four RCE vulnerabilities. There’s another RCE vulnerability each in Microsoft Management Console (CVE-2024-38259) and Power Automate for desktop (CVE-2024-43479).
Microsoft Office vulnerabilities
In this patch, Microsoft eliminated 11 vulnerabilities in its Office products, including a zero-day vulnerability and two other vulnerabilities classified as critical.
The Security Feature Bypass vulnerability CVE-2024-38226 was discovered by an unknown person in Microsoft Publisher and exploited immediately. For this, an attacker has to convince a user to open a specially prepared file in Publisher. If successful, the macro guidelines in Office are bypassed and malicious code is executed.
Microsoft classifies two RCE vulnerabilities in SharePoint Server (CVE-2024-38018, CVE-2024-43464) as critical. However, another RCE vulnerability (CVE-2024-38227) in SharePoint Server and one in Visio (CVE-2024-43463) are only considered high risk.
SQL Server vulnerabilities
Microsoft eliminated 13 security vulnerabilities in SQL Server this month, with six of them being RCE vulnerabilities with CVSS scores of 8.8. Microsoft also closed three EoP vulnerabilities and four data leaks.
Web browser updates
The latest security update for Microsoft’s Edge browser is version 128.0.2739.63 from September 3, based on Chromium 128.0.6613.120. However, it doesn’t yet appear in the security update guide. (The release notes are also rather sparse and only appeared a week late.) The 128.0.2739.67 update to Edge on September 5 only fixes a few bugs.
However, Google released a new security update for Chrome on September 10, which fixes several vulnerabilities classified as high risk. Microsoft has yet to respond to this.
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.