Microsoft releases September 2024 patch, fixes 79 flaws including multiple zero-days, 7 critical

Microsoft's September 2024 Patch Tuesday addressed a total of 79 security vulnerabilities, including four actively exploited zero-days and one publicly disclosed vulnerability. Among these, seven were rated as critical, involving remote code execution (RCE) or elevation of privilege (EoP) flaws.

The patch addresses:

• 30 Elevation of Privilege Vulnerabilities
• 4 Security Feature Bypass Vulnerabilities
• 23 Remote Code Execution Vulnerabilities
• 11 Information Disclosure Vulnerabilities
• 8 Denial of Service Vulnerabilities
• 3 Spoofing Vulnerabilities

Actively Exploited Zero-Day Vulnerabilities

1. CVE-2024-38014 (CVSS score 7.8) - Windows Installer Elevation of Privilege Vulnerability - This flaw allows attackers to gain SYSTEM-level privileges on Windows systems, providing complete control over the affected system. Microsoft has not disclosed how the vulnerability is exploited in attacks. Discovered by Michael Baer from SEC Consult Vulnerability Lab.

2. CVE-2024-38217 (CVSS score 5.4) - Windows Mark of the Web (MoTW) Security Feature Bypass Vulnerability - Publicly disclosed by Joe Desimone of Elastic Security, this vulnerability allows attackers to bypass security warnings for files downloaded from untrusted sources. Known as "LNK stomping," this technique involves creating specially crafted LNK files that evade Smart App Control and MoTW defenses, leading to a limited loss of security feature integrity.

3. CVE-2024-38226 (CVSS score 7.3) - Microsoft Publisher Security Feature Bypass Vulnerability - Allows an attacker to bypass Office macro policies that block untrusted or malicious files, thereby potentially enabling the execution of harmful macros. Details on the disclosure and method of exploitation were not provided by Microsoft.

4. CVE-2024-43491 (CVSS score 9.8) - Microsoft Windows Update Remote Code Execution Vulnerability - A critical RCE vulnerability in the Servicing Stack allows an attacker to exploit previously mitigated vulnerabilities on Windows 10 version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB). To mitigate this, Microsoft recommends installing the September 2024 Servicing Stack update (SSU KB5043936) followed by the September 2024 Windows security update (KB5043083).

5. CVE-2024-43461 (CVSS score 8.8) - Windows MSHTML Platform Spoofing Vulnerability -  is also claimed to be exploited, although it's still listed on Microsoft’s website as not exploited. Exploitation was confirmed by threat actor Void Banshee.

Microsoft reports following critical vulnerabilities addressed

1. CVE-2024-43491 - Microsoft Windows Update Remote Code Execution Vulnerability - Allows remote code execution by exploiting weaknesses in the Windows Update process, specifically affecting Windows 10 version 1507.

2. CVE-2024-38220 - Azure Stack Hub Remote Code Execution Vulnerability - A remote code execution flaw in Azure Stack Hub that could allow attackers to gain unauthorized access to other Azure tenants' resources.

3. CVE-2024-38018 - Microsoft SharePoint Server Remote Code Execution Vulnerability - An RCE vulnerability in Microsoft SharePoint Server, requiring at least Site Member level permissions for exploitation.

4. CVE-2024-38194 - Azure Web Apps Elevation of Privilege Vulnerability - An elevation of privilege vulnerability in Azure Web Apps, allowing attackers to gain elevated permissions within a network.

5. CVE-2024-38216 - Azure Stack Hub Elevation of Privilege Vulnerability - A privilege escalation flaw in Azure Stack Hub that could enable unauthorized access to system resources.

6. CVE-2024-38119 - Windows Network Address Translation (NAT) Remote Code Execution Vulnerability - A remote code execution flaw in Windows NAT, which requires an attacker to be on the same network and successfully exploit a race condition.

7. CVE-2024-43464 - Microsoft SharePoint Server Remote Code Execution Vulnerability - Exploitation involves uploading a maliciously crafted file to SharePoint Server and sending API requests to achieve remote code execution.

Enterprises should prioritize deploying patches for the four zero-days and the critical vulnerabilities. Organizations should educate users on the risks associated with interacting with untrusted files and websites to mitigate security feature bypasses like the MoTW bypass.

Full list of patched vulnerabilities