Microsoft's September 2024 Patch Tuesday update addresses four zero-day vulnerabilities, three of which Microsoft lists as actively exploited in the wild and one of which was publicly disclosed before a fix was available. This release continues a pattern seen throughout the year, with multiple critical vulnerabilities identified and patched every month. In total, the September updates address 79 vulnerabilities, seven of which are rated critical, underscoring the persistent patching burden on organizations that rely on Microsoft software.
Key Zero-Day Vulnerabilities and Critical Flaws
Among the four zero-day vulnerabilities, two are particularly noteworthy: CVE-2024-38226 and CVE-2024-38014. CVE-2024-38226 is a security feature bypass in Microsoft Publisher. It allows an attacker to circumvent the Office macro policies that are meant to block untrusted or malicious files: if a user is convinced to open a specially crafted Publisher file, the macro blocking that would normally stop embedded code from running does not apply. Exploitation is local, with opening the file as the trigger, which is why phishing lures remain the most likely delivery path. The risk is heightened because macros, a long-standing vehicle for embedding malicious code in Office documents, are supposed to be blocked by default for files that originate from the internet.
CVE-2024-38014 is another zero-day exploited in the wild, this time in Windows Installer. It is an elevation of privilege flaw that lets a local attacker obtain SYSTEM-level privileges, which makes it a natural second stage after any initial foothold on a workstation. Notably, the issue affects Windows 11, version 24H2, a release that at the time of the update was limited to specific Microsoft Copilot+ devices, as well as older versions of Windows 10 and 11. The severity of these vulnerabilities highlights the need for timely updates and for verifying that the patches actually landed on every affected host.
Other Notable Vulnerabilities
The September Patch Tuesday also addressed CVE-2024-38217, a publicly disclosed and exploited vulnerability in Windows Mark of the Web (MOTW). MOTW is the Zone.Identifier metadata Windows attaches to files downloaded from the internet; SmartScreen warnings and Office Protected View both key on it. A file that evades MOTW therefore opens without those protections, so a malicious download can be executed or opened by the user without the usual prompts. Because so many defenses rely on this one marker, its bypass poses a significant risk even though the flaw itself does not execute code.
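To make the MOTW discussion concrete, the following is an added example, not code from the original article or from Microsoft: it parses the Zone.Identifier alternate data stream that carries the mark and reports whether a file would be treated as untrusted. The helper that reads the stream from disk only works on Windows/NTFS; the sample stream contents are constructed for illustration, as are the hostnames in them.

```python
"""Inspect Windows Mark of the Web (MOTW) Zone.Identifier metadata.

Added example (not from the original article). On NTFS, a file downloaded
from the internet carries an alternate data stream named Zone.Identifier
holding an INI-style [ZoneTransfer] section. ZoneId=3 (Internet) or
4 (Restricted Sites) is what SmartScreen and Office Protected View key on.
The sample streams at the bottom are constructed, not captured from a host.
"""
import configparser
import os
from dataclasses import dataclass
from typing import Optional

ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


@dataclass
class ZoneInfo:
    zone_id: Optional[int]
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def marked_untrusted(self) -> bool:
        # Protected View / SmartScreen treat zones 3 and 4 as untrusted.
        return self.zone_id is not None and self.zone_id >= 3


def parse_zone_identifier(stream_text: str) -> ZoneInfo:
    """Parse the text of a Zone.Identifier stream into a ZoneInfo."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key names case-sensitive as written
    parser.read_string(stream_text)
    if not parser.has_section("ZoneTransfer"):
        return ZoneInfo(None, None, None)
    section = parser["ZoneTransfer"]
    raw = section.get("ZoneId")
    # A present-but-empty or non-numeric ZoneId is the kind of malformed
    # stream a bypass can leave behind: treat it as "no usable zone".
    zone_id = int(raw) if raw is not None and raw.strip().isdigit() else None
    return ZoneInfo(zone_id, section.get("ReferrerUrl"), section.get("HostUrl"))


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the Zone.Identifier stream of a file on NTFS (Windows only).

    Returns None when the stream is absent, i.e. the file carries no MOTW.
    """
    if os.name != "nt":
        raise OSError("alternate data streams are only readable on Windows/NTFS")
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


def describe(stream_text: Optional[str]) -> str:
    """Human-readable verdict for a file's MOTW state."""
    if stream_text is None:
        return "no Zone.Identifier stream: file is NOT marked (MOTW absent)"
    info = parse_zone_identifier(stream_text)
    if info.zone_id is None:
        return "Zone.Identifier present but ZoneId missing or malformed: MOTW protections may not apply"
    name = ZONE_NAMES.get(info.zone_id, "Unknown")
    state = ("untrusted, Protected View/SmartScreen apply" if info.marked_untrusted
             else "trusted zone, no MOTW prompts")
    return f"ZoneId={info.zone_id} ({name}): {state}; host={info.host_url or '-'}"


# Constructed sample streams (hostnames are placeholders, not real sources).
SAMPLE_INTERNET = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                   "ReferrerUrl=https://example.invalid/dl\r\n"
                   "HostUrl=https://example.invalid/invoice.pub\r\n")
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"
SAMPLE_MALFORMED = "[ZoneTransfer]\r\nZoneId=\r\n"

if __name__ == "__main__":
    for label, text in (("internet", SAMPLE_INTERNET), ("intranet", SAMPLE_INTRANET),
                        ("malformed", SAMPLE_MALFORMED), ("absent", None)):
        print(f"{label:10s} {describe(text)}")
```

On a Windows host, `describe(read_zone_identifier(r"C:\Users\me\Downloads\invoice.pub"))` gives the verdict for a real download; a file that arrived from the internet but reports "MOTW absent" or a malformed ZoneId is exactly the condition a MOTW bypass produces and is worth treating as suspicious in triage.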
Additionally, Cisco Talos' Vulnerability Research team identified an information disclosure vulnerability in the AllJoyn API, tracked as CVE-2024-38257. The flaw can expose uninitialized memory to an attacker. Microsoft rates it "Exploitation Less Likely" even though it requires neither user interaction nor prior privileges, so the rating reflects the limited value of the leaked data rather than any difficulty in reaching the bug. Vulnerabilities with a lower likelihood of exploitation still need attention, because an information leak is precisely the kind of primitive that gets chained with a memory corruption bug to defeat mitigations such as ASLR.
The highest-scored issue among this month's patches is CVE-2024-43491, a remote code execution vulnerability in Windows Update with a near-maximum CVSS score of 9.8 out of 10. Microsoft's advisory attributes it to a servicing stack problem on Windows 10, version 1507 systems that rolled back fixes for some optional components, which is why affected devices must install both the September servicing stack update and the September security update. Its severity score and the fact that it reintroduces previously fixed vulnerabilities make it a critical priority for anyone still running that release.
SharePoint Server Vulnerabilities
SharePoint Server also features prominently in this month's update, with four remote code execution vulnerabilities (CVE-2024-38018, CVE-2024-38227, CVE-2024-38228, and CVE-2024-43464) rated "Exploitation More Likely". In three of these cases, an attacker who already holds Site Owner permissions could inject and execute arbitrary code in the context of the SharePoint Server. CVE-2024-38018 stands out because it requires only Site Member permissions, a role granted far more broadly, which lowers the bar for exploitation. Since a compromised low-privilege account is a common starting point, these flaws turn an ordinary SharePoint user into a path to the server itself; they emphasize the need for tight control over who holds which site roles and for prompt patching of collaboration infrastructure.
Security Measures and Mitigation
In response to the identified vulnerabilities, Cisco Talos has released new Snort rules designed to detect exploitation attempts. The Snort 2 rules, SIDs 63979 - 63984 and 63987 - 63994, cover a wide array of the vulnerabilities disclosed in the September update, and Snort 3 rules 301008 - 301013 extend that coverage. Organizations running Cisco Secure Firewall should update to the latest ruleset, and open-source Snort Subscriber Rule Set customers can pick up the same coverage by downloading the latest rule packs from Snort.org. Deploying a rule pack is not the same as having the rules active: verify that the listed SIDs are present and enabled on each sensor.
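A quick way to confirm that a deployed Snort ruleset actually contains the SIDs quoted above is to parse the rules file and compare it against the expected ranges. The following is an added example, not Cisco Talos' own tooling; the SID ranges are the ones the article lists, while the rule text at the bottom is a constructed stand-in for a real rules file (the rule bodies are placeholders, not real Talos rules).

```python
"""Check a Snort rules file for the SIDs Talos published for this update.

Added example, not Cisco Talos tooling. EXPECTED_SID_RANGES are the ranges
quoted in the article; SAMPLE_RULES is a constructed stand-in for a real
rules file and contains no real Talos rule content.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Inclusive SID ranges Talos published for the September 2024 coverage
# (Snort 2 SIDs followed by the Snort 3 SIDs).
EXPECTED_SID_RANGES: List[Tuple[int, int]] = [
    (63979, 63984),
    (63987, 63994),
    (301008, 301013),
]

# 'sid:NNNN;' inside the rule options; \b keeps 'gid:' from matching.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# Rule actions that mean the rule will actually fire when loaded.
ENABLED_RULE_RE = re.compile(r"^\s*(alert|drop|reject|block)\b")


def expand_ranges(ranges: Iterable[Tuple[int, int]]) -> Set[int]:
    """Turn inclusive (low, high) pairs into the full set of SIDs."""
    return {sid for lo, hi in ranges for sid in range(lo, hi + 1)}


def parse_rule_sids(rules_text: str) -> Dict[int, bool]:
    """Map each SID found in the rules text to whether its rule is enabled.

    A rule commented out with a leading '#' is present but disabled, which
    is a common reason a sensor silently lacks coverage after an update.
    """
    found: Dict[int, bool] = {}
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        match = SID_RE.search(stripped)
        if not match:
            continue
        sid = int(match.group(1))
        body = stripped.lstrip("#").strip()
        enabled = (not stripped.startswith("#")) and bool(ENABLED_RULE_RE.match(body))
        found[sid] = enabled
    return found


def coverage_report(rules_text: str,
                    ranges: Iterable[Tuple[int, int]] = EXPECTED_SID_RANGES
                    ) -> Dict[str, List[int]]:
    """Split the expected SIDs into enabled, disabled (commented) and missing."""
    expected = expand_ranges(ranges)
    found = parse_rule_sids(rules_text)
    return {
        "enabled": sorted(s for s in expected if found.get(s) is True),
        "disabled": sorted(s for s in expected if found.get(s) is False),
        "missing": sorted(s for s in expected if s not in found),
    }


# Constructed sample rules file: placeholder rule bodies, not real Talos rules.
SAMPLE_RULES = """\
# constructed sample, not a real Talos ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"placeholder 63979"; sid:63979; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"placeholder 63980"; sid:63980; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"placeholder 63981"; sid:63981; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"unrelated local rule"; sid:1000001; rev:1;)
"""

if __name__ == "__main__":
    # Point this at a real file, e.g. open("/etc/snort/rules/snort.rules").read()
    report = coverage_report(SAMPLE_RULES)
    for key in ("enabled", "disabled", "missing"):
        print(f"{key:9s} {len(report[key]):3d} {report[key][:8]}")
```

Against the constructed sample this reports two SIDs enabled, one disabled and seventeen missing; on a production sensor, any SID in the "disabled" or "missing" list means the corresponding detection is not running, regardless of what the rule pack version says.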
Microsoft’s Patch Tuesday updates and the accompanying security advisories serve as a crucial reminder of the ever-evolving threat landscape. Organizations are urged to prioritize patch management, promptly deploy updates, and continuously monitor for potential exploitation of known vulnerabilities. While Microsoft’s monthly patches address a broad spectrum of security issues, the proactive identification and mitigation of zero-day vulnerabilities are essential in protecting critical systems and sensitive data from sophisticated cyber threats.
A complete list of the vulnerabilities addressed in September’s Patch Tuesday can be accessed on Microsoft’s official update page. Organizations are encouraged to review the details and take immediate action to mitigate risks associated with these security flaws.