Microsoft’s September 2024 Patch Tuesday update reveals three actively exploited critical vulnerabilities in the Windows platform, part of a broader release addressing 79 vulnerabilities across its ecosystem. Of these, seven are classified as Critical, 71 as Important, and one as Moderate. The vulnerabilities span across the Windows operating system and Microsoft’s Chromium-based Edge browser. Additionally, Microsoft has resolved 26 security flaws in Edge since last month’s Patch Tuesday update. The three critical vulnerabilities under active exploitation include privilege escalation and security bypass flaws that can be used to undermine key protective features of Windows, such as blocking malicious macros in Office. These vulnerabilities highlight the increasing sophistication of attacks and the importance of timely patching. Organizations are urged to deploy the available patches immediately to mitigate risks, as the vulnerabilities could allow attackers to elevate privileges or execute malicious code on unpatched systems. Microsoft’s swift action in addressing these flaws underscores the need for proactive security measures, particularly in environments that rely heavily on Microsoft technologies.

Key Vulnerabilities Under Active Exploitation

Among the vulnerabilities disclosed, four have been weaponized or are being actively exploited. These include:

1. CVE-2024-38014 (CVSS score: 7.8)
   Windows Installer Elevation of Privilege Vulnerability
   This flaw allows attackers to gain elevated privileges on the target system through exploitation of a flaw in Windows Installer.
2. CVE-2024-38217 (CVSS score: 5.4)
   Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability
   Exploitation of this vulnerability allows attackers to bypass security features that normally prevent the execution of malicious Microsoft Office macros. This vulnerability is particularly dangerous when a user is convinced to open a specially crafted file hosted on an attacker-controlled server.
3. CVE-2024-38226 (CVSS score: 7.3)
   Microsoft Publisher Security Feature Bypass Vulnerability
   Like CVE-2024-38217, this vulnerability enables the bypass of security features designed to block macros in Microsoft Office documents. However, in this case, an attacker must have authenticated access to the system, making local access a requirement.
4. CVE-2024-43491 (CVSS score: 9.8)
   Microsoft Windows Update Remote Code Execution Vulnerability
   This vulnerability, which affects Windows Update, poses a significant risk as it enables remote code execution on unpatched systems. Although no active exploitation has been detected, Microsoft is treating it as a severe risk because of its high CVSS score and the potential consequences if exploited.

Detailed Analysis of Weaponized Vulnerabilities

• CVE-2024-38217: Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability

This vulnerability is also referred to as “LNK Stomping,” a technique that has been abused since at least February 2018. MotW is a key security feature that flags files originating from untrusted sources, warning users about potential risks and blocking macros. However, attackers can bypass this feature by manipulating LNK files, thus allowing malicious code execution.

The attacker would need to trick a user into opening a specially crafted file hosted on a remote server. Once opened, macros in the Microsoft Office suite could run, potentially leading to further exploitation or system compromise.

• CVE-2024-43491: Windows Update Remote Code Execution Vulnerability

CVE-2024-43491 stands out due to its similarity to a downgrade attack detailed by cybersecurity firm SafeBreach in August 2024. This vulnerability involves a flaw in the Windows Servicing Stack that could lead to a rollback of previously implemented security fixes. An attacker could exploit previously mitigated vulnerabilities in Windows 10 systems (version 1507, also known as Windows 10 Enterprise 2015 LTSB) if the vulnerable update is installed.

Although Microsoft has confirmed no active exploitation of CVE-2024-43491, its critical nature demands immediate attention. The vulnerability is notable because it stems from issues introduced in Windows security updates released between March and August 2024, specifically KB5035858 (OS Build 10240.20526).

Fixes and Mitigations

Microsoft has released two updates to address these vulnerabilities:

1. September 2024 Servicing Stack Update (SSU KB5043936)
2. September 2024 Windows Security Update (KB5043083)

These updates must be installed in sequence to ensure full protection against CVE-2024-43491 and other vulnerabilities in Windows 10 version 1507. While Microsoft has not detected exploitation of CVE-2024-43491 in the wild, they emphasize that the vulnerability was discovered internally, meaning it was not publicly known before the patch.

Broader Vendor Security Patches

Alongside Microsoft, numerous other vendors have issued security updates over the past few weeks to address vulnerabilities across a variety of products and services. This comprehensive list includes:

• Adobe
• Arm
• Bosch
• Broadcom (including VMware)
• Cisco
• Citrix
• CODESYS
• D-Link
• Dell
• Drupal
• F5
• Fortinet
• Fortra
• GitLab
• Google Android and Pixel
• Google Chrome
• Google Cloud
• Google Wear OS
• Hitachi Energy
• HP
• HP Enterprise (including Aruba Networks)
• IBM
• Intel
• Ivanti
• Lenovo
• Linux distributions Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, and Ubuntu
• MediaTek
• Mitsubishi Electric
• MongoDB
• Mozilla Firefox, Firefox ESR, Focus and Thunderbird
• NVIDIA
• ownCloud
• Palo Alto Networks
• Progress Software
• QNAP
• Qualcomm
• Rockwell Automation
• Samsung
• SAP
• Schneider Electric
• Siemens
• SolarWinds
• SonicWall
• Spring Framework
• Synology
• Veeam
• Zimbra
• Zoho ManageEngine ServiceDesk Plus, SupportCenter Plus, and ServiceDesk Plus MSP
• Zoom, and
• Zyxel

Linux distributions such as Amazon Linux, Debian, Oracle Linux, Red Hat, and Ubuntu have also been included in recent patch releases. Other notable vendors include HP, Intel, Lenovo, Palo Alto Networks, and Synology.

Remediation Steps

1. CVE-2024-38014 (Windows Installer Elevation of Privilege):
   Apply the September 2024 Windows security update.
2. CVE-2024-38217 (Windows MotW Security Feature Bypass):
   Educate users to avoid opening files from untrusted sources and apply the security patch.
3. CVE-2024-38226 (Microsoft Publisher Security Feature Bypass):
   Ensure local users have limited access and install the latest update.
4. CVE-2024-43491 (Windows Update Remote Code Execution):
   Install the September 2024 Servicing Stack Update (KB5043936) followed by the Windows security update (KB5043083).
5. Update Antivirus Definitions:
   Ensure antivirus and endpoint protection systems are updated to detect exploitation attempts.
6. Monitor for Suspicious Activity:
   Continuously monitor network and endpoint logs for signs of exploitation related to these vulnerabilities.
7. Review Security Policies:
   Implement or reinforce security policies that restrict macro execution and untrusted file handling across the organization.