Microsoft September 2024 Patch Tuesday: Comprehensive Breakdown of Fixes and Flaws
Overview of September 2024 Patch Tuesday
In September 2024, Microsoft rolled out its monthly Patch Tuesday updates, addressing 79 vulnerabilities across a range of Microsoft products. This release includes critical security patches, with four zero-day vulnerabilities actively exploited in the wild at the time of disclosure. These zero-day flaws are particularly concerning as attackers were already using them before the release of official fixes, making swift patch applications essential for organizations and individuals alike.
Key Vulnerabilities Addressed
1. CVE-2024-38014
There is a critical elevation of privilege vulnerability in **Windows Installer**. This flaw allows attackers to execute arbitrary code with SYSTEM-level privileges, enabling them to gain complete control over a targeted system. Once exploited, an attacker can use this vulnerability to bypass security mechanisms and facilitate further attacks, such as installing malware or manipulating sensitive data.
2.CVE-2024-38217
A security feature bypass in **Windows Mark of the Web** (MOTW). This vulnerability enables attackers to exploit specially crafted malicious files that bypass MOTW warnings, which typically prompt users when a file originates from an untrusted source, such as the internet. Attackers can trick users into executing malicious files without the usual warnings, significantly increasing the risk of social engineering attacks.
3. CVE-2024-43491
A remote code execution (RCE) vulnerability in **Microsoft Windows Update**inadvertently reversed previous patches. Due to an error in the update mechanism, this vulnerability rolled back security fixes applied in earlier updates, nullifying them and making previously patched systems vulnerable again. Attackers could exploit this flaw to execute arbitrary code remotely, leading to system compromise.
4. CVE-2024-38226
A security feature bypass in **Microsoft Publisher**. Attackers can exploit this flaw to circumvent Office macro policies, allowing malicious macros to execute without proper restrictions. Given the prevalence of macro-based malware, this vulnerability presents a serious threat, particularly in enterprise environments using Microsoft Office.
Broader Impact on Windows Systems
The September 2024 Patch Tuesday addressed many components, including core elements such as Windows Installer, Microsoft Office, Windows Update, and more specialized areas like Microsoft SQL Server and Windows Hyper-V. Notably, the patches affecting Windows Hyper-V and Microsoft SQL Server required extensive testing and validation due to the significant changes in how the Microsoft Installer handles software installations and rollbacks. The added complexity necessitated additional scrutiny to ensure that enterprise environments could apply these patches without causing disruptions in system stability or functionality.
The Microsoft Hyper-V patches also included critical updates addressing memory corruption issues that could lead to denial-of-service (DoS) conditions or remote code execution. Organizations leveraging these technologies must prioritize patch testing and deployment to prevent potential outages or security incidents.
Unpatched Systems and the Rollback Issue
Despite the rollout of these updates, a critical flaw remained, impacting **Windows 10** systems. CVE-2024-43491, related to the Windows Update mechanism, caused the unintended rollback of security fixes, exposing several Windows 10 PCs for several months. This issue affected systems with optional components enabled, such as **Windows Sandbox** or **Windows Subsystem for Linux**. The rollback reintroduced vulnerabilities, allowing attackers to exploit these flaws anew. The situation underscores the importance of continuously monitoring and auditing patch deployment processes to ensure security updates are applied as intended.
Mitigation and Recommendations
To fully mitigate the vulnerabilities addressed in the September 2024 Patch Tuesday, Microsoft strongly advises users to install the September 2024 Servicing Stack Update (SSU) and the September 2024 Windows Security Updates. This ensures that all vulnerabilities, including those reintroduced by the rollback issue, are appropriately patched.
Conclusion
The September 2024 Patch Tuesday highlights the ongoing cat-and-mouse game between attackers and defenders in cybersecurity. The critical vulnerabilities addressed, particularly the actively exploited zero-day flaws, emphasize the importance of timely patching and proactive security practices. A well-structured patch management process is essential to maintaining system security and minimizing exposure to known vulnerabilities.
Microsoft September 2024 Patch Tuesday fixes four zero-days, 79 flaws
Bug Left Some Windows PCs Dangerously Unpatched – Krebs on Security
Critical patch for VMWARE
Broadcom released critical updates to address a major security vulnerability affecting VMware vCenter Server. This flaw, identified as CVE-2024-38812 and carrying a CVSS score of 9.8, is a heap overflow vulnerability within the DCE/RPC protocol that, if exploited, could allow remote code execution.
According to Broadcom, a malicious actor with network access to the vCenter Server could exploit this vulnerability by sending specially crafted network packets, potentially leading to remote code execution. In addition to this critical flaw, Broadcom addressed two similar vulnerabilities, CVE-2024-37079 and CVE-2024-37080, with CVSS scores of 9.8 in June 2024.
Another vulnerability resolved in this update is CVE-2024-38813 (CVSS score: 7.5), a privilege escalation flaw in the vCenter Server. A threat actor could use this flaw to escalate privileges to root by sending malicious packets over the network.
Security researchers ZBL and SRS from team TZL discovered these vulnerabilities during the Matrix Cup cybersecurity competition in China in June 2024. Patch for vulnerabilities in the following versions:
- vCenter Server 8.0 (Fixed in 8.0 U3b)
- vCenter Server 7.0 (Fixed in 7.0 U3s)
- VMware Cloud Foundation 5.x (Fixed in 8.0 U3b)
- VMware Cloud Foundation 4.x (Fixed in 7.0 U3s)
Although Broadcom has not detected any malicious exploitation of these vulnerabilities, they strongly advise customers to update their systems immediately to prevent potential security breaches.
Importance of Patching
Given that we have VMware and use some of these affected components in our environment, we must act quickly. We promptly applied these patches to safeguard our systems and prevent potential compromise. Notifying many of our customers of these vulnerabilities is also essential.
These vulnerabilities, particularly those involving memory management and corruption issues, pose significant risks, allowing for remote code execution and privilege escalation. Ensuring these updates are applied is crucial to maintaining the security of our infrastructure and customers’ environments.
Broader Cybersecurity Concerns
In a related development, the **U.S. Cybersecurity and Infrastructure Security Agency (CISA)** and the **Federal Bureau of Investigation (FBI)** issued a joint advisory urging organizations to address **cross-site scripting (XSS) vulnerabilities**. These vulnerabilities arise from improper input validation, allowing threat actors to inject malicious scripts into web applications. Both government bodies advocate for increased focus on eliminating these flaws, which can lead to data manipulation and theft.
Staying on top of such developments and applying security patches is essential to maintaining our cybersecurity posture and that of our customers.
Patch Issued for Critical VMware vCenter Flaw Allowing Remote Code Execution