Patch Tuesday: September 2024
Every month on the second Tuesday, Microsoft and other vendors release security patches in what has become known as Patch Tuesday. This month Microsoft released fixes for 79 vulnerabilities, 4 of which are known to have been exploited in the wild. A vulnerability that is exploited in the wild before a patch is available is known as a zero-day.
One of the zero-day vulnerabilities addressed in this month's Patch Tuesday release is an elevation of privilege vulnerability in the Windows Installer (CVE-2024-38014) that could allow an attacker to gain SYSTEM-level privileges. Microsoft has yet to release any details regarding how this vulnerability is being exploited. There is also a security feature bypass in Microsoft Publisher that allows macro execution from a malicious document (CVE-2024-38226). "An attacker who successfully exploited this vulnerability could bypass Office macro policies used to block untrusted or malicious files," explains Microsoft's advisory.
Another is a Remote Code Execution (RCE) vulnerability in Windows Update (CVE-2024-43491) that affects only certain editions of Windows 10. Exploiting this vulnerability would allow an attacker to roll back fixes for previous vulnerabilities affecting Optional Components, re-introducing these previously patched vulnerabilities. The vulnerability affects only Windows 10, version 1507, which reached end of life in 2017, together with its long-term servicing editions Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB, which are still supported. According to Microsoft, other Windows versions are not affected.
Mark of the Web bypasses have become common in Patch Tuesdays, and this one is no different. The Mark of the Web is a metadata field attached to a file that indicates it was downloaded from the Internet. It is used in conjunction with other security features in Windows and Office, such as SmartScreen and Office Protected View, to block or sandbox untrusted content. This month we see patches for CVE-2024-38217 and CVE-2024-43487. The first had previously been disclosed by Joe Desimone, who has written extensively on the initial access technique, and it is the fourth vulnerability in the batch where exploitation has been observed.
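For defenders who want to see the mark rather than read about it, the following PowerShell is an added example (not code from the original article) that reports the Mark of the Web on every file in a folder. On NTFS the mark is stored in the `Zone.Identifier` alternate data stream as a small INI-style block; the folder path is an assumption.

```powershell
# Added example, not from the original article.
# Assumes an NTFS volume; the folder is an assumed location.
# The Zone.Identifier stream looks like:
#   [ZoneTransfer]
#   ZoneId=3          # 0 local, 1 intranet, 2 trusted, 3 internet, 4 restricted
#   ReferrerUrl=https://example.test/page
#   HostUrl=https://example.test/file.zip
$folder = "$env:USERPROFILE\Downloads"   # assumed location

Get-ChildItem -Path $folder -File | ForEach-Object {
    $zoneId  = $null
    $hostUrl = $null

    # -Stream reads the named alternate data stream; if the stream is absent
    # (no mark), Get-Content raises a non-terminating error that we suppress.
    $content = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue

    if ($content) {
        foreach ($line in $content) {
            if ($line -match '^ZoneId=(\d+)')  { $zoneId  = [int]$Matches[1] }
            if ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
        }
    }

    [pscustomobject]@{
        File    = $_.Name
        ZoneId  = $zoneId
        HostUrl = $hostUrl
        # SmartScreen and Office Protected View key on ZoneId 3 (Internet) or 4 (Restricted)
        HasMotW = ($null -ne $zoneId -and $zoneId -ge 3)
    }
} | Format-Table -AutoSize
```

A file that arrived from the Internet but shows no `Zone.Identifier` stream, or a ZoneId below 3, is exactly the condition these bypasses aim to produce, so a missing mark on a fresh download is worth a second look. Note that `Unblock-File` deletes the stream, which is the legitimate way the mark gets removed.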
Multiple remote code execution vulnerabilities affecting Microsoft SharePoint Server were addressed. Several require authenticated access with Site Owner permissions (CVE-2024-43464, CVE-2024-38227, CVE-2024-38228), while one requires only Site Member permissions (CVE-2024-38018).
This month also includes patches for several more vulnerabilities in Windows networking internals disclosed by the researcher Wei from Kunlun Lab. These include a denial-of-service vulnerability requiring LAN access (CVE-2024-38234), two RCE vulnerabilities in the non-default NetNAT service (CVE-2024-38045, CVE-2024-21416), plus another NAT-based RCE (CVE-2024-38119). These follow last month's Patch Tuesday, which drew a lot of attention for its fix for the IPv6-based RCE CVE-2024-38063, also disclosed to Microsoft by Wei. None of this month's networking issues scores that high, however; the closest is CVE-2024-38119, which requires network access and winning a race condition.
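Two of the items above hinge on whether a host is even in scope: the Windows Update rollback issue (CVE-2024-43491) only touches the Windows 10 1507 / 2015 LTSB line, and the NetNAT RCEs only matter where Windows NAT is actually configured. The PowerShell below is an added triage script (not from the original article) that checks both on the local host; it assumes it runs on the Windows machine being assessed and that the `NetNat` module is present.

```powershell
# Added example, not from the original article. Run on the host being assessed.
$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# CVE-2024-43491 scope: Windows 10 version 1507 and the 2015 LTSB editions
# (Enterprise and IoT Enterprise) all report OS build 10240.
$inScope43491 = ($cv.CurrentBuild -eq '10240')
[pscustomobject]@{
    Check  = 'CVE-2024-43491 build in scope (10240)'
    Result = $inScope43491
    Detail = "$($cv.ProductName) build $($cv.CurrentBuild).$($cv.UBR)"
}

# NetNAT exposure: Get-NetNat (NetNat module) lists configured NAT instances.
# An empty result means no NAT instance is configured on this host.
$nat = Get-NetNat -ErrorAction SilentlyContinue
$natDetail = if ($nat) { $nat.Name -join ', ' } else { 'none' }
[pscustomobject]@{
    Check  = 'Windows NAT instances configured'
    Result = [bool]$nat
    Detail = $natDetail
}

# Finally, the most recently installed updates, to confirm this month's
# cumulative update has actually landed rather than merely been approved.
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn
```

A `Result` of `False` on the first check means the host is not in the population Microsoft named for CVE-2024-43491, and an empty NAT list means the NetNAT RCEs are not reachable on this machine; neither replaces installing the update, but both help prioritise which hosts to patch first.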
Other vulnerabilities of interest include a spoofing vulnerability in MSHTML (CVE-2024-43461). Additionally there is a set of elevation of privilege vulnerabilities that could provide SYSTEM privileges, most of them in the Kernel Streaming Service Driver (CVE-2024-38241, CVE-2024-38242, CVE-2024-38238, CVE-2024-38243, CVE-2024-38244, CVE-2024-38245), with several in other system components as well (CVE-2024-38249, CVE-2024-38247, CVE-2024-38252, CVE-2024-38253, CVE-2024-38246, CVE-2024-43457).
Patch Tuesday is critical for addressing vulnerabilities, especially those already being exploited in the wild as zero-days. This month's update from Microsoft included 79 security fixes, 4 of which address known exploited vulnerabilities. Staying up to date with patches is essential to safeguarding against cyber threats. For more tips on strengthening your cybersecurity posture, visit our profile!