
Microsoft patched 79 CVEs in its September 2024 Patch Tuesday release, with seven rated critical, 71 rated as important, and one rated as moderate. This includes patches for 4 zero-day vulnerabilities.
Based on evidence of exploitation, CISA has added the vulnerabilities CVE-2024-38226, CVE-2024-43491, CVE-2024-38014 and CVE-2024-38217 to its Known Exploited Vulnerabilities Catalog.
All 79 bugs are categorized below:
- 30 Elevation of Privilege Vulnerabilities
- 23 Remote Code Execution Vulnerabilities
- 11 Information Disclosure Vulnerabilities
- 8 Denial of Service Vulnerabilities
- 4 Security Feature Bypass Vulnerabilities
- 3 Spoofing Vulnerabilities
Microsoft Windows Update Remote Code Execution Vulnerability
CVE-2024-43491, assigned a CVSSv3 score of 9.8, is an RCE vulnerability in Microsoft Windows Update affecting Optional Components on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB).
This vulnerability stems from a code defect that was triggered in how the Servicing Stack handled the applicability of Optional Components. The issue began with the security update released on March 12, 2024 (KB5035858). The affected Optional Components were flagged as not applicable and reverted to their Release to Manufacturing (RTM) version.
Successful exploitation would result in the rollback of previously mitigated vulnerabilities in the affected Optional Components on the Windows 10 versions specified above. It is labelled as exploited in the wild; however, Microsoft states that there is no evidence of direct exploitation of CVE-2024-43491. Rather, the label is based on observed rollbacks of CVEs related to Optional Components for Windows 10 (version 1507).
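The following PowerShell sketch is an added example, not code from Microsoft or from the original post. It flags hosts that fall into the population described above: build 10240 (version 1507), the triggering update installed, and Optional Components enabled. The function name and output fields are hypothetical, and only KB5035858 is checked by default because it is the only update named here.

```powershell
# Added example: inventory check for the CVE-2024-43491 rollback condition.
# Function name and output field names are hypothetical.
function Test-OptionalComponentRollbackExposure {
    [CmdletBinding()]
    param(
        # KB5035858 is the update named above as the starting point.
        # Append later update IDs from Microsoft's advisory as needed.
        [string[]]$TriggerUpdate = @('KB5035858')
    )

    # Windows 10, version 1507 reports build number 10240.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $is1507 = ($os.BuildNumber -eq '10240')

    # Installed updates that match the trigger list (empty when none are present).
    $found = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $TriggerUpdate -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)

    # Enabled Optional Components are the ones that could have been reverted.
    # Get-WindowsOptionalFeature requires an elevated session.
    $enabled = @()
    if ($is1507) {
        $enabled = @(Get-WindowsOptionalFeature -Online |
            Where-Object { $_.State -eq 'Enabled' } |
            Select-Object -ExpandProperty FeatureName)
    }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        Build                     = $os.BuildNumber
        IsVersion1507             = $is1507
        TriggerUpdatesInstalled   = $found
        EnabledOptionalComponents = $enabled
        NeedsReview               = ($is1507 -and $found.Count -gt 0 -and $enabled.Count -gt 0)
    }
}

Test-OptionalComponentRollbackExposure
```

A `NeedsReview` value of `False` on a version 1507 host only means KB5035858 was not found in the installed-update list; it does not cover later updates that are not in `$TriggerUpdate`.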
Windows Mark of the Web Security Feature Bypass Vulnerability
CVE-2024-38217, assigned a CVSSv3 score of 5.4, is a security feature bypass vulnerability affecting Mark of the Web. Microsoft notes that it was exploited in the wild and publicly disclosed prior to the patch becoming available. Successful exploitation of this vulnerability requires an attacker to convince a user to open a specially crafted file that could evade Mark of the Web (MOTW) defenses.
An additional Mark of the Web security feature bypass vulnerability, CVE-2024-43487 with a CVSSv3 score of 6.5, was also patched this month. This flaw was rated as “Exploitation Less Likely” according to the Microsoft Exploitability Index. As with CVE-2024-38217, successful exploitation would involve the attacker convincing a user to open a specially crafted file.
This is the second month in a row that a MOTW security feature bypass vulnerability was exploited in the wild as a zero-day, as Microsoft published CVE-2024-38213 in August, though this flaw was originally patched as part of its June 2024 Patch Tuesday.
Windows Installer Elevation of Privilege Vulnerability
CVE-2024-38014 is an EoP vulnerability affecting Windows Installer that was observed being exploited as a zero-day. While Microsoft did not share any details on exploitation, the advisory does note that successful exploitation would grant the attacker SYSTEM-level privileges. EoP vulnerabilities such as this one are often used as part of post-compromise activity to further compromise a network using elevated account privileges.
Microsoft Publisher Security Features Bypass Vulnerability
CVE-2024-38226, assigned a CVSSv3 score of 7.3, is a security feature bypass vulnerability affecting Microsoft Publisher. This vulnerability has been exploited in the wild as a zero-day. To exploit this flaw, an attacker must be authenticated to a target system and convince a user to download a crafted file. This would allow a local attacker to bypass Office macro policies designed to block untrusted and potentially malicious files on the target’s system. According to the advisory, the Preview Pane is not an attack vector for this vulnerability.
Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability
CVE-2024-26186, CVE-2024-26191, CVE-2024-37335, CVE-2024-37338, CVE-2024-37339 and CVE-2024-37340 are a series of RCE vulnerabilities affecting Microsoft SQL Server Native Scoring, each assigned a CVSSv3 score of 8.8. All six of these vulnerabilities are rated as important, with an exploitability index assessment of “Exploitation Less Likely.”
Successful exploitation of these vulnerabilities requires an authenticated attacker to leverage SQL Server Native Scoring to apply pre-trained models to their data without moving it out of the database. While the SQL Server vulnerabilities primarily enable unauthorized data manipulation, they could hypothetically lead to RCE if combined with additional security flaws or misconfigurations that allow SQL command execution.
Microsoft SQL Server Native Scoring Information Disclosure Vulnerability
CVE-2024-37337, CVE-2024-37342 and CVE-2024-37966 are information disclosure vulnerabilities affecting Microsoft SQL Server Native Scoring, each assigned a CVSSv3 score of 7.1. Their exploitability index assessment is “Exploitation Less Likely.” Successful exploitation of these vulnerabilities by a threat actor with authenticated access to Microsoft SQL Server Native Scoring could potentially allow the reading of small portions of heap memory. The disclosed memory could contain sensitive data, including user credentials, session tokens, or application-level information, which may lead to further security risks.
Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2024-38018 is a critical severity RCE affecting Microsoft SharePoint Server with a CVSSv3 score of 8.8 and an exploitability index assessment of “Exploitation More Likely.” While Microsoft has provided no information on exploitability, a threat actor would generally need to be authenticated and have sufficient permissions for page creation to take advantage of this RCE in Microsoft SharePoint Server.
Patch Tuesday Summary
| CVE ID | CVE Title | Severity |
| --- | --- | --- |
| CVE-2024-38216 | Azure Stack Hub Elevation of Privilege Vulnerability | Critical |
| CVE-2024-38220 | Azure Stack Hub Elevation of Privilege Vulnerability | Critical |
| CVE-2024-38194 | Azure Web Apps Elevation of Privilege Vulnerability | Critical |
| CVE-2024-43464 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical |
| CVE-2024-38018 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical |
| CVE-2024-38119 | Windows Network Address Translation (NAT) Remote Code Execution Vulnerability | Critical |
| CVE-2024-43491 | Microsoft Windows Update Remote Code Execution Vulnerability | Critical |
| CVE-2024-43469 | Azure CycleCloud Remote Code Execution Vulnerability | Important |
| CVE-2024-38188 | Azure Network Watcher VM Agent Elevation of Privilege Vulnerability | Important |
| CVE-2024-43470 | Azure Network Watcher VM Agent Elevation of Privilege Vulnerability | Important |
| CVE-2024-38225 | Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability | Important |
| CVE-2024-43492 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability | Important |
| CVE-2024-43476 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important |
| CVE-2024-38247 | Windows Graphics Component Elevation of Privilege Vulnerability | Important |
| CVE-2024-38250 | Windows Graphics Component Elevation of Privilege Vulnerability | Important |
| CVE-2024-38249 | Windows Graphics Component Elevation of Privilege Vulnerability | Important |
| CVE-2024-38259 | Microsoft Management Console Remote Code Execution Vulnerability | Important |
| CVE-2024-43465 | Microsoft Excel Elevation of Privilege Vulnerability | Important |
| CVE-2024-38226 | Microsoft Publisher Security Feature Bypass Vulnerability | Important |
| CVE-2024-38227 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important |
| CVE-2024-38228 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important |
| CVE-2024-43466 | Microsoft SharePoint Server Denial of Service Vulnerability | Important |
| CVE-2024-43463 | Microsoft Office Visio Remote Code Execution Vulnerability | Important |
| CVE-2024-43482 | Microsoft Outlook for iOS Information Disclosure Vulnerability | Important |
| CVE-2024-38245 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | Important |
| CVE-2024-38241 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | Important |
| CVE-2024-38242 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | Important |
| CVE-2024-38244 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | Important |
| CVE-2024-38243 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | Important |
| CVE-2024-38237 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | Important |
| CVE-2024-38238 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | Important |
| CVE-2024-43479 | Microsoft Power Automate Desktop Remote Code Execution Vulnerability | Important |
| CVE-2024-38235 | Windows Hyper-V Denial of Service Vulnerability | Important |
| CVE-2024-37338 | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | Important |
| CVE-2024-37980 | Microsoft SQL Server Elevation of Privilege Vulnerability | Important |
| CVE-2024-26191 | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | Important |
| CVE-2024-37339 | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | Important |
| CVE-2024-37337 | Microsoft SQL Server Native Scoring Information Disclosure Vulnerability | Important |
| CVE-2024-26186 | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | Important |
| CVE-2024-37342 | Microsoft SQL Server Native Scoring Information Disclosure Vulnerability | Important |
| CVE-2024-43474 | Microsoft SQL Server Information Disclosure Vulnerability | Important |
| CVE-2024-37335 | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | Important |
| CVE-2024-37966 | Microsoft SQL Server Native Scoring Information Disclosure Vulnerability | Important |
| CVE-2024-37340 | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | Important |
| CVE-2024-37965 | Microsoft SQL Server Elevation of Privilege Vulnerability | Important |
| CVE-2024-37341 | Microsoft SQL Server Elevation of Privilege Vulnerability | Important |
| CVE-2024-43475 | Microsoft Windows Admin Center Information Disclosure Vulnerability | Important |
| CVE-2024-38257 | Microsoft AllJoyn API Information Disclosure Vulnerability | Important |
| CVE-2024-38254 | Windows Authentication Information Disclosure Vulnerability | Important |
| CVE-2024-38236 | DHCP Server Service Denial of Service Vulnerability | Important |
| CVE-2024-38014 | Windows Installer Elevation of Privilege Vulnerability | Important |
| CVE-2024-38239 | Windows Kerberos Elevation of Privilege Vulnerability | Important |
| CVE-2024-38256 | Windows Kernel-Mode Driver Information Disclosure Vulnerability | Important |
| CVE-2024-43495 | Windows libarchive Remote Code Execution Vulnerability | Important |
| CVE-2024-38217 | Windows Mark of the Web Security Feature Bypass Vulnerability | Important |
| CVE-2024-43461 | Windows MSHTML Platform Spoofing Vulnerability | Important |
| CVE-2024-38232 | Windows Networking Denial of Service Vulnerability | Important |
| CVE-2024-38233 | Windows Networking Denial of Service Vulnerability | Important |
| CVE-2024-38234 | Windows Networking Denial of Service Vulnerability | Important |
| CVE-2024-43458 | Windows Networking Information Disclosure Vulnerability | Important |
| CVE-2024-38046 | PowerShell Elevation of Privilege Vulnerability | Important |
| CVE-2024-38240 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Important |
| CVE-2024-38231 | Windows Remote Desktop Licensing Service Denial of Service Vulnerability | Important |
| CVE-2024-38258 | Windows Remote Desktop Licensing Service Information Disclosure Vulnerability | Important |
| CVE-2024-43467 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | Important |
| CVE-2024-43454 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | Important |
| CVE-2024-38263 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | Important |
| CVE-2024-38260 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | Important |
| CVE-2024-43455 | Windows Remote Desktop Licensing Service Spoofing Vulnerability | Important |
| CVE-2024-30073 | Windows Security Zone Mapping Security Feature Bypass Vulnerability | Important |
| CVE-2024-43457 | Windows Setup and Deployment Elevation of Privilege Vulnerability | Important |
| CVE-2024-38230 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability | Important |
| CVE-2024-38248 | Windows Storage Elevation of Privilege Vulnerability | Important |
| CVE-2024-21416 | Windows TCP/IP Remote Code Execution Vulnerability | Important |
| CVE-2024-38045 | Windows TCP/IP Remote Code Execution Vulnerability | Important |
| CVE-2024-38246 | Win32k Elevation of Privilege Vulnerability | Important |
| CVE-2024-38252 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | Important |
| CVE-2024-38253 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | Important |
| CVE-2024-43487 | Windows Mark of the Web Security Feature Bypass Vulnerability | Moderate |


