Microsoft Security Update Summary (September 10, 2024)

On September 10, 2024, Microsoft released security updates for Windows clients and servers, for Office, and for other products. The security updates fix 79 vulnerabilities (CVEs), including seven critical vulnerabilities; four of the CVEs are classified as 0-day, and three of those are already being exploited. Below is a compact overview of the updates released on this Patchday.

Notes on the updates

A list of updates can be found on this Microsoft site. Details on the update packages for Windows, Office etc. are available in separate blog posts.

Windows 10/11, Windows Server

All Windows 10/11 updates (as well as the updates for the server counterparts) are cumulative. The monthly patchday update contains all security fixes for these Windows versions as well as all non-security fixes released up to the patchday. So besides the security patches for the vulnerabilities, the updates also contain bug fixes and new features.
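Because the updates are cumulative, the quickest way to confirm that a host is on the current servicing level is to read its OS build and Update Build Revision (UBR) rather than to hunt for individual KB numbers. The following PowerShell script is an added example and not part of the original post or of Microsoft's tooling; it assumes an elevated session, and the `$KbId` default is a placeholder to be replaced with the KB number of the September 2024 cumulative update for the host's OS, which the page does not state. On Windows 10 version 1507 (OS build 10240, the release named in the CVE-2024-43491 entry below) it additionally lists the enabled optional components so they can be compared against the affected-component list in the advisories.

```powershell
param(
    # Placeholder: replace with the KB number of the September 2024 cumulative
    # update for this OS, taken from the Microsoft release notes.
    [string]$KbId = 'KB<september-2024-cumulative-update>'
)

# Read the servicing state from the registry. UBR (Update Build Revision) is the
# fourth part of the build number and advances with every cumulative update, so it
# is the quickest indicator of whether the latest patchday update is installed.
$cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build   = [int]$cv.CurrentBuildNumber
$ubr     = [int]$cv.UBR
# DisplayVersion only exists on 20H2 and later; older builds carry ReleaseId (if anything).
$release = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }
Write-Host ("{0} {1}, OS build {2}.{3}" -f $cv.ProductName, $release, $build, $ubr)

# Is the named update listed among installed hotfixes? Get-HotFix is backed by
# Win32_QuickFixEngineering, so treat a miss as "compare the build number", not as proof.
$hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Host "$KbId installed on $($hotfix.InstalledOn)"
} else {
    Write-Warning "$KbId not listed; compare the build number above with the release notes"
}

# Build 10240 is Windows 10 version 1507 (the 2015 LTSB releases named in the
# CVE-2024-43491 advisory). On such hosts, list the enabled optional components so
# they can be checked against the affected-component list in the advisory.
if ($build -eq 10240) {
    Write-Host 'Windows 10 1507 detected; enabled optional components:'
    Get-WindowsOptionalFeature -Online |
        Where-Object { $_.State -eq 'Enabled' } |
        Select-Object -ExpandProperty FeatureName
}
```

Run it once per host (or push it through your management tooling) and compare the printed `build.UBR` with the build number Microsoft lists for the September 2024 update of that OS version; a lower UBR means an older cumulative update is still in place.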

Windows Server 2012 R2

Windows Server 2012/R2 received regular security updates until October 2023. Since then, an ESU license has been required to obtain further security updates (Windows Server 2012/R2 gets Extended Security Updates (ESU) until October 2026).

Fixed vulnerabilities

Tenable has published this blog post with an overview of the vulnerabilities that have been fixed. Here are some of the critical vulnerabilities that have been fixed:

  • CVE-2024-43491: Microsoft Windows Update Remote Code Execution vulnerability, CVSSv3 score 9.8, critical; this critical RCE vulnerability in Microsoft Windows Update affects optional components in Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB). Successful exploitation results in previously mitigated vulnerabilities being restored in the affected optional components on these Windows 10 versions. The problem dates back to update KB5035858 from March 12, 2024, and is being exploited in the wild. The Tenable article lists the affected optional components.
  • CVE-2024-38217: Windows Mark of the Web Security Feature Bypass vulnerability, CVSSv3 score 5.4, important; to exploit this vulnerability, an attacker must trick a user into opening a specially crafted file that bypasses the Mark of the Web (MotW) protections. Microsoft notes that the vulnerability was exploited in the wild and publicly disclosed before the patch was available. A different MotW vulnerability was already patched in August 2024.
  • CVE-2024-38014: Windows Installer Elevation of Privilege vulnerability, CVSSv3 score 7.8, important; this EoP vulnerability in Windows Installer was exploited as a zero-day. The advisory states that an attacker who successfully exploits it gains SYSTEM privileges.
  • CVE-2024-38226: Microsoft Publisher Security Feature Bypass vulnerability, CVSSv3 score 7.3, important; to exploit this vulnerability, an attacker must authenticate to a target system and trick a user into downloading a crafted file. This allows a local attacker to bypass the Office macro policies designed to block untrusted and potentially malicious files on the target system. According to the advisory, the Preview Pane is not an attack vector for this vulnerability. It has been exploited in the wild as a zero-day.
  • CVE-2024-26186, CVE-2024-26191, CVE-2024-37335, CVE-2024-37338, CVE-2024-37339, CVE-2024-37340: Microsoft SQL Server Native Scoring Remote Code Execution vulnerabilities, CVSSv3 score 8.8, important; to exploit these vulnerabilities, an authenticated attacker must use SQL Server Native Scoring, which applies pre-trained models to data without moving it out of the database. While these SQL Server vulnerabilities primarily allow unauthorized data manipulation, they could hypothetically lead to RCE if combined with additional vulnerabilities or misconfigurations that allow SQL command execution. Microsoft rates them "Exploitation Less Likely".
  • CVE-2024-37337, CVE-2024-37342, CVE-2024-37966: Microsoft SQL Server Native Scoring Information Disclosure vulnerabilities, CVSSv3 score 7.1, important; successful exploitation by a threat actor with authenticated access to Microsoft SQL Server Native Scoring could allow small portions of heap memory to be read. The exposed memory could contain sensitive data, including user credentials, session tokens, or application-level information, which could enable further attacks. Microsoft rates them "Exploitation Less Likely".
  • CVE-2024-38018: Microsoft SharePoint Server Remote Code Execution vulnerability, CVSSv3 score 8.8, critical; a threat actor would generally need to be authenticated and have sufficient page creation privileges to exploit this RCE in Microsoft SharePoint Server. Microsoft rates it "Exploitation More Likely".
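The MotW bypass (CVE-2024-38217) and the Publisher macro-policy bypass (CVE-2024-38226) both hinge on a downloaded file not being treated as coming from the internet. Mark of the Web is simply an NTFS alternate data stream named `Zone.Identifier` that browsers and mail clients attach to downloads; SmartScreen and Office Protected View decide what to do with a file based on its `ZoneId`. The PowerShell script below is an added example and not part of the original post or of any Microsoft tool; it audits a folder (by default the current user's Downloads directory, an assumption) and reports which files carry a MotW stream, which zone it names and, where recorded, the host URL. Files that arrived from the internet but show "no MotW", or a zone below 3, are the ones that would not be sandboxed and deserve a second look.

```powershell
param(
    # Folder to audit; defaults to the current user's Downloads folder (assumption).
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
)

# URL security zone ids as written into the Zone.Identifier stream.
$zoneNames = @{ 0 = 'LocalMachine'; 1 = 'LocalIntranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Get-MotwInfo {
    param([System.IO.FileInfo]$File)

    # The FileSystem provider exposes NTFS alternate data streams through -Stream
    # (PowerShell 3.0 and later). A missing stream raises a non-terminating error,
    # which is silenced here and treated as "no MotW".
    $content = Get-Content -LiteralPath $File.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    $zoneId  = $null
    $hostUrl = $null
    foreach ($line in @($content)) {
        if ($line -match '^ZoneId=(\d+)')     { $zoneId  = [int]$Matches[1] }
        elseif ($line -match '^HostUrl=(.+)') { $hostUrl = $Matches[1] }
    }

    $zone = if ($null -eq $zoneId) { 'no MotW' }
            elseif ($zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] }
            else { 'unknown' }

    [pscustomobject]@{
        File    = $File.FullName
        ZoneId  = $zoneId
        Zone    = $zone
        HostUrl = $hostUrl
    }
}

# Report every file. Files without the stream, or with a zone below 3 (Internet),
# will not trigger SmartScreen or Office Protected View and are worth reviewing.
Get-ChildItem -LiteralPath $Path -File -Recurse |
    ForEach-Object { Get-MotwInfo -File $_ } |
    Sort-Object ZoneId |
    Format-Table -AutoSize
```

The stream only survives on NTFS, so files copied onto FAT/exFAT removable media or extracted by an archiver that does not propagate the mark will show up as "no MotW" even though they originated online; that is exactly the class of gap the patched MotW bypasses exploit, and this report makes such files visible.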

A list of all CVEs addressed this month can be found on this Microsoft site; excerpts are available at Tenable. Below is the list of patched products:

  • Azure CycleCloud
  • Azure Network Watcher
  • Azure Stack
  • Azure Web Apps
  • Dynamics Business Central
  • Microsoft AutoUpdate (MAU)
  • Microsoft Dynamics 365 (on-premises)
  • Microsoft Graphics Component
  • Microsoft Management Console
  • Microsoft Office Excel
  • Microsoft Office Publisher
  • Microsoft Office SharePoint
  • Microsoft Office Visio
  • Microsoft Outlook for iOS
  • Microsoft Streaming Service
  • Power Automate
  • Role: Windows Hyper-V
  • SQL Server
  • Windows Admin Center
  • Windows AllJoyn API
  • Windows Authentication Methods
  • Windows DHCP Server
  • Windows Installer
  • Windows Kerberos
  • Windows Kernel-Mode Drivers
  • Windows Libarchive
  • Windows MSHTML Platform
  • Windows Mark of the Web (MOTW)
  • Windows Network Address Translation (NAT)
  • Windows Network Virtualization
  • Windows PowerShell
  • Windows Remote Access Connection Manager
  • Windows Remote Desktop Licensing Service
  • Windows Security Zone Mapping
  • Windows Setup and Deployment
  • Windows Standards-Based Storage Management Service
  • Windows Storage
  • Windows TCP/IP
  • Windows Update
  • Windows Win32K – GRFX
  • Windows Win32K – ICOMP

Similar articles:
Office updates from September 3, 2024
Microsoft Security Update Summary (September 10, 2024)
Patchday: Windows 10/Server Updates (September 10, 2024)
Patchday: Windows 11/Server 2022-Updates (September 10, 2024)
Windows Server 2012 / R2 and Windows 7 (September 10, 2024)
Microsoft Office Updates (September 10, 2024)
