Microsoft has released security updates for 79 vulnerabilities in the September 2024 Patch Tuesday release. These include four actively exploited zero days (CVE-2024-38014, CVE-2024-38217, CVE-2024-38226, CVE-2024-43491). Seven of the vulnerabilities are rated as critical in severity, while the remaining 72 are rated as important or moderate.
September 2024 Risk Analysis
This month's top risk type is elevation of privilege (38%) followed by remote code execution (29%) and information disclosure (14%).
Figure 1. Details of September 2024 Patch Tuesday vulnerabilities via attack techniques
Windows products received the most patches this month with 46 patches, followed by Extended Security Update (ESU) with 23 patches and Microsoft SQL Server with 13 patches.
Figure 2. Breakdown of product families affected by the September 2024 Patch Tuesday release
An Actively Exploited Zero-Day Vulnerability in Microsoft Windows Update
Microsoft Windows Update has received a patch for CVE-2024-43491, which is rated Critical with a CVSS score of 9.8. Microsoft has identified a remote code execution (RCE) vulnerability in the servicing stack that reverses previously implemented fixes and mitigations, effectively rolling back earlier security patches. As a result, attackers can once again exploit vulnerabilities that had been mitigated on Windows 10 version 1507 systems that installed Windows Security Update KB5035858 or other updates released through August 2024. Newer versions of Windows 10 are not affected. The issue only affects Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB.
Severity | CVSS Score | CVE | Description
Critical | 9.8 | CVE-2024-43491 | Microsoft Windows Update Remote Code Execution Vulnerability
Table 1. Microsoft Windows Update zero day
Actively Exploited Zero-Day Vulnerability in Windows Installer
Windows Installer has received a patch for CVE-2024-38014, rated Important with a CVSS score of 7.8. An attacker exploiting this vulnerability could gain SYSTEM-level privileges, allowing complete control of the affected system. According to Microsoft, a proof-of-concept exploit for the vulnerability is not yet publicly available.
Severity | CVSS | CVE | Description
Important | 7.8 | CVE-2024-38014 | Windows Installer Elevation of Privilege Vulnerability
Table 2. Windows Installer zero day
Actively Exploited Zero-Day Vulnerability in Microsoft Publisher
Microsoft Publisher has received a patch for CVE-2024-38226, rated Important with a CVSS score of 7.3. An authenticated attacker could exploit this vulnerability by tricking a web visitor into downloading and opening a specially crafted file from a website. If successful, the attacker can bypass the Office macro policies designed to block untrusted or malicious files. This is a local attack that requires social engineering to convince the victim to interact with the malicious file on their computer, potentially compromising the system's security.
Severity | CVSS | CVE | Description
Important | 7.3 | CVE-2024-38226 | Microsoft Publisher Security Feature Bypass Vulnerability
Table 3. Microsoft Publisher zero day
Actively Exploited Zero-Day Vulnerability in Windows Mark of the Web
Windows Mark of the Web (MOTW), a mechanism that tags files downloaded from the web so their integrity can be evaluated, has received a patch for CVE-2024-38217, rated Important with a CVSS score of 5.4. An attacker could craft a file that evades MOTW defenses on the end user's system, which could neutralize the SmartScreen and Windows Attachment Services security features. This could compromise the integrity of the system and reduce the effectiveness of these protections. This security feature has been bypassed several times over the years (March 2023, July 2023, November 2023, February 2024, August 2024), making it a prime target for threat actors who use it in phishing attacks. According to Microsoft, a proof-of-concept exploit for the vulnerability is not yet publicly available.
Severity | CVSS Score | CVE | Description
Important | 5.4 | CVE-2024-38217 | Windows Mark of the Web Security Feature Bypass Vulnerability
Table 4. Zero day in Windows Mark of the Web
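An added audit helper (not code from the CrowdStrike post) that checks whether a downloaded file carries an effective Mark of the Web, the control CVE-2024-38217 bypasses. It assumes the standard NTFS alternate data stream named Zone.Identifier with its [ZoneTransfer]/ZoneId layout; the sample stream bodies are constructed.

```python
"""MOTW audit helper: added example, not code from the post.

MOTW is an NTFS alternate data stream "Zone.Identifier" whose INI-style body
carries a ZoneId (0-4). SmartScreen and the Attachment Manager only act on
files whose ZoneId is 3 (Internet) or 4 (Restricted).
"""
import sys

# Constructed sample stream bodies, in the form a browser writes them.
SAMPLE_INTERNET = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                   "ReferrerUrl=https://example.invalid/\r\n"
                   "HostUrl=https://example.invalid/report.xlsx\r\n")
SAMPLE_DOWNGRADED = "[ZoneTransfer]\r\nZoneId=0\r\n"   # mark present, zone lowered
SAMPLE_GARBAGE = "[ZoneTransfer]\r\nZoneId=three\r\n"  # malformed ZoneId


def parse_zone_identifier(text):
    """Return [ZoneTransfer] keys as a dict with ZoneId as int, or None if unusable."""
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    try:
        fields["ZoneId"] = int(fields["ZoneId"])
    except (KeyError, ValueError):
        return None  # missing or malformed: the file is effectively unmarked
    return fields


def smartscreen_applies(fields):
    """True only when the file carries a valid mark of zone 3 or 4."""
    return fields is not None and fields["ZoneId"] >= 3


def read_motw(path):
    """Read a file's Zone.Identifier stream on NTFS; None if absent or not Windows."""
    if sys.platform != "win32":
        return None
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None
```

Running read_motw over a Downloads folder and flagging every file for which smartscreen_applies returns False surfaces files that would slip past SmartScreen.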
Critical vulnerabilities in Windows, SharePoint, and Azure
CVE-2024-43491 is a critical remote code execution (RCE) vulnerability affecting Windows Update and has a CVSS score of 9.8. Successful exploitation allows an attacker to execute code remotely. Details are covered in the "An Actively Exploited Zero-Day Vulnerability in Microsoft Windows Update" section above.
CVE-2024-38220 is a critical RCE vulnerability affecting Azure Stack Hub and has a CVSS score of 9.0. This vulnerability could allow an attacker to gain unauthorized access to applications and content of other Azure Cloud tenants. A successful exploit could give the attacker access to system resources with the same privileges as the compromised process, potentially allowing deeper system penetration and unauthorized actions across the network. To exploit this vulnerability, an authenticated attacker would need to wait for the victim user to initiate a connection to the Azure cloud tenant.
CVE-2024-38018 is a critical RCE vulnerability affecting Microsoft SharePoint Server and has a CVSS score of 8.8. An authenticated attacker with at least site member level permissions could remotely execute code on SharePoint Server via a network-based attack. According to Microsoft, a proof-of-concept kit to exploit the vulnerability is not yet publicly available.
CVE-2024-38194 is a critical RCE vulnerability affecting Azure Web Apps and has a CVSS score of 8.4. A malicious actor with valid credentials can leverage an authorization flaw in Azure Web Apps to gain elevated permissions across the network. Microsoft has already fully addressed this vulnerability within the Azure infrastructure, and users of the affected service do not need to take any action. This CVE is published only to maintain transparency about this issue and its resolution.
CVE-2024-38216 is a critical RCE vulnerability affecting Azure Stack Hub and has a CVSS score of 8.2. To exploit this vulnerability, an authenticated attacker must wait for the victim user to establish a connection. Once the attack is successful, the attacker can gain unauthorized access to system resources, potentially executing actions with privileges consistent with the compromised process. This breach can lead to further system intrusions, unauthorized network activity, and even the ability to interact with other tenants' applications and content.
CVE-2024-38119 is a critical elevation of privilege vulnerability affecting Windows Network Address Translation (NAT) and has a CVSS score of 7.5. Exploiting this vulnerability requires the attacker to initially breach the protected network perimeter. Additionally, the attacker needs to successfully win a race condition against the normal execution flow of the program or system to complete the exploit. These requirements add layers of complexity to the attack, which may limit its usefulness. As of now, Microsoft states that proof of concept is not yet available.
CVE-2024-43464 is a critical elevation of privilege vulnerability affecting Microsoft SharePoint Server and has a CVSS score of 7.2. An attacker with site owner privileges or higher privileges could exploit this vulnerability by uploading a maliciously crafted file to the target SharePoint Server and sending crafted API requests to the target SharePoint Server. This process deserializes file parameters, allowing the attacker to inject arbitrary code and execute it on the SharePoint Server, effectively resulting in remote code execution. As of now, Microsoft states that proof of concept is not yet available.
Severity | CVSS | CVE | Description
Critical | 9.8 | CVE-2024-43491 | Microsoft Windows Update Remote Code Execution Vulnerability
Critical | 9.0 | CVE-2024-38220 | Azure Stack Hub Elevation of Privilege Vulnerability
Critical | 8.8 | CVE-2024-38018 | Microsoft SharePoint Server Remote Code Execution Vulnerability
Critical | 8.4 | CVE-2024-38194 | Azure Web Apps Elevation of Privilege Vulnerability
Critical | 8.2 | CVE-2024-38216 | Azure Stack Hub Elevation of Privilege Vulnerability
Critical | 7.5 | CVE-2024-38119 | Windows Network Address Translation (NAT) Remote Code Execution Vulnerability
Critical | 7.2 | CVE-2024-43464 | Microsoft SharePoint Server Remote Code Execution Vulnerability
Table 5. Critical vulnerabilities in Windows, SharePoint, and Azure
Patch Tuesday Dashboard in the Falcon Platform
To get a visual overview of systems affected by this month's vulnerabilities, you can use the newly available Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform under the Exposure Management > Vulnerability Management > Dashboards page. Pre-made dashboards display the latest three months of Patch Tuesday vulnerabilities.
Not all relevant vulnerabilities have patches: consider mitigation strategies
As we've learned from other high-profile vulnerabilities, such as Log4j, not all exploitable vulnerabilities can be easily patched. As with the ProxyNotShell vulnerabilities, it is extremely important to have a response plan for defending your environments when no patch is available.
Regularly reviewing your patching strategy should remain part of your program, but you should also look more holistically at your organization's approaches to cybersecurity and improve your overall security posture.
The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events daily from millions of sensors deployed in 176 countries. Watch this demo to see the Falcon platform in action.
Learn More
Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposure here.
About CVSS Scores
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard used by CrowdStrike and many other cybersecurity organizations to assess and report the severity and characteristics of software vulnerabilities. The CVSS base score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating to CVSS scores. Learn more about vulnerability scoring in this article.
Additional resources
For more information about products in the Microsoft Extended Security Updates program, see the vendor instructions here. Learn how Falcon Exposure Management can help you discover and manage vulnerabilities and other exposures in your environments. Learn how CrowdStrike's external attack surface module, CrowdStrike® Falcon Surface™, can detect unknown, exposed and vulnerable internet-facing assets, enabling security teams to stop adversaries in their tracks. Make prioritization painless and effective: see how CrowdStrike Falcon® Spotlight enables IT staff to improve visibility with custom filters and team dashboards. Experience the next generation of CrowdStrike antivirus for yourself with a free trial of CrowdStrike® Falcon Prevent™.