Microsoft Fixes Five Zero-Day Vulnerabilities and Dozens of Other Windows Security Issues

Microsoft yesterday released a security update for its Windows operating systems. This time, the company has closed 79 vulnerabilities, most of which fall into the “critical” and “high risk” categories. According to Microsoft, four of the vulnerabilities on this list are already being exploited in the wild, so the company advises downloading the security update as soon as possible.

Image source: geralt/Pixabay

Most of the vulnerabilities (67) are found on different versions of Windows, including Windows 10, Windows 11 and Windows Server. Windows 7 and 8.1 versions no longer appear in Microsoft security reports, but they are also potentially at risk. Unless there is a compelling reason, you should still consider upgrading to Windows 10 (22H2) or Windows 11 (23H2) to continue receiving the latest security updates, Microsoft notes. However, it should be remembered that support for Windows 10 will end in 2025.

The latest security patch also includes some updates for Windows 11 24H2, but said major whitewash of the operating system, expected to be released this fall, is still being tested as part of the Windows Insider program and is not yet available to all Windows 11 users.

Closed zero-day vulnerabilities

As noted above, several security vulnerabilities are already being exploited in real attacks. There is currently some debate about whether one of them, namely CVE-2024-43461, is actively used. Microsoft did not provide additional information about these zero-day vulnerabilities in its latest security report, but they were highlighted by cybersecurity expert Dustin Childs on the Zero Day Initiative blog. Childs claims that experts have found a vulnerability that allows the use of fake data. They reported this to Microsoft, but the company did not include it in the list of vulnerabilities that are used in real conditions.

The table below highlights the most dangerous security vulnerabilities in Microsoft’s Patch Day report for September 2024. Note: RCE: Remote Code Execution – remote code execution; EoP: Elevation of Privilege – increasing access privileges; SFB: Security Feature Bypass – bypass security functions. Vulnerabilities that are already being exploited in real conditions are marked in red in the table.

According to Microsoft, the vulnerability CVE-2024-38217 (security feature bypass) is not only exploitable, but was known in advance. This vulnerability affects the Mark of the Web (MotW) feature in uploaded files, which allows security mechanisms to be bypassed.

As for CVE-2024-43491, it is the only remote code execution (RCE) vulnerability among the four zero-day vulnerabilities. It only affects some older versions of Windows 10 and can only be fixed by installing update KB5043936 and then installing update KB5043083. Microsoft says newer versions of Windows 10 are not affected by this vulnerability.

CVE-2024-38014 (Elevation of Privilege, EoP) vulnerability exists in Windows Installer for all currently supported versions of Windows, including server editions. An attacker using this vulnerability could gain system permissions without user interaction. The exact mechanism is unclear, but attackers typically combine EoP vulnerabilities with RCE vulnerabilities to remotely execute malicious code.

Other critical Windows vulnerabilities

The report also identifies several critical vulnerabilities, one of which is related to Windows. These vulnerabilities have not yet been exploited in real conditions. The RCE vulnerability CVE-2024-38119 is related to the Network Address Translation (NAT) feature and requires the attacker to be on the same network as the victim. This is because NAT generally does not support routing, which means it cannot be used beyond the network boundary.

There are seven vulnerabilities associated with Windows Remote Desktop Services, including four RCE (remote code execution) vulnerabilities. The report also identifies one vulnerability each in Microsoft Management Console (CVE-2024-38259) and Power Automate for desktops (CVE-2024-43479).

Microsoft Office vulnerabilities

The new security patch also fixes 11 vulnerabilities related to Microsoft Office products, including one zero-day vulnerability and two critical ones. A security feature bypass vulnerability (CVE-2024-38226) was discovered by an unknown security researcher in Microsoft Publisher. The attackers immediately began to exploit it. To do this, the attacker reportedly needs to convince the user to open a specially crafted file in Publisher. If successful, the Office macros bypass the rules and execute malicious code.

Microsoft has also designated two RCE vulnerabilities in SharePoint Server (CVE-2024-38018, CVE-2024-43464) as “critical.” Another RCE vulnerability (CVE-2024-38227) in SharePoint Server and one in Visio (CVE-2024-43463) are marked as “high risk”.

SQL Server Vulnerabilities

13 security issues have been resolved in SQL Server. Six of them were RCE vulnerabilities with a CVSS rating of 8.8. The company also closed three EoP vulnerabilities and four data leaks.

Browser updates

The latest security update for the Microsoft Edge browser is version 128.0.2739.63, dated September 3, based on Chromium 128.0.6613.120. However, it has not yet appeared in the security update report. The Edge 128.0.2739.67 update on September 5 only fixes a few bugs. Google released a new Chrome security update on September 10th. It covers several high-risk vulnerabilities.