On Tuesday, Microsoft released its Patch Tuesday updates for September 2024 and disclosed that four security vulnerabilities in the Windows ecosystem are flagged as exploited in the wild (one of them, the Windows Update flaw, carries that rating for the reasons Microsoft explains below rather than because of direct exploitation).
The monthly security update addresses a total of 79 vulnerabilities. Of these, seven are categorized as Critical, 71 as Important, and one as Moderate. This is in addition to 26 issues resolved in the Chromium-based Edge browser since last month’s update.
The vulnerabilities Microsoft flags as exploited are:
- CVE-2024-38014 (CVSS score: 7.8) – Windows Installer Elevation of Privilege Vulnerability
- CVE-2024-38217 (CVSS score: 5.4) – Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability
- CVE-2024-38226 (CVSS score: 7.3) – Microsoft Publisher Security Feature Bypass Vulnerability
- CVE-2024-43491 (CVSS score: 9.8) – Microsoft Windows Update Remote Code Execution Vulnerability
Satnam Narang, Senior Staff Research Engineer at Tenable, noted, “The exploitation of CVE-2024-38226 and CVE-2024-38217 can result in bypassing crucial security features designed to prevent the execution of malicious Microsoft Office macros.”
He elaborated that, “In both instances, the victim must be persuaded to open a specially crafted file from an attacker-controlled server. The distinction lies in that exploiting CVE-2024-38226 requires the attacker to be authenticated and possess local access to the system.”
As Elastic Security Labs reported last month, CVE-2024-38217, also known as LNK Stomping, has been exploited in the wild since February 2018.
CVE-2024-43491 is particularly notable for its resemblance to the downgrade attack previously detailed by cybersecurity firm SafeBreach.
Microsoft acknowledged a flaw in the Servicing Stack that rolled back fixes for certain Optional Components on Windows 10, version 1507, the initial release from July 2015. As a result, vulnerabilities that had already been patched can be exploited again on Windows 10, version 1507 systems (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) that installed the March 12, 2024 security update KB5035858 (OS Build 10240.20526) or any later update through August 2024.
The resolution involves installing the September 2024 Servicing Stack Update (SSU KB5043936) followed by the September 2024 Windows Security Update (KB5043083).
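As an added example, not code from Microsoft or from this article, the following PowerShell triage script checks a host against the affected-build description above and the two-step remediation: whether it is Windows 10, version 1507 at or past OS Build 10240.20526, and whether KB5043936 and KB5043083 are recorded as installed. The function names, the choice of Get-HotFix plus the Windows Update Agent history as the sources of truth for installed updates, and the output strings are my own assumptions, not Microsoft guidance.

```powershell
# Added triage helper for CVE-2024-43491 (not Microsoft's or the article's code).
# Checks whether this host is Windows 10, version 1507 (build 10240) at or past the
# March 12, 2024 update (KB5035858, OS Build 10240.20526), the start of the affected
# range, and whether the September 2024 SSU (KB5043936) and security update
# (KB5043083) are recorded as installed.
# Assumptions: the CurrentBuildNumber/UBR registry values exist (they do on Windows 10);
# Get-HotFix and the Windows Update Agent history are both consulted because SSUs
# installed via Windows Update or wusa appear in the history but are not always
# listed by Get-HotFix. Packages applied with DISM may appear in neither source.

function Get-OsBuildInfo {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Build = [int]$cv.CurrentBuildNumber   # 10240 for Windows 10, version 1507
        UBR   = [int]$cv.UBR                  # update build revision, e.g. 20526
    }
}

function Test-KbInstalled {
    param([Parameter(Mandatory)][string]$Kb)

    # Source 1: Win32_QuickFixEngineering, which Get-HotFix wraps.
    if ([bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)) { return $true }

    # Source 2: Windows Update Agent history; ResultCode 2 means "Succeeded".
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return $false }
    $hits = $searcher.QueryHistory(0, $count) |
        Where-Object { $_.Title -match $Kb -and $_.ResultCode -eq 2 }
    return [bool]$hits
}

$os = Get-OsBuildInfo
if ($os.Build -ne 10240) {
    "Build $($os.Build).$($os.UBR) is not Windows 10, version 1507; the CVE-2024-43491 rollback does not apply."
    return
}

$ssu = Test-KbInstalled -Kb 'KB5043936'   # September 2024 Servicing Stack Update
$lcu = Test-KbInstalled -Kb 'KB5043083'   # September 2024 security update

# Affected: at or past the March 2024 build without the September fix pair.
$inAffectedRange = ($os.UBR -ge 20526) -and -not ($ssu -and $lcu)

"OS build        : 10240.$($os.UBR)"
"KB5043936 (SSU) : $ssu"
"KB5043083 (LCU) : $lcu"
if ($inAffectedRange) {
    "VULNERABLE: Optional Component fixes may be rolled back. Install KB5043936 first, then KB5043083."
} elseif ($os.UBR -lt 20526) {
    "Build predates KB5035858, so the rollback is not present, but the host has not received the March 2024 or any later update."
} else {
    "OK: September 2024 SSU and security update are both installed."
}
```

Run it in an elevated PowerShell session on the 1507 LTSB hosts you manage; the "VULNERABLE" branch is the one that should drive the SSU-then-security-update install order described above, since applying KB5043083 without the servicing stack fix leaves the rollback mechanism in place.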
Microsoft's "Exploitation Detected" rating for CVE-2024-43491 stems from the rollback itself: some of the Optional Component fixes it undid on Windows 10 (version 1507) addressed vulnerabilities that had previously been exploited in the wild.
“No direct exploitation of CVE-2024-43491 itself has been observed,” the company stated. “Moreover, the Windows product team at Microsoft discovered this issue, and no evidence suggests it is publicly known.”