EXPEL BLOG

Patch Tuesday roundup for September 2024

· 2 MIN READ · MATT JASTRAM · SEP 11, 2024 · TAGS: MDR / vulnerability prioritization

TL;DR

  • We focused on four critical Microsoft CVEs this month to address ASAP
  • Microsoft still shipped a large number of CVEs this release, but September's total was lower than August's
  • These four vulnerabilities we highlighted are already in CISA’s Known Exploited Vulnerability (KEV) database

This Patch Tuesday includes 79 published CVEs from Microsoft.

To save you time, our team reviewed the September 2024 edition of Patch Tuesday, and has called out four CVEs this month for you to focus on.

Microsoft’s September release continues the trend of numerous CVEs, although the total is lower than in August (extra time to get that inaugural pumpkin spice latte!). CISA already added four of the vulnerabilities to their Known Exploited Vulnerability (KEV) database with a short remediation timeline—a 10/1/2024 due date for federal agencies and companies with policies aligned with CISA. The four vulnerabilities added to the KEV yesterday were our focus this month and are summarized here:

  • Windows Mark of the Web (MotW) Security Feature Bypass Vulnerability: With CVE-2024-38217, attackers used the WebDAV protocol to retrieve the file from the attacker’s remote share, which prevents the file from being tagged with a Mark of the Web indicator and bypasses the security checks that depend on it. Last month, our SOC identified a malware-based incident exploiting a Mark of the Web security feature bypass. An email contained an HTML attachment that leveraged a similar type of vulnerability to circumvent the Mark of the Web, which eventually allowed the attackers to retrieve files and run malware. This tactic is clearly out in the wild, so we highly recommend you identify whether any of the 46 Windows updates impacts your infrastructure, and remediate this zero-day immediately.
  • Microsoft Windows Update Remote Code Execution Vulnerability: CVE-2024-43491 is addressed through a Servicing Stack Update (SSU) that improves the reliability of the Microsoft update process and mitigates potential issues while installing the latest cumulative updates (LCU). The risk is that if these updates aren’t installed, previous and ongoing vulnerabilities could be leveraged. Microsoft currently claims that the CVE hasn’t been exploited, but CISA has added this zero-day to the KEV database. If this impacts you, install both the servicing stack update (KB5043936) and the security update (KB5043083), released on September 10, 2024, to address the risk fully.
  • Microsoft Publisher Security Feature Bypass Vulnerability: CVE-2024-38226 lets an attacker propagating malware bypass the Office macro policies used to block malicious files. The affected product scope is smaller for this CVE, with only six versions of Microsoft Office and Publisher affected. We recommend verifying impact and updating these products accordingly if needed.
  • Windows Installer Elevation of Privilege Vulnerability: CVE-2024-38014 lets a threat actor who successfully exploits this zero-day vulnerability gain system privileges. Microsoft’s exploitation details have yet to be published, but we’d recommend determining if your systems are vulnerable. A large set of Windows products are impacted (38 total), including Windows Server 2008, 2012, 2016, 2019, and 2022, Windows 10 (four versions), and Windows 11 (eight versions).
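As an added example (not code from the Expel post), the PowerShell script below checks a Windows host for the two September 2024 updates called out above (KB5043936 and KB5043083) and lists downloaded files that carry no Mark of the Web, the indicator the MotW bypass above strips. It assumes Windows PowerShell 5.1 or later run locally; the Downloads folder path and the output field names are the example's own choices.

```powershell
# Added example, not from the original post. Requires Windows PowerShell 5.1+ on Windows.
# KB numbers are taken from the post (SSU + security update for CVE-2024-43491).
$RequiredKBs = @('KB5043936', 'KB5043083')

function Get-MissingUpdates {
    param([string[]]$KBs = $RequiredKBs)
    # Get-HotFix reads the Win32_QuickFixEngineering inventory of Windows updates.
    # Office/Publisher updates (CVE-2024-38226) are not recorded there and need a separate check.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return @($KBs | Where-Object { $_ -notin $installed })
}

function Get-FilesWithoutMotW {
    # Assumed location: the current user's Downloads folder.
    param([string]$Path = (Join-Path $env:USERPROFILE 'Downloads'))
    # Mark of the Web is stored in the Zone.Identifier alternate data stream; a file that
    # came from the internet normally has ZoneId=3. Files with no stream at all are the
    # ones the security checks in the post would not see. Locally created files also lack
    # the stream, so treat hits as leads for triage rather than proof of a bypass.
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $zone = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if (-not $zone) {
            [pscustomobject]@{
                File         = $_.FullName
                LastWrite    = $_.LastWriteTime
                ZoneId       = 'none'
            }
        }
    }
}

# Report which of the required updates are absent.
$missing = Get-MissingUpdates
if ($missing.Count -gt 0) {
    Write-Output "Missing updates: $($missing -join ', ')"
} else {
    Write-Output 'Both required September 2024 updates are present.'
}

# Report downloaded files that carry no Mark of the Web.
Get-FilesWithoutMotW | Format-Table -AutoSize
```

Run it in an elevated session if Get-HotFix returns an incomplete list on your build, and review any listed files against your own download and email-attachment telemetry before drawing conclusions.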

That’s it for this month. If you have any questions about these specific vulnerabilities (or others on the Patch Tuesday list)—or if you’re interested in learning how Expel Vulnerability Prioritization can give you context for your own environment—get in touch.