Getty Images

Four zero-days fixed for September Patch Tuesday

Most corrections this month focus on the Windows OS, but enterprises that rely on SQL Server or SharePoint should prioritize deploying the security updates for those platforms.

Deploying patches to correct four zero-days under active exploit should take top priority for Microsoft admins this month.

On September Patch Tuesday, Microsoft addressed 79 new CVEs with seven rated critical. Microsoft also released updates to eight older vulnerabilities. As usual, most fixes were for the Windows operating system. But organizations that rely on SQL Server or SharePoint should roll out fixes for those platforms in short order.

The first zero-day, CVE-2024-43491, is a Microsoft Windows Update remote-code execution vulnerability rated critical with a base CVSS rating of 9.8.

The bug affects systems that run Windows 10 version 1507 on security updates from March 2024 to August 2024 that have certain optional components enabled, such as the LPD Print Service, Internet Explorer 11 and Windows Media Player.

Microsoft released Windows 10 version 1507 in July 2015 and ended support in May 2017. But two specialized versions of that product -- Windows 10 LTSB 2015 and Windows 10 IoT LTSB 2015 Enterprise editions -- have support until October 2025 and received security updates on September Patch Tuesday.

Chris Goettl, vice president of security product management at Ivanti, told TechTarget Editorial that the footprint of affected systems is likely to be small due to the specific nature of those editions.

"I would expect most deployments are in environments with a Windows 10 system hooked up to a device that does not change very often," he said. "This would be used in the manufacturing space or areas where the device is hooked up to a major piece of infrastructure, such as an energy plant."

Microsoft reported that this Windows zero-day stems from a Servicing Stack issue that rolled back corrections for previously patched vulnerabilities. Microsoft said versions of Windows 10 released after November 2015 are not affected.

Admins will have to pay attention and install the September 2024 Servicing Stack Update KB5043936 and September 2024 Windows Security Update KB5043083 in that sequence to mitigate the vulnerability.

The second zero-day is a Microsoft Publisher security feature bypass vulnerability, CVE-2024-38226, rated important with a base CVSS rating of 7.3, affecting Microsoft Publisher 2016, Microsoft Office LTSC 2021 and Microsoft Office 2019.

After successfully exploiting this vulnerability, an attacker can get around Office macro policies that protect the system from untrusted or malicious files. The threat actor must get the user to open a specially crafted file to trigger the exploit.

The third zero-day is a Windows Mark of the Web (MOTW) security feature bypass vulnerability, CVE-2024-38217, rated important with a base CVSS rating of 5.4. It affects Windows desktop and server systems. This flaw was also publicly disclosed, and Microsoft reported that functional exploit code exists.

The exploit requires user interaction so the threat actor must convince the targeted individual to download and open the file. If successful, the attacker can evade MOTW protections in the Windows OS, including SmartScreen Application Reputation checks and Windows Attachment services security prompts.

The fourth zero-day is a Windows Installer elevation-of-privilege vulnerability, CVE-2024-38014, rated important with a base CVSS score of 7.8 that affects both Windows desktop and server systems. A successful exploit gives the attacker system privileges on the device.

This vulnerability only requires low privileges and does not need user interaction, which makes it ideal for a threat actor who combines several vulnerabilities to solidify their position in an organization's environment.

"Typically, this is used in an attack where you chain two or three vulnerabilities together. They get in by convincing the user to click on something they shouldn't. Then, they elevate their privileges and use remote-code execution or the Mark of the Web bypass to install something bad," Goettl said.

Other security updates of note for September Patch Tuesday

Microsoft released security updates for 13 new CVEs for its SQL Server product -- some with an 8.8 CVSS score -- and reissued two CVEs from July Patch Tuesday.

Administrators who patch these relational database management systems will want to read Microsoft's notes closely to avoid driver-related problems during the patching process. While the SQL Server update includes driver fixes, organizations that run their own application should update the system to the Microsoft OLE DB Driver 18 or 19. To update a vendor's application, admins should check with the developer to make sure the drivers are compatible before installation.

"Immediate action is not needed. But admins should take the time to investigate if the environment needs a special touch or if it's just a clean install so they're not delaying things," Goettl said.

Microsoft corrected five Microsoft Office SharePoint vulnerabilities, which are all remote-code execution flaws. Of this group, CVE-2024-38018 and CVE-2024-43464 were rated critical. For CVE-2024-38018, an attacker only needs basic privileges to run code to steal information, modify files or disrupt the system. For CVE-2024-43464, an authenticated attacker could use the flaw to upload and execute code to disrupt the server, modify its files or disclose information.

BlackLotus mitigation process continues to loom over admins

One of the more daunting mitigations for Windows admins in recent memory continues to lurk in the background with no clear enforcement date in sight.

Microsoft first addressed a Secure Boot security feature bypass vulnerability, CVE-2023-24932, in the 2023 May Patch Tuesday security updates. An attacker could exploit the vulnerability using the BlackLotus UEFI bootkit to alter the system boot sequence to gain control of the operating system.

The July Patch Tuesday security update added mitigations for CVE-2023-24932 but did not enable them by default. Microsoft's Knowledge Base article KB5025885 gives lengthy instructions and multiple disclaimers to assist administrators who want to test these mitigations on Windows devices. The instructions explain how to deploy the mitigations and warn IT staff about the potential risks, from failed firmware updates to systems that boot into BitLocker recovery mode.

Consultant Panu Saukko posted a warning to administrators from his account on X, formerly Twitter, to share his concerns about the remediation process, which requires updating certificate definitions, updating the boot manager, enabling the revocation process and updating the firmware. Administrators will need to reboot the machine a total of eight times to complete the process.

After the current deployment phase, Microsoft will implement an enforcement phase to make the mitigations permanent. That date has yet to be announced.

Saukko wrote enforcement could begin in early 2025. But he said he felt it would be delayed due to the need for better tools and improved instructions to execute the mitigation.

Tom Walat is the site editor for TechTarget Editorial's Windows Server site, where he manages all site content. Walat previously worked for a newspaper in the Greater Boston area.

Next Steps

Microsoft repairs 2 zero-days on October Patch Tuesday

Dig Deeper on IT operations and infrastructure management