September 2024 Update: Microsoft Uncovers Four Zero-Day Vulnerabilities

On the second Tuesday of each month, Microsoft releases a package of fixes for Windows. This Tuesday's release disclosed four zero-day vulnerabilities and two highly critical vulnerabilities, and was accompanied by several related updates from Adobe.

On “Update Tuesday,” as Microsoft dubs it, other major software companies such as Adobe also roll out key security patches. Updates are deployed across corporate networks at this time, typically around mid-morning Pacific Standard Time, so that administrators and users do not face a last-minute rush at the start of the week or the next day.

For administrators, Patch Tuesday is a key reminder to confirm that their Microsoft security updates are current.

Four zero-day vulnerabilities exploited by attackers

The four vulnerabilities that attackers have exploited include:

  • CVE-2024-43491: a flaw in the Windows 10 version 1507 Servicing Stack that leaves Optional Components exposed to vulnerabilities previously believed to be mitigated. Later versions of Windows 10 are unaffected. The flaw is addressed in the September 2024 Servicing Stack update and the September 2024 Windows security update.
  • CVE-2024-38226: a bypass vulnerability in Microsoft Publisher.
  • CVE-2024-38217: a flaw that lets attackers circumvent Mark of the Web security alerts.
  • CVE-2024-38014: an improper privilege management vulnerability that could grant attackers privileges they should not have.

Two vulnerabilities categorized as ‘critical’ by NIST

The National Vulnerability Database uses the Common Vulnerability Scoring System to prioritize vulnerabilities, assigning a “critical” rating to those that meet a specific severity threshold. The vulnerabilities rated critical, which demand immediate attention, are CVE-2024-43491, mentioned earlier, and CVE-2024-38220, an elevation of privilege flaw in Azure Stack Hub.

Overall, 79 flaws were addressed in the September Update Tuesday.

Adobe issues its monthly security patches

Adobe published its set of fixes for Photoshop, ColdFusion, Acrobat Reader, Illustrator, Premiere Pro, After Effects, Audition, and Media Encoder.
