Friday, October 18, 2024

September Patch Tuesday: Update Required by October 1st

Microsoft has released fixes for four critical remote code execution vulnerabilities as part of its September 2024 Patch Tuesday update, indicating that these vulnerabilities are actively being exploited.

Additionally, the company has addressed three critical elevation of privilege vulnerabilities. Microsoft noted that patches are also necessary for Windows 11 version 24H2, which is set to launch later this year. New purchasers of Copilot+ PCs must apply these Patch Tuesday updates to ensure their devices remain fully secure.

One of the elevation of privilege vulnerabilities, CVE-2024-38014, impacts the Windows Installer, a component that facilitates the installation and uninstallation of software. If successfully exploited, this flaw could allow an attacker to gain system privileges and take control of the affected machine.

Another critical vulnerability, CVE-2024-43491, affects the functionality of Windows Update. Security firm Qualys reported that this stack vulnerability enables remote code execution by an attacker. Despite its known status, Microsoft has previously retracted fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (originally released in July 2015). Qualys indicated that this might enable attackers to exploit previously mitigated vulnerabilities on systems running Windows 10 version 1507 (specifically Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) that have installed the Windows security update released on 12 March or any subsequent updates up to August. Later versions of Windows 10 are not affected.

Another critical patch, for CVE-2024-38018, addresses a remote code execution vulnerability found in Microsoft SharePoint Server. Microsoft has cautioned that SharePoint administrators may encounter specific issues requiring additional workarounds post-patch. For SharePoint Enterprise Server 2016, Microsoft has integrated the OneDrive for Business modern user experience; however, this feature is limited to Software Assurance customers, so those without Software Assurance must disable the new functionality to remain compliant with Microsoft’s licensing terms.

The update also addresses a remote code execution vulnerability in the Windows Network Address Translation (NAT) system (CVE-2024-38119). According to Qualys, an attacker must have network access to exploit this vulnerability successfully.

Among the critical elevation of privilege vulnerabilities are two that affect Azure Stack Hub (CVE-2024-38216 and CVE-2024-38220), a product that allows users to run applications in an on-premises environment and provide Azure services from their data centers. Successful exploitation of these vulnerabilities could grant an attacker unauthorized access to system resources and allow actions to be performed with the same privileges as the compromised process.

Another vulnerability pertains to Azure Web Apps, which allows users to host web applications across various programming languages, including .NET, Java, Node.js, Python, and PHP. According to Qualys, an authenticated attacker might exploit a flaw in authorization to elevate privileges over the network within Azure Web Apps.

The U.S. Cybersecurity and Infrastructure Security Agency has urged users to address all vulnerabilities classified as “critical” in the update before 1 October 2024.