Microsoft on Tuesday disclosed that three new security flaws impacting the Home windows platform have come below energetic exploitation as a part of its Patch Tuesday replace for September 2024.
The month-to-month security launch addresses a complete of 79 vulnerabilities, of which seven are rated Crucial, 71 are rated Essential, and one is rated Reasonable in severity. That is except for 26 flaws that the tech large resolved in its Chromium-based Edge browser since final month’s Patch Tuesday launch.
The three vulnerabilities which were weaponized in a malicious context are listed beneath, alongside a bug that Microsoft is treating as exploited –
- CVE-2024-38014 (CVSS rating: 7.8) – Home windows Installer Elevation of Privilege Vulnerability
- CVE-2024-38217 (CVSS rating: 5.4) – Home windows Mark-of-the-Net (MotW) Safety Function Bypass Vulnerability
- CVE-2024-38226 (CVSS rating: 7.3) – Microsoft Writer Safety Function Bypass Vulnerability
- CVE-2024-43491 (CVSS rating: 9.8) – Microsoft Home windows Replace Distant Code Execution Vulnerability
“Exploitation of each CVE-2024-38226 and CVE-2024-38217 can result in the bypass of vital security options that block Microsoft Workplace macros from operating,” Satnam Narang, senior workers analysis engineer at Tenable, stated in a press release.
“In each instances, the goal must be satisfied to open a specifically crafted file from an attacker-controlled server. The place they differ is that an attacker would have to be authenticated to the system and have native entry to it to use CVE-2024-38226.”
As disclosed by Elastic Safety Labs final month, CVE-2024-38217 – additionally known as LNK Stomping – is claimed to have been abused within the wild way back to February 2018.
CVE-2024-43491, then again, is notable for the truth that it is much like the downgrade assault that cybersecurity firm SafeBreach detailed early final month.
“Microsoft is conscious of a vulnerability in Servicing Stack that has rolled again the fixes for some vulnerabilities affecting Non-obligatory Parts on Home windows 10, model 1507 (preliminary model launched July 2015),” Redmond famous.
“Which means an attacker may exploit these beforehand mitigated vulnerabilities on Home windows 10, model 1507 (Home windows 10 Enterprise 2015 LTSB and Home windows 10 IoT Enterprise 2015 LTSB) techniques which have put in the Home windows security replace launched on March 12, 2024 — KB5035858 (OS Construct 10240.20526) or different updates launched till August 2024.”
The Home windows maker additional stated it may be resolved by putting in the September 2024 Servicing stack replace (SSU KB5043936) and the September 2024 Home windows security replace (KB5043083), in that order.
It is also value declaring that Microsoft’s “Exploitation Detected” evaluation for CVE-2024-43491 stems from the rollback of fixes that addressed vulnerabilities impacting some Non-obligatory Parts for Home windows 10 (model 1507) which were beforehand exploited.
“No exploitation of CVE-2024-43491 itself has been detected,” the corporate stated. “As well as, the Home windows product staff at Microsoft found this concern, and now we have seen no proof that it’s publicly identified.”
Software program Patches from Different Distributors
Along with Microsoft, security updates have additionally been launched by different distributors over the previous few weeks to rectify a number of vulnerabilities, together with —
- Adobe
- Arm
- Bosch
- Broadcom (together with VMware)
- Cisco
- Citrix
- CODESYS
- D-Hyperlink
- Dell
- Drupal
- F5
- Fortinet
- Fortra
- GitLab
- Google Android and Pixel
- Google Chrome
- Google Cloud
- Google Put on OS
- Hitachi Power
- HP
- HP Enterprise (together with Aruba Networks)
- IBM
- Intel
- Ivanti
- Lenovo
- Linux distributions Amazon Linux, Debian, Oracle Linux, Crimson Hat, Rocky Linux, SUSE, and Ubuntu
- MediaTek
- Mitsubishi Electrical
- MongoDB
- Mozilla Firefox, Firefox ESR, Focus and Thunderbird
- NVIDIA
- ownCloud
- Palo Alto Networks
- Progress Software program
- QNAP
- Qualcomm
- Rockwell Automation
- Samsung
- SAP
- Schneider Electrical
- Siemens
- SolarWinds
- SonicWall
- Spring Framework
- Synology
- Veeam
- Zimbra
- Zoho ManageEngine ServiceDesk Plus, SupportCenter Plus, and ServiceDesk Plus MSP
- Zoom, and
- Zyxel
