Attackers are already actively exploiting 4 of the 79 vulnerabilities for which Microsoft issued a patch this week as a part of its month-to-month safety replace.
Two of the zero-day bugs give attackers a solution to bypass essential safety protections in Home windows and due to this fact must be on the high of any group’s precedence checklist for remediation.
One of many remaining zero-days is an elevation of privilege flaw that permits entry to system-level privileges; the opposite is a bug that rolled again, or reintroduced, vulnerabilities in sure variations of Home windows 10 for which Microsoft had beforehand issued patches.
In complete, Microsoft’s September replace contained seven essential distant code execution (RCE) and elevation of privilege vulnerabilities. The corporate assessed 19 of the CVEs in its newest updates as vulnerabilities that attackers usually tend to exploit as a result of they allow distant code execution, contain assaults which can be low in complexity, require no person interplay, and exist in broadly deployed merchandise, in addition to different components.
Safety Bypass Zero-Days
One of many safety bypass vulnerabilities, tracked as CVE-2024-38226, impacts Microsoft Writer. It permits an attacker with authenticated entry to a system to bypass Microsoft Workplace macros for blocking untrusted and malicious recordsdata. “An authenticated attacker might exploit the vulnerability by convincing a sufferer, by way of social engineering, to obtain and open a specifically crafted file from a web site which might result in an area assault on the sufferer laptop,” Microsoft stated. The corporate gave the vulnerability a average CVSS severity rating of 6.8 of 10, presumably as a result of an attacker would want to persuade a person to open a malicious file to ensure that any exploit to work.
The opposite safety bypass zero-day bug in Microsoft’s September replace is CVE-2024-38217, within the Home windows Mark of the Internet (MoTW) characteristic that’s designed to guard customers towards probably dangerous recordsdata and content material downloaded from the Internet. The vulnerability permits an attacker to sneak malicious recordsdata previous MoTW defenses and trigger what Microsoft described as “restricted loss” of integrity and availability of software repute checks and different security measures. Microsoft assigned CVE-2024-38217 a severity score of 5 as a result of to use it an attacker would want to persuade potential victims to go to an attacker-controlled website after which obtain a malicious file from there.
“Exploitation of each CVE-2024-38226 and CVE-2024-38217 can result in the bypass of vital security measures that block Microsoft Workplace macros from working,” Satnam Narang, senior employees analysis engineer at Tenable, stated in a press release. “In each instances, the goal must be satisfied to open a specifically crafted file from an attacker-controlled server. The place they differ is that an attacker would must be authenticated to the system and have native entry to it to use CVE-2024-38226,” he stated.
RCE and Privilege Escalation Zero-Days
The 2 different bugs in Microsoft’s newest replace that attackers are already actively exploiting are CVE-2024-38014 and CVE-2024-43491. CVE-2024-38014 is an elevation of privilege vulnerability in Home windows Installer that attackers can use to achieve system-level privileges. As with the opposite zero-days, Microsoft’s advisory supplied no particulars on the exploit exercise focusing on the bug or when it might need began. Regardless of the continued assaults focusing on CVE-2024-38014, Microsoft assessed the flaw as solely reasonably extreme (7.8 on 10 on the CVSS scale) as a result of an attacker would already have to have compromised an affected system to use the vulnerability.
CVE-2024-43491, in the meantime, is a high-severity (CVSS rating 8.5) RCE in Microsoft Home windows Replace. The vulnerability rolls again fixes that Microsoft issued in March for sure variations of Home windows 10. In accordance with Microsoft, the vulnerability provides attackers a solution to exploit vulnerabilities that Microsoft beforehand mitigated in Home windows 10, model 1507, between March and August. “Prospects want to put in each the servicing stack replace (KB5043936) AND safety replace (KB5043083), launched on September 10, 2024, to be absolutely protected against the vulnerabilities that this CVE rolled again,” Microsoft stated.
Kev Breen, senior director of risk analysis at Immersive Lab, advocated that directors pay shut consideration to Microsoft’s Official Notes for CVE-2024-43491. “There are a variety of caveats to this one,” Breen stated in emailed feedback. “The brief model is that some variations of Home windows 10 with elective elements enabled was left in a weak state,” since March.
That is the second month in a row the place Microsoft has given directors a number of zero-days to deal with. In August, the corporate disclosed six of them — equal to the entire for the whole yr as much as that time.
Different Excessive-Precedence Bugs
Different bugs of word within the newest replace in response to safety researchers embrace CVE-2024-43461, a Home windows spoofing vulnerability; CVE-2024-38018, a Microsoft SharePoint Server RCE; and CVE-2024-38241 and CVE-2024-38242, two elevation-of-privilege vulnerabilities in Kernel Streaming Service Driver.
CVE-2024-43461 impacts all supported variations of Microsoft Home windows. It’s much like CVE-2024-38112, a zero-day bug that Microsoft patched in July after at the least two risk teams had been exploiting it for 18 months. Attackers might leverage the exploits for CVE-2024-38112 in assaults towards the brand new CVE-2024-43416, in response to Saeed Abbasi, supervisor of vulnerability analysis at Qualys. “There exists a excessive chance of exploitation, as this vulnerability allows attackers to spoof reputable net content material, resulting in unauthorized actions corresponding to phishing and knowledge theft,” Abbasi stated in emailed feedback.
Organizations have to prioritize patching the Microsoft SharePoint Server RCE vulnerability (CVE-2024-38018) as a result of no mitigations or workarounds can be found for it, stated Tom Bowyer, director IT safety of Automox, in emailed feedback. “The potential influence of this CVE is important, particularly given the business-critical nature SharePoint servers play in organizations that make the most of them,” and the benefit of exploitation.
Ben McCarthy, lead cybersecurity engineer at Immersive Labs, recognized the Kernel Streaming Service Driver flaws (CVE-2024-38241 and CE-2024-38242) as vital to deal with as a result of they’re current on the kernel stage and provides attackers a solution to bypass safety controls, escalate privileges, execute arbitrary code, and take over the entire system.
To date this yr, Microsoft has disclosed a complete of 745 vulnerabilities throughout its merchandise, in response to numbers maintained by Automox. Microsoft has recognized simply 33 of them as essential.