Microsoft on Tuesday launched 79 patches touching eleven product households. Seven of these points, affecting Azure, SharePoint, and Home windows, are thought-about by Microsoft to be of crucial severity. At press time, three of the problems addressed are recognized to be beneath exploit within the wild, with a fourth difficulty not itself beneath exploit, however intertwined with points which might be. (For particulars on this uncommon scenario, please see the “Notable September updates” part beneath.) Microsoft assesses that 11 CVEs, all in Home windows, are by the corporate’s estimation extra more likely to be exploited within the subsequent 30 days. Eight of this month’s points are amenable to detection by Sophos protections, and we embody info on these in a desk beneath.
Along with these patches, the discharge consists of advisory info on three CVEs addressed by patches from Adobe, affecting Reader and ColdFusion; one of many Reader vulnerabilities CVE-2024-41869) is a critical-severity use-after-free with a workable exploit already accessible within the wild. We’re as all the time together with on the finish of this publish extra appendices itemizing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product household.
By the numbers
- Complete CVEs: 79
- Complete Adobe advisories coated in replace: 3
- Publicly disclosed: 1
- Exploited detected: 4*
- Severity
- Vital: 7
- Necessary: 71
- Reasonable: 1
- Affect
- Elevation of privilege: 30
- Distant code execution: 23
- Info disclosure: 11
- Denial of service: 8
- Safety function bypass: 4
- Spoofing: 3
- CVSS base rating 9.0 or better: 2
- CVSS base rating 8.0 or better: 24
* For info on why we depend CVE-2024-43491 as this month’s fourth exploited-detected CVE regardless of the CVE itself not being detected as beneath exploit, please see the “Notable September updates” part beneath.
Determine 1: This month’s critical-severity patches embody one for which exploitation has already been detected, and two extra for which exploitation is extra doubtless inside the subsequent 30 days
Product households
- Home windows: 47
- SQL Server: 13
- Azure: 6
- SharePoint: 5
- Workplace: 4
- 365: 2
- Dynamics 365: 2
- Microsoft AutoUpdate (MAU) for Mac: 1
- Outlook for iOS: 1
- Energy BI: 1
- Visio: 1
As is our customized for this listing, CVEs that apply to a couple of product household are counted as soon as for every household they have an effect on.
Determine 2: Although Home windows as traditional leads the listing of affected product households, a set of Native Scoring points in SQL Server contributed to that product taking 13 patches of its personal
Notable September updates
Along with the problems mentioned above, quite a few particular gadgets advantage consideration.
CVE-2024-38217 — Home windows Mark of the Internet Safety Characteristic Bypass Vulnerability
CVE-2024-43492 — Home windows Mark of the Internet Safety Characteristic Bypass Vulnerability
There are patches for 2 Mark of the Internet vulnerabilities this month, and each are both presently beneath lively exploit within the wild (CVE-2024-38217) or judged by Microsoft as extra more likely to be exploited inside the subsequent 30 days (CVE-2024-43492). The latter bug was discovered in-house at Microsoft and is taken into account to be of reasonable severity. The previous, nevertheless, was disclosed responsibly by Elastic Safety’s Joe Desimone, who has posted concerning the discovery and the reporting course of, and which can be of curiosity to those that observe points round code-signing certificates. The bug impacts all variations of Home windows together with Win 11H24 and is of vital severity.
CVE-2024-38014 — Home windows Installer Elevation of Privilege Vulnerability
This difficulty is beneath lively exploit within the wild. It impacts all variations of Home windows together with Win 11H24.
CVE-2024-43491 – Microsoft Home windows Replace Distant Code Execution Vulnerability
The excellent news is that this difficulty impacts solely sure operational parts of Home windows 10, model 1507 (first launched in July 2015); solely two variations of that construct, Home windows 10 Enterprise 2015 LTSB and Home windows 10 IoT Enterprise 2015 LTSB, are nonetheless beneath help. The dangerous information, for these nonetheless working both of these variations, is that critical-severity distant code execution difficulty, which carries a 9.8 CVE base rating, happens in… the Home windows Servicing Stack. It’s a captivating difficulty for individuals who care about such issues — quite than a coding error per se, Microsoft explains that the construct model numbers themselves “crossed into a variety that triggered a code defect within the Home windows 10 (model 1507) servicing stack that handles the applicability of Elective Parts. In consequence, any Elective Element that was serviced with updates launched since March 12, 2024 (KB5035858) was detected as “not relevant” by the servicing stack and was reverted to its RTM model.” If this difficulty is relevant to your property, it is strongly recommended that you simply intently learn and observe the data Microsoft supplies in KB5043083, because the patch sequence one should observe is exact. That web page additionally features a listing of the precise non-obligatory parts affected, which can assist make clear your publicity.
[29 CVEs] — Home windows 11 24H2 patches
Despite the fact that Home windows 11 24H2 just isn’t but typically launch, simply over a 3rd of this month’s patches have an effect on that platform, together with two (CVE-2024-38014, CVE-2024-38217) for which exploitation has already been detected within the wild. Customers of the brand new Copilot+ PCs who don’t ingest their patches routinely ought to be sure you replace their units.
[0 CVEs] — .NET, Visible Studio, Edge / Chromium, non-iOS Outlook
A uncommon month of respite for .NET and Visible Studio, with no patches launched for these households. Nor are there any this time round associated to Edge, or to Outlook for platforms apart from Apple’s.
Determine 3: Regardless of the predominance of EoP points in current months, RCE continues to guide the pack as we attain the three-quarter mark for 2024.
Sophos protections
| CVE | Sophos Intercept X/Endpoint IPS | Sophos XGS Firewall |
| CVE-2024-38237 | Exp/2438237-A | Exp/2438237-A |
| CVE-2024-38238 | Exp/2438238-A | Exp/2438238-A |
| CVE-2024-38241 | Exp/2438241-A | Exp/2438241-A |
| CVE-2024-38242 | Exp/2438242-A | Exp/2438242-A |
| CVE-2024-38243 | Exp/2438243-A | Exp/2438243-A |
| CVE-2024-38244 | Exp/2438244-A | Exp/2438244-A |
| CVE-2024-38245 | Exp/2438245-A | Exp/2438245-A |
| CVE-2024-43461 | SID:2310127 | SID:2310126 |
As you may each month, in the event you don’t need to wait on your system to tug down Microsoft’s updates itself, you may obtain them manually from the Home windows Replace Catalog web site. Run the winver.exe software to find out which construct of Home windows 10 or 11 you’re working, then obtain the Cumulative Replace package deal on your particular system’s structure and construct quantity.
Appendix A: Vulnerability Affect and Severity
This can be a listing of September patches sorted by influence, then sub-sorted by severity. Every listing is additional organized by CVE.
Elevation of Privilege (30 CVEs)
| Vital severity | |
| CVE-2024-38194 | Azure Internet Apps Elevation of Privilege Vulnerability |
| CVE-2024-38216 | Azure Stack Hub Elevation of Privilege Vulnerability |
| CVE-2024-38220 | Azure Stack Hub Elevation of Privilege Vulnerability |
| Necessary severity | |
| CVE-2024-37341 | Microsoft SQL Server Elevation of Privilege Vulnerability |
| CVE-2024-37965 | Microsoft SQL Server Elevation of Privilege Vulnerability |
| CVE-2024-37980 | Microsoft SQL Server Elevation of Privilege Vulnerability |
| CVE-2024-38014 | Home windows Installer Elevation of Privilege Vulnerability |
| CVE-2024-38046 | PowerShell Elevation of Privilege Vulnerability |
| CVE-2024-38188 | Azure Community Watcher VM Agent Elevation of Privilege Vulnerability |
| CVE-2024-38225 | Microsoft Dynamics 365 Enterprise Central Elevation of Privilege Vulnerability |
| CVE-2024-38237 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability |
| CVE-2024-38238 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| CVE-2024-38239 | Home windows Kerberos Elevation of Privilege Vulnerability |
| CVE-2024-38240 | Home windows Distant Entry Connection Supervisor Elevation of Privilege Vulnerability |
| CVE-2024-38241 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| CVE-2024-38242 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| CVE-2024-38243 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| CVE-2024-38244 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| CVE-2024-38245 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| CVE-2024-38246 | Win32k Elevation of Privilege Vulnerability |
| CVE-2024-38247 | Home windows Graphics Element Elevation of Privilege Vulnerability |
| CVE-2024-38248 | Home windows Storage Elevation of Privilege Vulnerability |
| CVE-2024-38249 | Home windows Graphics Element Elevation of Privilege Vulnerability |
| CVE-2024-38250 | Home windows Graphics Element Elevation of Privilege Vulnerability |
| CVE-2024-38252 | Home windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability |
| CVE-2024-38253 | Home windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability |
| CVE-2024-43457 | Home windows Setup and Deployment Elevation of Privilege Vulnerability |
| CVE-2024-43465 | Microsoft Excel Elevation of Privilege Vulnerability |
| CVE-2024-43470 | Azure Community Watcher VM Agent Elevation of Privilege Vulnerability |
| CVE-2024-43492 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability |
Distant Code Execution (23 CVEs)
| Vital severity | |
| CVE-2024-38018 | Microsoft SharePoint Server Distant Code Execution Vulnerability |
| CVE-2024-38119 | Home windows Community Handle Translation (NAT) Distant Code Execution Vulnerability |
| CVE-2024-43464 | Microsoft SharePoint Server Distant Code Execution Vulnerability |
| CVE-2024-43491 | Microsoft Home windows Replace Distant Code Execution Vulnerability |
| Necessary severity | |
| CVE-2024-21416 | Home windows TCP/IP Distant Code Execution Vulnerability |
| CVE-2024-26186 | Microsoft SQL Server Native Scoring Distant Code Execution Vulnerability |
| CVE-2024-26191 | Microsoft SQL Server Native Scoring Distant Code Execution Vulnerability |
| CVE-2024-37335 | Microsoft SQL Server Native Scoring Distant Code Execution Vulnerability |
| CVE-2024-37338 | Microsoft SQL Server Native Scoring Distant Code Execution Vulnerability |
| CVE-2024-37339 | Microsoft SQL Server Native Scoring Distant Code Execution Vulnerability |
| CVE-2024-37340 | Microsoft SQL Server Native Scoring Distant Code Execution Vulnerability |
| CVE-2024-38045 | Home windows TCP/IP Distant Code Execution Vulnerability |
| CVE-2024-38227 | Microsoft SharePoint Server Distant Code Execution Vulnerability |
| CVE-2024-38228 | Microsoft SharePoint Server Distant Code Execution Vulnerability |
| CVE-2024-38259 | Microsoft Administration Console Distant Code Execution Vulnerability |
| CVE-2024-38260 | Home windows Distant Desktop Licensing Service Distant Code Execution Vulnerability |
| CVE-2024-38263 | Home windows Distant Desktop Licensing Service Distant Code Execution Vulnerability |
| CVE-2024-43454 | Home windows Distant Desktop Licensing Service Distant Code Execution Vulnerability |
| CVE-2024-43463 | Microsoft Workplace Visio Distant Code Execution Vulnerability |
| CVE-2024-43467 | Home windows Distant Desktop Licensing Service Distant Code Execution Vulnerability |
| CVE-2024-43469 | Azure CycleCloud Distant Code Execution Vulnerability |
| CVE-2024-43479 | Microsoft Energy Automate Desktop Distant Code Execution Vulnerability |
| CVE-2024-43495 | Home windows libarchive Distant Code Execution Vulnerability |
Info Disclosure (11 CVEs)
| Necessary severity | |
| CVE-2024-37337 | Microsoft SQL Server Native Scoring Info Disclosure Vulnerability |
| CVE-2024-37342 | Microsoft SQL Server Native Scoring Info Disclosure Vulnerability |
| CVE-2024-37966 | Microsoft SQL Server Native Scoring Info Disclosure Vulnerability |
| CVE-2024-38254 | Home windows Authentication Info Disclosure Vulnerability |
| CVE-2024-38256 | Home windows Kernel-Mode Driver Info Disclosure Vulnerability |
| CVE-2024-38257 | Microsoft AllJoyn API Info Disclosure Vulnerability |
| CVE-2024-38258 | Home windows Distant Desktop Licensing Service Info Disclosure Vulnerability |
| CVE-2024-43458 | Home windows Networking Info Disclosure Vulnerability |
| CVE-2024-43474 | Microsoft SQL Server Info Disclosure Vulnerability |
| CVE-2024-43475 | Microsoft Home windows Admin Middle Info Disclosure Vulnerability |
| CVE-2024-43482 | Microsoft Outlook for iOS Info Disclosure Vulnerability |
Denial of Service (8 CVEs)
| Necessary severity | |
| CVE-2024-38230 | Home windows Requirements-Primarily based Storage Administration Service Denial of Service Vulnerability |
| CVE-2024-38231 | Home windows Distant Desktop Licensing Service Denial of Service Vulnerability |
| CVE-2024-38232 | Home windows Networking Denial of Service Vulnerability |
| CVE-2024-38233 | Home windows Networking Denial of Service Vulnerability |
| CVE-2024-38234 | Home windows Networking Denial of Service Vulnerability |
| CVE-2024-38235 | Home windows Hyper-V Denial of Service Vulnerability |
| CVE-2024-38236 | DHCP Server Service Denial of Service Vulnerability |
| CVE-2024-43466 | Microsoft SharePoint Server Denial of Service Vulnerability |
Safety Characteristic Bypass (4 CVEs)
| Necessary severity | |
| CVE-2024-30073 | Home windows Safety Zone Mapping Safety Characteristic Bypass Vulnerability |
| CVE-2024-38217 | Home windows Mark of the Internet Safety Characteristic Bypass Vulnerability |
| CVE-2024-38226 | Microsoft Writer Safety Options Bypass Vulnerability |
| Reasonable severity | |
| CVE-2024-43487 | Home windows Mark of the Internet Safety Characteristic Bypass Vulnerability |
Spoofing (3 CVEs)
| Necessary severity | |
| CVE-2024-43455 | Home windows Distant Desktop Licensing Service Spoofing Vulnerability |
| CVE-2024-43461 | Home windows MSHTML Platform Spoofing Vulnerability |
| CVE-2024-43476 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
Appendix B: Exploitability
This can be a listing of the September CVEs judged by Microsoft to be both beneath exploitation within the wild or extra more likely to be exploited within the wild inside the first 30 days post-release. The listing is organized by CVE. Within the case of CVE-2024-43491, the problem itself just isn’t recognized to be beneath lively exploit, however sure of the problems fastened by the rejected servicing-stack updates are, so we’re selecting to incorporate it on this listing. (Please see the “Notable September updates” part above for context.)
| Exploitation detected | |
| CVE-2024-38014 | Home windows Installer Elevation of Privilege Vulnerability |
| CVE-2024-38217 | Home windows Mark of the Internet Safety Characteristic Bypass Vulnerability |
| CVE-2024-38226 | Microsoft Writer Safety Options Bypass Vulnerability |
| CVE-2024-43491 | Microsoft Home windows Replace Distant Code Execution Vulnerability |
| Exploitation extra doubtless inside the subsequent 30 days | |
| CVE-2024-38018 | Microsoft SharePoint Server Distant Code Execution Vulnerability |
| CVE-2024-38227 | Microsoft SharePoint Server Distant Code Execution Vulnerability |
| CVE-2024-38228 | Microsoft SharePoint Server Distant Code Execution Vulnerability |
| CVE-2024-38237 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability |
| CVE-2024-38238 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| CVE-2024-38241 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| CVE-2024-38242 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| CVE-2024-38243 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| CVE-2024-38244 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| CVE-2024-38245 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| CVE-2024-38246 | Win32k Elevation of Privilege Vulnerability |
| CVE-2024-38247 | Home windows Graphics Element Elevation of Privilege Vulnerability |
| CVE-2024-38249 | Home windows Graphics Element Elevation of Privilege Vulnerability |
| CVE-2024-38252 | Home windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability |
| CVE-2024-38253 | Home windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability |
| CVE-2024-43457 | Home windows Setup and Deployment Elevation of Privilege Vulnerability |
| CVE-2024-43461 | Home windows MSHTML Platform Spoofing Vulnerability |
| CVE-2024-43464 | Microsoft SharePoint Server Distant Code Execution Vulnerability |
| CVE-2024-43487 | Home windows Mark of the Internet Safety Characteristic Bypass Vulnerability |
Appendix C: Merchandise Affected
This can be a listing of September’s patches sorted by product household, then sub-sorted by severity. Every listing is additional organized by CVE. Patches which might be shared amongst a number of product households are listed a number of occasions, as soon as for every product household.
Home windows (47 CVEs)
| Vital severity | |
| CVE-2024-38119 | Home windows Community Handle Translation (NAT) Distant Code Execution Vulnerability |
| CVE-2024-43491 | Microsoft Home windows Replace Distant Code Execution Vulnerability |
| Necessary severity | |
| CVE-2024-21416 | Home windows TCP/IP Distant Code Execution Vulnerability |
| CVE-2024-30073 | Home windows Safety Zone Mapping Safety Characteristic Bypass Vulnerability |
| CVE-2024-38014 | Home windows Installer Elevation of Privilege Vulnerability |
| CVE-2024-38045 | Home windows TCP/IP Distant Code Execution Vulnerability |
| CVE-2024-38046 | PowerShell Elevation of Privilege Vulnerability |
| CVE-2024-38217 | Home windows Mark of the Internet Safety Characteristic Bypass Vulnerability |
| CVE-2024-38230 | Home windows Requirements-Primarily based Storage Administration Service Denial of Service Vulnerability |
| CVE-2024-38231 | Home windows Distant Desktop Licensing Service Denial of Service Vulnerability |
| CVE-2024-38232 | Home windows Networking Denial of Service Vulnerability |
| CVE-2024-38233 | Home windows Networking Denial of Service Vulnerability |
| CVE-2024-38234 | Home windows Networking Denial of Service Vulnerability |
| CVE-2024-38235 | Home windows Hyper-V Denial of Service Vulnerability |
| CVE-2024-38236 | DHCP Server Service Denial of Service Vulnerability |
| CVE-2024-38237 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability |
| CVE-2024-38238 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| CVE-2024-38239 | Home windows Kerberos Elevation of Privilege Vulnerability |
| CVE-2024-38240 | Home windows Distant Entry Connection Supervisor Elevation of Privilege Vulnerability |
| CVE-2024-38241 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| CVE-2024-38242 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| CVE-2024-38243 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| CVE-2024-38244 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| CVE-2024-38245 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability |
| CVE-2024-38246 | Win32k Elevation of Privilege Vulnerability |
| CVE-2024-38247 | Home windows Graphics Element Elevation of Privilege Vulnerability |
| CVE-2024-38248 | Home windows Storage Elevation of Privilege Vulnerability |
| CVE-2024-38249 | Home windows Graphics Element Elevation of Privilege Vulnerability |
| CVE-2024-38252 | Home windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability |
| CVE-2024-38253 | Home windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability |
| CVE-2024-38254 | Home windows Authentication Info Disclosure Vulnerability |
| CVE-2024-38256 | Home windows Kernel-Mode Driver Info Disclosure Vulnerability |
| CVE-2024-38257 | Microsoft AllJoyn API Info Disclosure Vulnerability |
| CVE-2024-38258 | Home windows Distant Desktop Licensing Service Info Disclosure Vulnerability |
| CVE-2024-38259 | Microsoft Administration Console Distant Code Execution Vulnerability |
| CVE-2024-38260 | Home windows Distant Desktop Licensing Service Distant Code Execution Vulnerability |
| CVE-2024-38263 | Home windows Distant Desktop Licensing Service Distant Code Execution Vulnerability |
| CVE-2024-43454 | Home windows Distant Desktop Licensing Service Distant Code Execution Vulnerability |
| CVE-2024-43455 | Home windows Distant Desktop Licensing Service Spoofing Vulnerability |
| CVE-2024-43457 | Home windows Setup and Deployment Elevation of Privilege Vulnerability |
| CVE-2024-43458 | Home windows Networking Info Disclosure Vulnerability |
| CVE-2024-43461 | Home windows MSHTML Platform Spoofing Vulnerability |
| CVE-2024-43467 | Home windows Distant Desktop Licensing Service Distant Code Execution Vulnerability |
| CVE-2024-43475 | Microsoft Home windows Admin Middle Info Disclosure Vulnerability |
| CVE-2024-43495 | Home windows libarchive Distant Code Execution Vulnerability |
| Reasonable severity | |
| CVE-2024-43487 | Home windows Mark of the Internet Safety Characteristic Bypass Vulnerability |
SQL Server (13 CVEs)
| Necessary severity | |
| CVE-2024-26186 | Microsoft SQL Server Native Scoring Distant Code Execution Vulnerability |
| CVE-2024-26191 | Microsoft SQL Server Native Scoring Distant Code Execution Vulnerability |
| CVE-2024-37335 | Microsoft SQL Server Native Scoring Distant Code Execution Vulnerability |
| CVE-2024-37337 | Microsoft SQL Server Native Scoring Info Disclosure Vulnerability |
| CVE-2024-37338 | Microsoft SQL Server Native Scoring Distant Code Execution Vulnerability |
| CVE-2024-37339 | Microsoft SQL Server Native Scoring Distant Code Execution Vulnerability |
| CVE-2024-37340 | Microsoft SQL Server Native Scoring Distant Code Execution Vulnerability |
| CVE-2024-37341 | Microsoft SQL Server Elevation of Privilege Vulnerability |
| CVE-2024-37342 | Microsoft SQL Server Native Scoring Info Disclosure Vulnerability |
| CVE-2024-37965 | Microsoft SQL Server Elevation of Privilege Vulnerability |
| CVE-2024-37966 | Microsoft SQL Server Native Scoring Info Disclosure Vulnerability |
| CVE-2024-37980 | Microsoft SQL Server Elevation of Privilege Vulnerability |
| CVE-2024-43474 | Microsoft SQL Server Info Disclosure Vulnerability |
Azure (6 CVEs)
| Vital severity | |
| CVE-2024-38194 | Azure Internet Apps Elevation of Privilege Vulnerability |
| CVE-2024-38216 | Azure Stack Hub Elevation of Privilege Vulnerability |
| CVE-2024-38220 | Azure Stack Hub Elevation of Privilege Vulnerability |
| Necessary severity | |
| CVE-2024-38188 | Azure Community Watcher VM Agent Elevation of Privilege Vulnerability |
| CVE-2024-43469 | Azure CycleCloud Distant Code Execution Vulnerability |
| CVE-2024-43470 | Azure Community Watcher VM Agent Elevation of Privilege Vulnerability |
SharePoint (5 CVEs)
| Vital severity | |
| CVE-2024-38018 | Microsoft SharePoint Server Distant Code Execution Vulnerability |
| CVE-2024-43464 | Microsoft SharePoint Server Distant Code Execution Vulnerability |
| Necessary severity | |
| CVE-2024-38227 | Microsoft SharePoint Server Distant Code Execution Vulnerability |
| CVE-2024-38228 | Microsoft SharePoint Server Distant Code Execution Vulnerability |
| CVE-2024-43466 | Microsoft SharePoint Server Denial of Service Vulnerability |
Workplace (4 CVE)
| Necessary severity | |
| CVE-2024-38226 | Microsoft Writer Safety Options Bypass Vulnerability |
| CVE-2024-38250 | Home windows Graphics Element Elevation of Privilege Vulnerability |
| CVE-2024-43463 | Microsoft Workplace Visio Distant Code Execution Vulnerability |
| CVE-2024-43465 | Microsoft Excel Elevation of Privilege Vulnerability |
365 (2 CVE)
| Necessary severity | |
| CVE-2024-43463 | Microsoft Workplace Visio Distant Code Execution Vulnerability |
| CVE-2024-43465 | Microsoft Excel Elevation of Privilege Vulnerability |
Dynamics 365 (2 CVE)
| Necessary severity | |
| CVE-2024-38225 | Microsoft Dynamics 365 Enterprise Central Elevation of Privilege Vulnerability |
| CVE-2024-43476 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
Microsoft AutoUpdate (MAU) for Mac (1 CVE)
| Necessary severity | |
| CVE-2024-43492 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability |
Outlook for iOS (1 CVE)
| Necessary severity | |
| CVE-2024-43482 | Microsoft Outlook for iOS Info Disclosure Vulnerability |
PowerBI (1 CVE)
| Necessary severity | |
| CVE-2024-43479 | Microsoft Energy Automate Desktop Distant Code Execution Vulnerability |
Visio (1 CVE)
| Necessary severity | |
| CVE-2024-43463 | Microsoft Workplace Visio Distant Code Execution Vulnerability |
Appendix D: Advisories and Different Merchandise
This can be a listing of advisories and data on different related CVEs within the September launch, sorted by product.
Related to Adobe (non-Microsoft launch) (3 CVEs)
| CVE-2024-41869 | APSB24-70 | Use After Free (CWE-416) |
| CVE-2024-41874 | APSB24-71 | Deserialization of Untrusted Knowledge (CWE-502) |
| CVE-2024-39420 | APSB24-70 | Time-of-check Time-of-use (TOCTOU) Race Situation (CWE-367) |