Attackers are already actively exploiting 4 of the 79 vulnerabilities for which Microsoft issued a patch this week as a part of its month-to-month safety replace.
Two of the zero-day bugs give attackers a technique to bypass important safety protections in Home windows and due to this fact must be on the prime of any group’s precedence listing for remediation.
One of many remaining zero-days is an elevation of privilege flaw that permits entry to system-level privileges; the opposite is a bug that rolled again, or reintroduced, vulnerabilities in sure variations of Home windows 10 for which Microsoft had beforehand issued patches.
In whole, Microsoft’s September replace contained seven important distant code execution (RCE) and elevation of privilege vulnerabilities. The corporate assessed 19 of the CVEs in its newest updates as vulnerabilities that attackers usually tend to exploit as a result of they permit distant code execution, contain assaults which are low in complexity, require no person interplay, and exist in broadly deployed merchandise, in addition to different elements.
Safety Bypass Zero-Days
One of many safety bypass vulnerabilities, tracked as CVE-2024-38226, impacts Microsoft Writer. It permits an attacker with authenticated entry to a system to bypass Microsoft Workplace macros for blocking untrusted and malicious information. “An authenticated attacker may exploit the vulnerability by convincing a sufferer, by social engineering, to obtain and open a specifically crafted file from a web site which may result in an area assault on the sufferer pc,” Microsoft mentioned. The corporate gave the vulnerability a average CVSS severity rating of 6.8 of 10, presumably as a result of an attacker would want to persuade a person to open a malicious file to ensure that any exploit to work.
The opposite safety bypass zero-day bug in Microsoft’s September replace is CVE-2024-38217, within the Home windows Mark of the Internet (MoTW) characteristic that’s designed to guard customers towards doubtlessly dangerous information and content material downloaded from the Internet. The vulnerability permits an attacker to sneak malicious information previous MoTW defenses and trigger what Microsoft described as “restricted loss” of integrity and availability of software status checks and different security measures. Microsoft assigned CVE-2024-38217 a severity ranking of 5 as a result of to use it an attacker would want to persuade potential victims to go to an attacker-controlled web site after which obtain a malicious file from there.
“Exploitation of each CVE-2024-38226 and CVE-2024-38217 can result in the bypass of essential security measures that block Microsoft Workplace macros from working,” Satnam Narang, senior employees analysis engineer at Tenable, mentioned in an announcement. “In each instances, the goal must be satisfied to open a specifically crafted file from an attacker-controlled server. The place they differ is that an attacker would have to be authenticated to the system and have native entry to it to use CVE-2024-38226,” he mentioned.
RCE and Privilege Escalation Zero-Days
The 2 different bugs in Microsoft’s newest replace that attackers are already actively exploiting are CVE-2024-38014 and CVE-2024-43491. CVE-2024-38014 is an elevation of privilege vulnerability in Home windows Installer that attackers can use to realize system-level privileges. As with the opposite zero-days, Microsoft’s advisory supplied no particulars on the exploit exercise focusing on the bug or when it may need began. Regardless of the continued assaults focusing on CVE-2024-38014, Microsoft assessed the flaw as solely reasonably extreme (7.8 on 10 on the CVSS scale) as a result of an attacker would already must have compromised an affected system to use the vulnerability.
CVE-2024-43491, in the meantime, is a high-severity (CVSS rating 8.5) RCE in Microsoft Home windows Replace. The vulnerability rolls again fixes that Microsoft issued in March for sure variations of Home windows 10. In keeping with Microsoft, the vulnerability offers attackers a technique to exploit vulnerabilities that Microsoft beforehand mitigated in Home windows 10, model 1507, between March and August. “Clients want to put in each the servicing stack replace (KB5043936) AND safety replace (KB5043083), launched on September 10, 2024, to be absolutely protected against the vulnerabilities that this CVE rolled again,” Microsoft mentioned.
Kev Breen, senior director of menace analysis at Immersive Lab, advocated that directors pay shut consideration to Microsoft’s Official Notes for CVE-2024-43491. “There are plenty of caveats to this one,” Breen mentioned in emailed feedback. “The brief model is that some variations of Home windows 10 with non-obligatory elements enabled was left in a susceptible state,” since March.
That is the second month in a row the place Microsoft has given directors a number of zero-days to take care of. In August, the corporate disclosed six of them — equal to the whole for your entire 12 months as much as that time.
Different Excessive-Precedence Bugs
Different bugs of observe within the newest replace in keeping with safety researchers embody CVE-2024-43461, a Home windows spoofing vulnerability; CVE-2024-38018, a Microsoft SharePoint Server RCE; and CVE-2024-38241 and CVE-2024-38242, two elevation-of-privilege vulnerabilities in Kernel Streaming Service Driver.
CVE-2024-43461 impacts all supported variations of Microsoft Home windows. It’s much like CVE-2024-38112, a zero-day bug that Microsoft patched in July after at the very least two menace teams had been exploiting it for 18 months. Attackers may leverage the exploits for CVE-2024-38112 in assaults towards the brand new CVE-2024-43416, in keeping with Saeed Abbasi, supervisor of vulnerability analysis at Qualys. “There exists a excessive chance of exploitation, as this vulnerability allows attackers to spoof legit internet content material, resulting in unauthorized actions akin to phishing and information theft,” Abbasi mentioned in emailed feedback.
Organizations must prioritize patching the Microsoft SharePoint Server RCE vulnerability (CVE-2024-38018) as a result of no mitigations or workarounds can be found for it, mentioned Tom Bowyer, director IT safety of Automox, in emailed feedback. “The potential affect of this CVE is critical, particularly given the business-critical nature SharePoint servers play in organizations that make the most of them,” and the benefit of exploitation.
Ben McCarthy, lead cybersecurity engineer at Immersive Labs, recognized the Kernel Streaming Service Driver flaws (CVE-2024-38241 and CE-2024-38242) as essential to deal with as a result of they’re current on the kernel stage and provides attackers a technique to bypass safety controls, escalate privileges, execute arbitrary code, and take over the entire system.
To this point this 12 months, Microsoft has disclosed a complete of 745 vulnerabilities throughout its merchandise, in keeping with numbers maintained by Automox. Microsoft has recognized simply 33 of them as important.