Patch Tuesday: Microsoft fixes "concerning" RCE that rolls back earlier mitigations

Remote code execution bug is confusingly described as having been exploited in the wild, even though it is not believed to have left Microsoft's lab.

Microsoft issued security updates for 79 vulnerabilities on Patch Tuesday, including four that have been exploited in the wild and one that has been publicly disclosed.

A total of seven critical flaws have been patched, all of which were remote code execution and elevation of privilege bugs.

Adam Barnett, Lead Software Engineer at Rapid7 told us a pre-auth RCE vulnerability tracked as CVE-2024-43491 with a 9.8 CVSS score is "the most concerning of today’s exploited-in-the-wild vulnerabilities."

It is a bug in the Windows servicing stack that rolls back fixes for earlier vulnerabilities affecting Optional Components on Windows 10, version 1507 (the initial Windows 10 release, July 2015).

Microsoft's Windows product team discovered CVE-2024-43491 and has "seen no evidence that it is publicly known" - even though it's been classified as having been exploited in the wild (more on this later).

"Things aren’t quite as bad as they seem: the key takeaway here is that only Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) is affected," Barnett added.

"All in all, while there are certainly more than a few organisations out there still running Windows 10 1507, most admins can breathe a sigh of relief on this one, and then go back to worrying about everything else."

Has CVE-2024-43491 been exploited in the wild?

Satnam Narang, senior staff research engineer at Tenable, explained the unusual classification of this CVE.

"It is labelled as 'Exploitation Detected' which implies that it was exploited in the wild," Narang said. "However, it appears to be labelled this way because the rollback of fixes reintroduced vulnerabilities in the Optional Components that were previously known to be exploited.

"To correct this issue, users need to apply both the September 2024 Servicing Stack Update and the September 2024 Windows Security Updates."

Microsoft also patched two zero-day vulnerabilities, both exploited in the wild, that bypass security features in Microsoft Office and in Windows Mark of the Web (MOTW, the flag Windows attaches to files downloaded from the internet so that Office, SmartScreen and other components treat them as untrusted).

"Given the prevalence of Microsoft Office and Windows Mark of the Web, these vulnerabilities should be at the top of the remediation list," Narang added.

The first is CVE-2024-38226 (CVSS score 7.3), a Microsoft Publisher Security Feature Bypass Vulnerability, which impacts the Publisher application that is also included in some versions of Microsoft Office and is due to be discontinued in 2026.

"An attacker who successfully exploited this vulnerability could bypass Office macro policies used to block untrusted or malicious files," Microsoft wrote. "The attack itself is carried out locally by a user with authentication to the targeted system.

"An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer."


CVE-2024-38217 (CVSS 5.4) is a Windows Mark of the Web Security Feature Bypass Vulnerability. MOTW is the mechanism that flags, and in some cases blocks, content from files downloaded from the internet; a bypass lets a downloaded file arrive without that flag.

Saeed Abbasi, Manager of Vulnerability Research at Qualys Threat Research Unit, said: "This vulnerability allows an attacker to manipulate the security warnings that typically inform users about the risks of opening files from unknown or untrusted sources.

"Similar MoTW bypasses have historically been linked to ransomware attacks, where the stakes are high. Given the exploit's public disclosure and confirmed exploitation, it is a prime vector for cybercriminals to infiltrate corporate networks.

"Enterprises must prioritise patch management and educate users on the risks of downloading files from untrusted sources to mitigate the exploitation of such vulnerabilities."
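On NTFS the Mark of the Web is nothing more than a small INI-style text held in the file's Zone.Identifier alternate data stream, so the practical check after a bypass of this kind is whether downloaded files still carry a ZoneId of 3 (Internet) or 4 (Restricted sites). The following is an added example, not code from the article or from Microsoft: it parses that stream format, reads it from disk on Windows, and lists files whose mark is absent or below the Internet zone. The sample stream contents at the bottom are constructed, not real captures, and `example.invalid` is a placeholder host.

```python
# Added example (not from the article or from Microsoft): inspect the Mark of the Web
# that Windows stores on downloaded files and flag files that lack it.
#
# On NTFS the MOTW is the "Zone.Identifier" alternate data stream, INI-style text such as:
#     [ZoneTransfer]
#     ZoneId=3
#     ReferrerUrl=https://example.invalid/
#     HostUrl=https://example.invalid/report.docx
# ZoneId 3 (Internet) or 4 (Restricted sites) is what makes Office open the file in
# Protected View and makes SmartScreen warn. No stream, no ZoneId, or a ZoneId below 3
# gets none of that, which is exactly the state a MOTW bypass leaves behind.
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# URLMON security zone numbers as written into the ZoneId field.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
              3: "Internet", 4: "RestrictedSites"}


@dataclass(frozen=True)
class Motw:
    zone_id: int
    referrer_url: str = ""
    host_url: str = ""

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown({self.zone_id})")

    @property
    def is_untrusted(self) -> bool:
        """True for the zones that trigger Protected View / SmartScreen."""
        return self.zone_id >= 3


def parse_zone_identifier(text: str) -> Optional[Motw]:
    """Parse Zone.Identifier stream contents; None when there is no usable ZoneId."""
    fields: Dict[str, str] = {}
    in_zone_transfer = False
    for raw in text.lstrip("\ufeff").splitlines():  # tolerate a UTF-8 BOM and CRLF
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_zone_transfer = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_zone_transfer and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    zone = fields.get("zoneid", "")
    if not zone.isdigit():
        return None
    return Motw(int(zone), fields.get("referrerurl", ""), fields.get("hosturl", ""))


def read_motw(path: Path) -> Optional[Motw]:
    """Read the stream from disk. Only NTFS exposes 'file:Zone.Identifier'; elsewhere -> None."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:  # no such stream, non-NTFS volume, or not Windows
        return None


def find_unmarked(marks: Dict[str, Optional[Motw]]) -> List[str]:
    """Names of files whose MOTW is missing or below the Internet zone, sorted."""
    return sorted(name for name, motw in marks.items()
                  if motw is None or not motw.is_untrusted)


def audit_directory(directory: Path) -> List[str]:
    """Live variant for a Windows download folder (returns everything on non-NTFS systems)."""
    return find_unmarked({entry.name: read_motw(entry)
                          for entry in directory.iterdir() if entry.is_file()})


# Constructed sample data (not real captures): what five downloads might look like.
SAMPLE_STREAMS: Dict[str, Optional[str]] = {
    "quarterly.docx": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\n",
    "invoice.pub": "\ufeff[ZoneTransfer]\r\nZoneId=4\r\nHostUrl=https://example.invalid/invoice.pub\r\n",
    "tool.exe": None,                                  # no stream: MOTW never applied or stripped
    "setup.msi": "[ZoneTransfer]\r\nZoneId=1\r\n",     # marked as intranet: no warnings either
    "notes.txt": "[ZoneTransfer]\r\nAppZoneId=4\r\n",  # section present but no ZoneId field
}


def sample_unmarked() -> List[str]:
    """Run the audit over the constructed samples."""
    return find_unmarked({name: parse_zone_identifier(text) if text is not None else None
                          for name, text in SAMPLE_STREAMS.items()})


if __name__ == "__main__":
    for name in sample_unmarked():
        print(f"no Internet-zone MOTW: {name}")
```

Run against a real Downloads folder, `audit_directory` is the useful call; on a Windows host every file it lists either arrived through a channel that never set the mark (a bypass, an archive extractor that does not propagate it, a USB stick) or had the mark removed, and each of those deserves a look before the file is opened.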

Returning to CVE-2024-38226, the Microsoft Publisher Security Feature Bypass Vulnerability: it affects Microsoft Office 2019 and 2021 as well as Publisher 2016. Microsoft rates it Important, with a CVSS v3.1 score of 7.3.

"An attacker could exploit this vulnerability to bypass Office macro policies used to block untrusted or malicious files," explained Chris Goettl, Vice President of Security Product Management at Ivanti.
