Vulnerability Management, Patch/Configuration Management

Microsoft fixes at least four zero-days in September Patch Tuesday

Microsoft logo on the website homepage.

Microsoft patched 79 bugs for administrators to install this month.

The latest addition of the Patch Tuesday release includes fixes for at least four zero-day flaws actively under exploit in the wild. Seven of the flaws are rated critical, a designation usually reserved for remote code exploits. The remaining 72 are almost entirely "important," a rating designation usually reserved for things like security bypass flaws or code execution requiring local access.

“The size of this release tracks with the volume we saw from Redmond last month,” said Dustin Childs of the Trend Micro Zero Day Initiative, but again, it’s unusual to see such a high number of bugs under active attack.”

According to experts, the top priorities for administrators should include CVE-2024-43491, a system downgrade vulnerability in Windows Update similar to the one discussed at last month’s Black Hat conference.

Childs said his ZDI team has found itself at odds with Microsoft in their classification of the bug as to being under active exploit, something Microsoft has denied.

“It’s also interesting to note that while this particular bug isn’t being exploited in the wild, it allowed some of those Optional Components to be exploited,” Childs explained.

“The only good news here is that only a portion of Windows 10 systems are affected.”

Also catching the eye of experts was CVE-2024-38226, a flaw in Microsoft Publisher that is under active attack. What stands out about the bug is the relative obscurity of the components being targeted.

“I’m always amazed by the ingenuity of attackers, be they red teamers or threat actors,” mused Childs.

“Who would have thought to exploit macros in Microsoft Publisher? I had forgotten all about that program.”

Other patches that should be prioritized for testing and deployment include the fixes for CVE-2024-38217, a security bypass bug in Winds Mark of the Web, CVE-2024-38014, an elevation of privilege bug in Windows Installer, and CVE-2024-43461 a spoofing flaw in Windows MSHTML. All are said to be under active attack in the wild.

While those zero-day flaws should raise the loudest alarms, admins should not sleep on any of the 70-plus remaining vulnerabilities addressed in the release. Hackers commonly refer to the day after Patch Tuesday as “Exploit Wednesday” due to number of new exploit code that gets released for the previously unknown vulnerabilities.

Adobe followed Microsoft with its own round of updates, though fortunately none of the vulnerabilities listed are thought to be under active attack. That update addresses a total of 28 new CVE entries, 10 of which are considered to be critical flaws.

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds