Critical Windows vulnerabilities exploited: CISA urges users to update


Microsoft's September 2024 patch release fixes 79 flaws, at least four of which are exploited in the wild. One remote code execution vulnerability, rated 9.8 out of 10 in severity, enables a “total loss of confidentiality,” divulging resources to the attacker.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added four of these vulnerabilities to its Known Exploited Vulnerabilities catalog and gives government organizations three weeks to apply mitigations, with a deadline of October 1st.

“A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system,” CISA warns.


The vulnerability in the Servicing Stack, tracked as CVE-2024-4349, is concerning because it allows a remote, unprivileged attacker, with relative ease, to fully deny legitimate users access and to obtain restricted information on affected systems.

“The vulnerable system can be exploited without any interaction from any user,” a Microsoft advisory reads. “Functional exploit code is available. The code works in most situations where the vulnerability exists.”

Microsoft explains that an attacker could exploit previously mitigated vulnerabilities on systems that installed the Windows security update released on March 12th, 2024, because that update rolled back some earlier fixes.

However, the affected supported systems are limited to version 1507 of Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB. Version 1507 was initially released in July 2015.

Unpatched Microsoft Windows Installer contains another flaw, a privilege escalation vulnerability tracked as CVE-2024-38014, that could allow an attacker to gain SYSTEM privileges. To exploit it, an attacker would first need user privileges, which could be acquired by tricking a legitimate user into opening a malicious document.

CISA also included the Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability, which can result in a limited loss of integrity and availability of security features. MOTW is designed to protect users from potentially unsafe downloads from the internet.

“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as SmartScreen Application Reputation security check and/or the legacy Windows Attachment Services security prompt,” Microsoft said.

The fourth highlighted vulnerability is a security feature bypass in Microsoft Publisher, which allows attackers to circumvent the Office macro policies used to block untrusted or malicious files.


The full list of September 2024 Security Updates can be found here.

“CISA encourages users and administrators to review the following and apply necessary updates,” the alert reads.