On September 10, 2024, Microsoft released its Patch Tuesday updates, addressing a significant number of security vulnerabilities across its platforms. This latest update includes patches for a total of 79 flaws, among which seven are classified as Critical, 71 as Important, and one as Moderate. Notably, this update also resolves 26 additional vulnerabilities in Microsoft’s Chromium-based Edge browser, which were identified since the previous month’s release.
Among the vulnerabilities addressed are three that are currently being actively exploited. These include CVE-2024-38014, a Windows Installer Elevation of Privilege vulnerability with a CVSS score of 7.8; CVE-2024-38217, a Mark-of-the-Web (MotW) Security Feature Bypass vulnerability scoring 5.4; and CVE-2024-38226, a Microsoft Publisher Security Feature Bypass with a CVSS score of 7.3. Each of these vulnerabilities presents a significant security risk, particularly as they can be exploited to bypass critical security features designed to protect users from malicious activities.
Additionally, the update addresses CVE-2024-43491, a high-severity Remote Code Execution vulnerability related to Windows Update. This flaw, which has a CVSS score of 9.8, is noteworthy due to its similarity to a downgrade attack detailed by cybersecurity firm SafeBreach. Microsoft has indicated that while this vulnerability has been flagged due to its rollback of previous fixes, there is currently no evidence of active exploitation.
Microsoft advises users to promptly install the September 2024 Servicing Stack Update (SSU KB5043936) and the Windows security update (KB5043083) to mitigate these vulnerabilities. The company has emphasized that although no public exploitation of CVE-2024-43491 has been detected, the update is crucial for maintaining system security and integrity against these identified threats.
Reference:
