Microsoft Releases Nearly 80 Patches, Including 1 'Critical' Zero-Day
Microsoft's latest security patch update addresses 79 vulnerabilities, including four that are already being actively exploited in the wild.
One of these four zero-day exploits, CVE-2024-43491 -- a Windows Update remote code execution flaw targeting a nearly 10-year-old version of Windows -- is rated "critical." Per Microsoft's advisory, Windows 10 version 1507, which was first released in 2015 and is now unsupported, is susceptible to "a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components." It continued:
This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024 -- KB5035858 (OS Build 10240.20526) or other updates released until August 2024.
The other three zero-day fixes are rated "important." They are:
- CVE-2024-38226, a feature bypass vulnerability that can override Office macro settings meant to disarm harmful files.
- CVE-2024-38217, a feature bypass vulnerability that can fool a user into downloading a malicious server file, enabling an attacker to bypass the Mark of the Web identifier, which Microsoft uses to flag potentially unsecure files.
- CVE-2024-38014, an elevation-of-privilege vulnerability affecting Windows Installer that could grant an attacker system access.
Dustin Childs of the Zero Day Initiative blog identified a fifth vulnerability, CVE-2024-43461, that he says is "under active attack." Rated "important" by Microsoft, this flaw is a spoofing vulnerability that affects all supported versions of Windows via the Internet Explorer MSHTML platform. Microsoft had initially patched this flaw in July's security update, wrote Childs, but "threat actors quickly bypassed" that fix, leaving the vulnerability open to attack. However, Microsoft's official advisory says it is not currently being exploited.
"We're not sure why they don't list it as being under active attack, but you should treat it as though it were," Childs said.
Also of note are six other vulnerabilities labeled "critical." They are as follows:
Microsoft's full September security bulletin can be accessed here.