Microsoft Corp. released updates today to address a total of 79 security vulnerabilities in its Windows operating systems and related software. Among these vulnerabilities are several flaws that have been actively exploited in attacks. The company also fixed a critical bug that left some Windows 10 PCs at risk of being unpatched against known vulnerabilities for several months earlier this year.
One of the most notable security weaknesses disclosed by Microsoft today is known as CVE-2024-43491. This vulnerability caused fixes for certain vulnerabilities affecting optional components to be rolled back on specific Windows 10 systems manufactured in 2015. Users of Windows 10 systems that installed the monthly security update released in March 2024, or subsequent updates through August 2024, were affected by this issue.
According to Satnam Narang, a senior staff research engineer at Tenable, the label “exploitation detected” attached to CVE-2024-43491 does not necessarily indicate that cybercriminals are actively exploiting the vulnerability but rather that the fixes were rolled back, reintroducing previously exploited vulnerabilities. To address this issue, users are advised to apply both the September 2024 Servicing Stack Update and the September 2024 Windows Security Updates.
Kev Breen, senior director of threat research at Immersive Labs, explained that the root cause of CVE-2024-43491 was the mishandling of build version numbers in the update service code on specific versions of Windows 10. As a result, some Windows 10 systems with optional components enabled were left vulnerable due to a code defect triggered by crossed build version numbers.
Two zero-day vulnerabilities were also addressed in the updates. CVE-2024-38226, affecting Microsoft Publisher, and CVE-2024-38217, a Mark of the Web bypass affecting Office, both require the target to open a malicious Office file. Rapid7 noted that exploit code for CVE-2024-38217 is publicly available, increasing the risk of exploitation.
Additionally, Microsoft mentioned CVE-2024-38014, an “elevation of privilege” bug in the Windows Installer, as being actively exploited. This bug allows attackers to gain elevated privileges on affected systems.
In a previous Microsoft Patch Tuesday release titled “Recall Edition,” Microsoft faced criticism over the Recall feature in its Copilot+ PCs, which captures screenshots of user activity. Despite initially suggesting Recall would be optional, Microsoft later clarified that the ability to disable Recall in the preview version of Copilot+ was a bug and would not be available to Windows customers moving forward.
Adobe also released security updates for various products, including Reader, Acrobat, After Effects, Premiere Pro, Illustrator, ColdFusion, Adobe Audition, and Photoshop, addressing vulnerabilities in these software applications.
For a detailed breakdown of the patches released by Microsoft, users can refer to the SANS Internet Storm Center’s list. Additionally, administrators managing multiple systems should keep an eye on AskWoody.com for information on any problematic Windows patches.
If users encounter any issues while applying the latest patches, they are encouraged to share their experiences in the comments section. This comprehensive update from Microsoft underscores the ongoing importance of regularly patching systems to safeguard against potential security threats.
