Microsoft's September 2024 Patch Tuesday release addresses 79 vulnerabilities, four of which were already being exploited in the wild when the patches shipped. Two of the four are security feature bypass bugs that let an attacker slip past protections in Windows and Office that are supposed to stop malicious files delivered from the internet. Organizations are urged to prioritize remediation of all four because exploitation is already under way.
The other two zero-days are an elevation of privilege flaw in Windows Installer that yields SYSTEM privileges, and a Windows Update flaw that silently rolled back earlier fixes on certain versions of Windows 10, reintroducing previously patched vulnerabilities. The September update also fixes seven critical remote code execution (RCE) and elevation of privilege vulnerabilities. Microsoft rated 19 of the 79 as "Exploitation More Likely" on its Exploitability Index, a label driven by factors such as remote code execution impact, low attack complexity, no user interaction required, and wide deployment of the affected product.
The first security feature bypass, tracked as CVE-2024-38226, affects Microsoft Publisher. An attacker who can get a user to open a crafted Publisher file can bypass the Office macro policies that are meant to block untrusted or malicious files, so macros run that would otherwise have been blocked. The second, CVE-2024-38217, affects the Windows Mark of the Web (MotW) feature, the Zone.Identifier alternate data stream that Windows attaches to files downloaded from the internet. A file crafted to evade MotW sidesteps the SmartScreen Application Reputation check and the Windows Attachment Services security prompt, so the user gets no warning before it opens. Both bugs require the attacker to host the file on a server they control and convince the target to download and open it.
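The MotW tag CVE-2024-38217 evades is just an NTFS alternate data stream, so a practitioner can audit for files that arrived without it. The script below is an added example, not code from the article or from Microsoft: it scans a folder for file types Windows would normally warn about, reports whether each carries a Zone.Identifier stream and which zone it names, and offers a helper to re-tag untagged files. The folder path, the extension list, and the function names are illustrative choices.

```powershell
# Added example (not from the article): audit a folder for files lacking a
# Mark of the Web. MotW is the NTFS alternate data stream "Zone.Identifier";
# without it (or with a ZoneId below 3) the SmartScreen Application Reputation
# check and the Attachment Services prompt do not run when the file is opened,
# which is exactly the outcome a CVE-2024-38217 exploit produces.
# Assumptions: NTFS volume; $Path and $riskyExt are illustrative values.
param(
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
)

# File types Windows normally warns about when they carry MotW.
# .pub is listed because CVE-2024-38226 is delivered through a Publisher file.
$riskyExt = @('.exe', '.dll', '.msi', '.lnk', '.js', '.vbs', '.hta',
              '.ps1', '.bat', '.cmd', '.iso', '.zip', '.pub', '.docm', '.xlsm')

function Get-MotwZoneId {
    # Returns the ZoneId from the Zone.Identifier stream, or $null if absent.
    param([Parameter(Mandatory)][string]$File)
    try {
        # Stream body looks like: [ZoneTransfer]\r\nZoneId=3[\r\nReferrerUrl=...]
        $lines = Get-Content -LiteralPath $File -Stream Zone.Identifier -ErrorAction Stop
        foreach ($line in $lines) {
            if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
        }
        return $null   # stream present but malformed: treat as untagged
    } catch {
        return $null   # no Zone.Identifier stream at all
    }
}

function Set-MotwInternet {
    # Re-tag a file as Internet zone (ZoneId=3) so the normal checks apply again.
    param([Parameter(Mandatory)][string]$File)
    Set-Content -LiteralPath $File -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

$report = Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $riskyExt -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        $zone = Get-MotwZoneId -File $_.FullName
        # ZoneId 3 = Internet, 4 = Restricted sites; 0-2 are trusted zones and
        # do not trigger SmartScreen or the attachment prompt.
        if ($null -eq $zone)  { $status = 'NO MotW' }
        elseif ($zone -ge 3)  { $status = 'Tagged (Internet/Restricted)' }
        else                  { $status = 'Trusted zone' }
        [pscustomobject]@{ Status = $status; ZoneId = $zone; File = $_.FullName }
    }

$report | Sort-Object Status | Format-Table -AutoSize

# Optional remediation: re-tag untagged files so the checks fire on next open.
# $report | Where-Object Status -eq 'NO MotW' | ForEach-Object { Set-MotwInternet -File $_.File }
```

Files reported as "NO MotW" that were downloaded from a browser or mail client deserve a closer look: a missing tag on a recently downloaded archive, shortcut, or executable is the symptom a MotW bypass leaves behind. Note that files copied from FAT32 or exFAT media never carry the stream, so the audit is only meaningful for NTFS paths.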
The two other actively exploited bugs are CVE-2024-38014, an elevation of privilege vulnerability in Windows Installer that gives a local attacker SYSTEM privileges, and CVE-2024-43491, a critical (CVSS 9.8) remote code execution vulnerability in Windows Update. CVE-2024-43491 is unusual: on Windows 10 version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB), the servicing stack rolled back fixes for certain optional components, such as Internet Explorer 11, Windows Media Player and SMB 1.0/CIFS support, on systems that installed the March 2024 or later updates. Those components have therefore been exposed to previously patched vulnerabilities since March. Microsoft's remediation requires installing the September 2024 servicing stack update (KB5043936) and then the September 2024 Windows security update (KB5043083), in that order.
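Because CVE-2024-43491 only affects Windows 10 version 1507 and is fixed by a specific pair of updates, exposure can be checked per host. The script below is an added example, not from the article or from Microsoft: it reads the build and update build revision (UBR) from the registry, confirms whether the host is the affected build, checks for the two KB packages, and on exposed hosts lists the enabled optional components that the rollback left unpatched. The `$MinimumUbr` value is an assumption about the UBR reported after KB5043083 is installed and should be verified against the KB article; the function name is illustrative.

```powershell
# Added example (not from the article or from Microsoft): report whether this
# host is in scope for CVE-2024-43491 and whether the corrective updates are
# present. Only Windows 10 version 1507 (build 10240) is affected, and the fix
# is the September 2024 servicing stack update KB5043936 followed by the
# September 2024 security update KB5043083, installed in that order.
# Run elevated: Get-WindowsOptionalFeature needs administrative rights.

$SsuKb      = 'KB5043936'
$LcuKb      = 'KB5043083'
$MinimumUbr = 20766   # ASSUMPTION: UBR after KB5043083; confirm against the KB page

function Get-Cve43491Status {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    if ($build -ne 10240) {
        return [pscustomobject]@{
            Build   = "$build.$ubr"
            InScope = $false
            Status  = 'Not Windows 10 version 1507; CVE-2024-43491 does not apply'
        }
    }

    # Get-HotFix lists installed packages by KB id. Servicing stack updates
    # bundled with the cumulative update do not always appear here, so the
    # UBR is the primary signal and the KB lookup is corroboration.
    $installed = @((Get-HotFix -ErrorAction SilentlyContinue).HotFixID)
    $hasSsu = $installed -contains $SsuKb
    $hasLcu = $installed -contains $LcuKb

    if ($ubr -ge $MinimumUbr -or $hasLcu) {
        $status = 'Patched: September 2024 cumulative update present'
    } else {
        # The rollback only affected optional components, so enumerate the
        # enabled ones to make the exposure concrete for this host.
        $enabled = Get-WindowsOptionalFeature -Online -ErrorAction SilentlyContinue |
                   Where-Object State -eq 'Enabled' |
                   Select-Object -ExpandProperty FeatureName
        $status = "EXPOSED: install $SsuKb then $LcuKb. Enabled optional components: " +
                  ($enabled -join ', ')
    }

    [pscustomobject]@{
        Build     = "10240.$ubr"
        InScope   = $true
        SsuListed = $hasSsu
        LcuListed = $hasLcu
        Status    = $status
    }
}

Get-Cve43491Status | Format-List
```

The check deliberately treats the UBR as authoritative and `Get-HotFix` as secondary: a host can have the cumulative update applied without the KB appearing in the hotfix list, but it cannot report the post-update UBR without it. The optional-component listing is what turns "in scope" into an actionable finding, since a 1507 host with none of the affected components enabled was not actually left exposed by the rollback.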
Security researchers have also flagged other high-priority bugs in the September update, including CVE-2024-43461, a Windows MSHTML Platform spoofing vulnerability that Microsoft subsequently reclassified as exploited in the wild; CVE-2024-38018, a Microsoft SharePoint Server RCE; and CVE-2024-38241 and CVE-2024-38242, two elevation of privilege vulnerabilities in the Kernel Streaming Service Driver.
Of the 745 vulnerabilities Microsoft has disclosed so far this year, only 33 are rated critical. Severity ratings alone are a poor guide to urgency, though: this month's four exploited zero-days are a reminder that organizations should prioritize patching by exploitation status as well as by rating.
