CyberSecurity SEE

Windows MSHTML Zero-Day Vulnerability Exploited By Cyberattackers

In September 2024, Adobe released eight security updates to address 28 vulnerabilities across various products. One of the critical patches was for ColdFusion, targeting a code execution flaw with a CVSS rating of 9.8. This release also included patches for critical vulnerabilities in popular Adobe products such as Photoshop, Illustrator, Premiere Pro, After Effects, Audition, and Media Encoder.

The urgency of these updates was underscored by the potential for exploitation due to the critical nature of the vulnerabilities. Adobe made it clear that these updates should be deployed promptly to safeguard users and their systems from potential cyber threats.

On the other side, Microsoft also stepped up by releasing 79 new security patches for Windows and other Microsoft products in the same month. These patches included seven critical vulnerabilities, 71 important ones, and one moderate. What sets this month’s release apart is the active exploitation of many of these bugs, highlighting the critical importance of staying up-to-date with security patches.

One of the vulnerabilities discovered in Windows 10 systems, tagged as CVE-2024-43491, is particularly concerning. This vulnerability stems from a flaw in the Servicing Stack, enabling attackers to downgrade optional components and potentially execute malicious code. While not yet exploited in the wild, the vulnerability serves as a reminder of the crucial role security updates play in protecting systems.

Recent updates from Microsoft also addressed vulnerabilities in Microsoft Publisher and Windows, with issues such as CVE-2024-38226 and CVE-2024-38217 posing risks of code execution and ransomware exploitation. The severity of these vulnerabilities underlines the ongoing battle against cyber threats faced by both individual users and organizations.

The release also included patches for CVE-2024-38014, a vulnerability in Windows Installer that allows attackers to elevate their privileges without detection, and CVE-2024-43461, a spoofing vulnerability in the MSHTML platform exploited for code execution. With these vulnerabilities actively targeted in the wild, applying patches promptly is strongly recommended.

Microsoft’s critical patches extended beyond Windows to address vulnerabilities in key products like SharePoint, Azure Stack Hub, TCP/IP, Remote Desktop Licensing Service, SQL Server Native Scoring, Azure CycleCloud, and Power Automate Desktop. The vulnerabilities addressed in these products could result in code execution and privilege escalation, heightening the need for organizations to act swiftly in patching their systems.

According to ZDI, the September update specifically focused on mitigating risks associated with 30 Elevation of Privilege (EoP) bugs, two Security Feature Bypass (SFB) bugs, and 11 information disclosure bugs. Spoofing and denial-of-service (DoS) vulnerabilities were also addressed, with emphasis on safeguarding sensitive data and preventing potential security breaches.

The comprehensive nature of the September security updates underscores the ongoing battle against cyber threats and the critical role that timely patching plays in ensuring the security of systems and data. Organizations are strongly advised to stay vigilant and apply these patches promptly to mitigate the risks posed by these vulnerabilities.
