September 2024 Microsoft Patch Tuesday: Addressing 74 Vulnerabilities Including 4 Weaponised Threats
This month, Microsoft has delivered a substantial update, addressing 74 vulnerabilities. Notably, several of these vulnerabilities have been weaponized, with some carrying a critical CVSS score of 9.8. The update includes 4 critical patches, 69 important fixes, and one moderate update, covering products such as Windows, Windows Components, Office, Visual Studio, SQL Server and Windows Update.
Robert Brown, Head of Customer Success at Syxsense, underscores the need for strategic prioritization in vulnerability management. He draws attention to the presence of threats that could potentially serve as Jump Points, urging organizations to maintain heightened vigilance. With a combined CVSS score of 566.9 for August and an average score of 7.7, the critical nature of these vulnerabilities demands focused and careful remediation efforts.
Based on Vendor Severity and CVSS Scores, we recommend integrating the provided CVE numbers into your Patch Management solution. Once thorough testing is complete, deployment should proceed without delay.
1. CVE-2024-38217 – Windows Mark of the Web Security Feature Bypass Vulnerability
CVE-2024-38217 is a vulnerability in the Windows Mark of the Web (MOTW) security feature that allows an attacker to bypass critical security checks. By crafting a malicious file, an attacker can evade MOTW defences, compromising security measures like SmartScreen Application Reputation checks and the legacy Windows Attachment Services prompt. This bypass could result in a limited but impactful loss of integrity and availability of security features, potentially allowing malicious files to run without the usual warnings.
Syxscore:
- Vendor Severity: Important
- CVSS: 5.4
- Weaponised: Yes
- Public Awareness: Yes
- Countermeasure: No
Risk Factors:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope / Jump Point: Unchanged / No
CVE-2024-38217 represents a significant concern because it directly undermines the trust mechanisms in Windows that help prevent malicious files from being executed. The combination of low attack complexity and the need for user interaction makes it easier for attackers to exploit this vulnerability, especially through phishing or other social engineering tactics. Given that the vulnerability has been weaponized and publicly disclosed, organizations should prioritize educating users about the risks and consider temporary mitigations until a formal patch is applied.
2. CVE-2024-43491 – Microsoft Windows Update Remote Code Execution Vulnerability
CVE-2024-43491 is a critical vulnerability in the Microsoft Windows Servicing Stack that affects Windows 10, version 1507 (initially released in July 2015). This flaw has rolled back the fixes for certain vulnerabilities affecting Optional Components, thereby reopening previously mitigated security gaps on Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB systems. Notably, the only versions impacted are those that installed the Windows security update released on March 12, 2024, KB5035858 (OS Build 10240.20526), or other updates released up to August 2024. All later versions of Windows 10 remain unaffected.
This vulnerability allows an attacker to exploit these re-opened vulnerabilities, potentially leading to remote code execution on affected systems. Mitigation requires the September 2024 Servicing Stack Update (SSU KB5043936) followed by the September 2024 Windows security update (KB5043083).
Syxscore:
- Vendor Severity: Critical
- CVSS: 9.8
- Weaponised: Yes
- Public Awareness: No
- Countermeasure: No
Risk Factors:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope / Jump Point: Unchanged / No
CVE-2024-43491 poses a severe risk due to its critical nature and potential for exploitation, especially as it has been weaponized. The low attack complexity and lack of required privileges or user interaction make this vulnerability particularly dangerous, enabling attackers to execute remote code without significant barriers. Organizations still using Windows 10, version 1507, should urgently apply the September 2024 updates in the specified order to mitigate this threat. Failure to do so leaves systems vulnerable to remote code execution attacks, compromising security and potentially exposing sensitive data.
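The exposure window and the two-step fix described above can be checked per host with PowerShell. This is an added example, not code from the Syxsense post; it assumes it is run with administrative rights on the host being checked and that Get-HotFix reports the installed KB numbers.

```powershell
# Added example (not from the Syxsense post): determine whether a Windows 10, version 1507
# host falls in the CVE-2024-43491 exposure window and whether the September 2024
# Servicing Stack Update (KB5043936) and security update (KB5043083) are present.
# Assumption: run elevated; Get-HotFix is used as the source of installed KB IDs.

$Exposed1507Build = 10240    # Windows 10, version 1507 (Enterprise 2015 LTSB / IoT Enterprise 2015 LTSB)
$FirstAffectedUbr = 20526    # KB5035858, March 12 2024 (OS Build 10240.20526), per the advisory
$RequiredUpdates  = @('KB5043936', 'KB5043083')   # SSU first, then the security update

function Get-OsBuildInfo {
    # CurrentBuild and UBR together form the "10240.20526"-style OS build number.
    $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Build = [int]$nt.CurrentBuild
        Ubr   = [int]$nt.UBR
    }
}

function Test-Cve202443491Exposure {
    param([int]$Build, [int]$Ubr)
    # Only 1507 hosts that installed the March 2024 update or a later pre-September
    # update are affected; every other Windows 10 build is out of scope.
    return ($Build -eq $Exposed1507Build -and $Ubr -ge $FirstAffectedUbr)
}

function Get-MissingUpdates {
    param([string[]]$Required)
    # Caveat: Get-HotFix does not always list servicing stack updates. If only the SSU
    # shows as missing, confirm through Windows Update history before re-installing.
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    return @($Required | Where-Object { $installed -notcontains $_ })
}

$os = Get-OsBuildInfo
$buildLabel = "$($os.Build).$($os.Ubr)"

if (-not (Test-Cve202443491Exposure -Build $os.Build -Ubr $os.Ubr)) {
    Write-Output "OS build ${buildLabel}: not in the CVE-2024-43491 exposure window."
    return
}

$missing = Get-MissingUpdates -Required $RequiredUpdates
if ($missing.Count -eq 0) {
    Write-Output "OS build ${buildLabel}: both September 2024 updates are present."
} else {
    Write-Warning "OS build ${buildLabel} is in the exposure window; missing: $($missing -join ', ')"
    Write-Warning "Install KB5043936 (SSU) first, then KB5043083, in that order."
}
```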
3. CVE-2024-38014 – Windows Installer Elevation of Privilege Vulnerability
CVE-2024-38014 is an elevation of privilege vulnerability in Windows Installer. This vulnerability allows an attacker to gain SYSTEM privileges, which is one of the highest levels of access on a Windows system. SYSTEM privileges give attackers complete control over the affected device, including the ability to install programs, view, change, or delete data, and create new accounts with full user rights.
Exploitation of this vulnerability requires local access to the target system, but with a low attack complexity and minimal privileges required, it remains a serious risk, especially in environments where attackers could already have limited access to a system.
Syxscore:
- Vendor Severity: Important
- CVSS: 7.8
- Weaponised: Yes
- Public Awareness: No
- Countermeasure: No
Risk Factors:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope / Jump Point: Unchanged / No
CVE-2024-38014 is a significant threat due to its ability to escalate privileges to SYSTEM level, giving attackers unrestricted access to the targeted system. The vulnerability is already weaponized, increasing the urgency for organizations to prioritize its mitigation. Although it requires local access, the low complexity and low privilege requirements make it relatively easy to exploit once an attacker gains a foothold. Without any available countermeasures, immediate patching is crucial to protect systems from unauthorized access and potential compromise. Organizations should remain vigilant, ensure all endpoints are updated promptly, and restrict local access to trusted users only.
| Reference | Description | Additional Details | Severity | CVSS Score | Weaponised | Publicly Aware | Countermeasure | Impact | Exploitability Assessment |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-38217 | Windows Mark of the Web Security Feature Bypass Vulnerability | An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as SmartScreen Application Reputation security check and/or the legacy Windows Attachment Services security prompt. | Important | 5.4 | Yes | Yes | None | Security Feature Bypass | Exploitation Detected |
| CVE-2024-43491 | Microsoft Windows Update Remote Code Execution Vulnerability | Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015). This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024, KB5035858 (OS Build 10240.20526), or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability. This servicing stack vulnerability is addressed by installing the September 2024 Servicing stack update (SSU KB5043936) AND the September 2024 Windows security update (KB5043083), in that order. | Critical | 9.8 | Yes | No | None | Remote Code Execution | Exploitation Detected |
| CVE-2024-38014 | Windows Installer Elevation of Privilege Vulnerability | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Important | 7.8 | Yes | No | None | Elevation of Privilege | Exploitation Detected |
| CVE-2024-38226 | Microsoft Publisher Security Features Bypass Vulnerability | An attacker who successfully exploited this vulnerability could bypass Office macro policies used to block untrusted or malicious files. The Preview Pane is not an attack vector. | Important | 7.3 | Yes | No | None | Security Feature Bypass | Exploitation Detected |
| CVE-2024-38018 | Microsoft SharePoint Server Remote Code Execution Vulnerability | In a network-based attack, an authenticated attacker, who has a minimum of Site Member permissions (PR:L), could execute code remotely on the SharePoint Server. | Critical | 8.8 | No | No | None | Remote Code Execution | Exploitation More Likely |
| CVE-2024-26186 | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | | Important | 8.8 | No | No | None | Remote Code Execution | Exploitation Less Likely |
| CVE-2024-26191 | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | | Important | 8.8 | No | No | None | Remote Code Execution | Exploitation Less Likely |
| CVE-2024-37335 | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | | Important | 8.8 | No | No | None | Remote Code Execution | Exploitation Less Likely |
| CVE-2024-37338 | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | | Important | 8.8 | No | No | None | Remote Code Execution | Exploitation Less Likely |
| CVE-2024-37339 | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | | Important | 8.8 | No | No | None | Remote Code Execution | Exploitation Less Likely |
| CVE-2024-37340 | Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability | | Important | 8.8 | No | No | None | Remote Code Execution | Exploitation Less Likely |
| CVE-2024-37341 | Microsoft SQL Server Elevation of Privilege Vulnerability | An attacker who successfully exploited this vulnerability could gain administrator privileges. | Important | 8.8 | No | No | None | Elevation of Privilege | Exploitation Less Likely |
| CVE-2024-37965 | Microsoft SQL Server Elevation of Privilege Vulnerability | | Important | 8.8 | No | No | None | Elevation of Privilege | Exploitation Less Likely |
| CVE-2024-37980 | Microsoft SQL Server Elevation of Privilege Vulnerability | An attacker who successfully exploited this vulnerability could gain administrator privileges. | Important | 8.8 | No | No | None | Elevation of Privilege | Exploitation Less Likely |
| CVE-2024-38225 | Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability | An attacker who successfully exploited this vulnerability could gain administrator privileges. | Important | 8.8 | No | No | None | Elevation of Privilege | Exploitation Less Likely |
| CVE-2024-38259 | Microsoft Management Console Remote Code Execution Vulnerability | | Important | 8.8 | No | No | None | Remote Code Execution | Exploitation Less Likely |
| CVE-2024-38260 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | | Important | 8.8 | No | No | None | Remote Code Execution | Exploitation Less Likely |
| CVE-2024-43455 | Windows Remote Desktop Licensing Service Spoofing Vulnerability | To successfully exploit this vulnerability an attacker must send specially crafted requests to the Terminal Server Licensing Service, which must be running and accessible over the network. | Important | 8.8 | No | No | None | Spoofing | Exploitation Less Likely |
| CVE-2024-43461 | Windows MSHTML Platform Spoofing Vulnerability | | Important | 8.8 | No | No | None | Spoofing | Exploitation More Likely |
| CVE-2024-43479 | Microsoft Power Automate Desktop Remote Code Execution Vulnerability | Scope = Changed, Jump Point = True. An attacker who successfully exploited this vulnerability could remotely execute arbitrary Desktop Flows script in an active open Windows session of the target user. | Important | 8.5 | No | No | None | Remote Code Execution | Exploitation Less Likely |
| CVE-2024-21416 | Windows TCP/IP Remote Code Execution Vulnerability | | Important | 8.1 | No | No | None | Remote Code Execution | Exploitation Less Likely |
| CVE-2024-38045 | Windows TCP/IP Remote Code Execution Vulnerability | | Important | 8.1 | No | No | None | Remote Code Execution | Exploitation Less Likely |
| CVE-2024-38240 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | | Important | 8.1 | No | No | None | Elevation of Privilege | Exploitation Less Likely |
| CVE-2024-30073 | Windows Security Zone Mapping Security Feature Bypass Vulnerability | | Important | 7.8 | No | No | None | Security Feature Bypass | Exploitation Less Likely |
| CVE-2024-38046 | PowerShell Elevation of Privilege Vulnerability | An attacker who successfully exploited this vulnerability could elevate their user privileges from those of a restrained user to an unrestrained WDAC user. | Important | 7.8 | No | No | None | Elevation of Privilege | Exploitation Less Likely |
| CVE-2024-38237 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Important | 7.8 | No | No | None | Elevation of Privilege | Exploitation More Likely |
| CVE-2024-38238 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Important | 7.8 | No | No | None | Elevation of Privilege | Exploitation More Likely |
| CVE-2024-38241 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Important | 7.8 | No | No | None | Elevation of Privilege | Exploitation More Likely |
| CVE-2024-38242 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Important | 7.8 | No | No | None | Elevation of Privilege | Exploitation More Likely |
| CVE-2024-38243 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Important | 7.8 | No | No | None | Elevation of Privilege | Exploitation More Likely |
| CVE-2024-38244 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Important | 7.8 | No | No | None | Elevation of Privilege | Exploitation More Likely |
| CVE-2024-38245 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Important | 7.8 | No | No | None | Elevation of Privilege | Exploitation More Likely |
| CVE-2024-38247 | Windows Graphics Component Elevation of Privilege Vulnerability | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Important | 7.8 | No | No | None | Elevation of Privilege | Exploitation More Likely |
| CVE-2024-38249 | Windows Graphics Component Elevation of Privilege Vulnerability | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Important | 7.8 | No | No | None | Elevation of Privilege | Exploitation More Likely |
| CVE-2024-38250 | Windows Graphics Component Elevation of Privilege Vulnerability | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Important | 7.8 | No | No | None | Elevation of Privilege | Exploitation Less Likely |
| CVE-2024-38252 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Important | 7.8 | No | No | None | Elevation of Privilege | Exploitation More Likely |
| CVE-2024-38253 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Important | 7.8 | No | No | None | Elevation of Privilege | Exploitation More Likely |
| CVE-2024-43457 | Windows Setup and Deployment Elevation of Privilege Vulnerability | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Important | 7.8 | No | No | None | Elevation of Privilege | Exploitation More Likely |
| CVE-2024-43463 | Microsoft Office Visio Remote Code Execution Vulnerability | | Important | 7.8 | No | No | None | Remote Code Execution | Exploitation Less Likely |
| CVE-2024-43465 | Microsoft Excel Elevation of Privilege Vulnerability | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. The Preview Pane is not an attack vector. | Important | 7.8 | No | No | None | Elevation of Privilege | Exploitation Less Likely |
| CVE-2024-43492 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability | An attacker who successfully exploits this vulnerability could elevate their privileges to perform commands as Root in the target environment. | Important | 7.8 | No | No | None | Elevation of Privilege | Exploitation Less Likely |
| CVE-2024-43458 | Windows Networking Information Disclosure Vulnerability | Scope = Changed, Jump Point = True. Successful exploitation of this vulnerability could allow a Hyper-V guest to affect the functionality of the Hyper-V host. | Important | 7.7 | No | No | None | Information Disclosure | Exploitation Less Likely |
| CVE-2024-43474 | Microsoft SQL Server Information Disclosure Vulnerability | An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. | Important | 7.6 | No | No | None | Information Disclosure | Exploitation Less Likely |
| CVE-2024-43476 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Scope = Changed, Jump Point = True. The vulnerability is in the web server, but the malicious scripts execute in the victim's browser on their machine. | Important | 7.6 | No | No | None | Spoofing | Exploitation Less Likely |
| CVE-2024-38119 | Windows Network Address Translation (NAT) Remote Code Execution Vulnerability | | Critical | 7.5 | No | No | None | Remote Code Execution | Exploitation Less Likely |
| CVE-2024-38232 | Windows Networking Denial of Service Vulnerability | | Important | 7.5 | No | No | None | Denial of Service | Exploitation Less Likely |
| CVE-2024-38233 | Windows Networking Denial of Service Vulnerability | | Important | 7.5 | No | No | None | Denial of Service | Exploitation Less Likely |
| CVE-2024-38236 | DHCP Server Service Denial of Service Vulnerability | | Important | 7.5 | No | No | None | Denial of Service | Exploitation Less Likely |
| CVE-2024-38257 | Microsoft AllJoyn API Information Disclosure Vulnerability | | Important | 7.5 | No | No | None | Information Disclosure | Exploitation Less Likely |
| CVE-2024-38263 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | | Important | 7.5 | No | No | None | Remote Code Execution | Exploitation Less Likely |
| CVE-2024-43467 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | | Important | 7.5 | No | No | None | Remote Code Execution | Exploitation Less Likely |
| CVE-2024-43475 | Microsoft Windows Admin Center Information Disclosure Vulnerability | | Important | 7.3 | No | No | None | Information Disclosure | Exploitation Less Likely |
| CVE-2024-43495 | Windows libarchive Remote Code Execution Vulnerability | | Important | 7.3 | No | No | None | Remote Code Execution | Exploitation Less Likely |
| CVE-2024-43464 | Microsoft SharePoint Server Remote Code Execution Vulnerability | | Critical | 7.2 | No | No | None | Remote Code Execution | Exploitation More Likely |
| CVE-2024-38227 | Microsoft SharePoint Server Remote Code Execution Vulnerability | | Important | 7.2 | No | No | None | Remote Code Execution | Exploitation More Likely |
| CVE-2024-38228 | Microsoft SharePoint Server Remote Code Execution Vulnerability | | Important | 7.2 | No | No | None | Remote Code Execution | Exploitation More Likely |
| CVE-2024-38239 | Windows Kerberos Elevation of Privilege Vulnerability | An attacker who successfully exploited this vulnerability could gain domain administrator privileges. | Important | 7.2 | No | No | None | Elevation of Privilege | Exploitation Less Likely |
| CVE-2024-37337 | Microsoft SQL Server Native Scoring Information Disclosure Vulnerability | | Important | 7.1 | No | No | None | Information Disclosure | Exploitation Less Likely |
| CVE-2024-37342 | Microsoft SQL Server Native Scoring Information Disclosure Vulnerability | An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. | Important | 7.1 | No | No | None | Information Disclosure | Exploitation Less Likely |
| CVE-2024-37966 | Microsoft SQL Server Native Scoring Information Disclosure Vulnerability | An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. | Important | 7.1 | No | No | None | Information Disclosure | Exploitation Less Likely |
| CVE-2024-38188 | Azure Network Watcher VM Agent Elevation of Privilege Vulnerability | An attacker who successfully exploited this vulnerability could create, modify, or delete files in the security context of the NT AUTHORITY\SYSTEM account. | Important | 7.1 | No | No | None | Elevation of Privilege | Exploitation Less Likely |
| CVE-2024-43454 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | | Important | 7.1 | No | No | None | Remote Code Execution | Exploitation Less Likely |
| CVE-2024-38246 | Win32k Elevation of Privilege Vulnerability | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Important | 7.0 | No | No | None | Elevation of Privilege | Exploitation More Likely |
| CVE-2024-38248 | Windows Storage Elevation of Privilege Vulnerability | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Important | 7.0 | No | No | None | Elevation of Privilege | Exploitation Less Likely |
| CVE-2024-38230 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability | | Important | 6.5 | No | No | None | Denial of Service | Exploitation Less Likely |
| CVE-2024-38231 | Windows Remote Desktop Licensing Service Denial of Service Vulnerability | | Important | 6.5 | No | No | None | Remote Code Execution | Exploitation Less Likely |
| CVE-2024-38234 | Windows Networking Denial of Service Vulnerability | | Important | 6.5 | No | No | None | Denial of Service | Exploitation Less Likely |
| CVE-2024-38235 | Windows Hyper-V Denial of Service Vulnerability | Scope = Changed, Jump Point = True. Successful exploitation of this vulnerability could allow a Hyper-V guest to affect the functionality of the Hyper-V host. | Important | 6.5 | No | No | None | Denial of Service | Exploitation Less Likely |
| CVE-2024-38258 | Windows Remote Desktop Licensing Service Information Disclosure Vulnerability | The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information. | Important | 6.5 | No | No | None | Information Disclosure | Exploitation Less Likely |
| CVE-2024-43466 | Microsoft SharePoint Server Denial of Service Vulnerability | | Important | 6.5 | No | No | None | Denial of Service | Exploitation Less Likely |
| CVE-2024-43482 | Microsoft Outlook for iOS Information Disclosure Vulnerability | | Important | 6.5 | No | No | None | Information Disclosure | Exploitation Less Likely |
| CVE-2024-43487 | Windows Mark of the Web Security Feature Bypass Vulnerability | An attacker who successfully exploited this vulnerability could bypass the SmartScreen user experience. | Moderate | 6.5 | No | No | None | Security Feature Bypass | Exploitation More Likely |
| CVE-2024-38256 | Windows Kernel-Mode Driver Information Disclosure Vulnerability | An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. | Important | 5.6 | No | No | None | Information Disclosure | Exploitation Less Likely |
| CVE-2024-38254 | Windows Authentication Information Disclosure Vulnerability | An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. | Important | 5.5 | No | No | None | Information Disclosure | Exploitation Less Likely |
Do you need help keeping up with patches? Syxsense's automated patch management capabilities help enterprises patch faster and more accurately. Schedule a consultation with us to learn how we can help you.