Today, we get four vulnerabilities that have seen active exploitation, one of which has also been publicly disclosed. These are the vulnerabilities that admins should focus on patching this week. They include an elevation of privilege in the Windows Installer (CVE-2024-38014), a security feature bypass in the Windows Mark of the Web (CVE-2024-38217), a security feature bypass in Microsoft Publisher (CVE-2024-38226), and a code execution vulnerability in Microsoft Windows Update (CVE-2024-43491).
What I found most interesting is that only one of these vulnerabilities has a high CVSS score (9.8) and was rated critical by Microsoft, CVE-2024-43491. The high score combined with the indication that exploitation had been detected would be enough for me to typically recommend putting this at the top of the list of patches to install. This vulnerability, however, is a bit more nuanced once you read the FAQ. Microsoft indicates that they are not aware of any evidence that the vulnerability is publicly known. They also indicate that there’s no evidence that the vulnerability itself has been exploited. In fact, the vulnerability only impacts Windows 10 Enterprise 2015 LTSB and only when one or more of a series of optional components are installed. This is one where organizations really need to pay attention to the details to determine if they are impacted and, if they are, they’ll need to pay close attention to the special patching instructions related to this update – the servicing stack update and the security update need to both be installed. It is also critical that the servicing stack update be installed before the Microsoft security update.
One thing that stood out to me is that, other than the Windows Update vulnerability, there’s only one other vulnerability with a CVSS score in the 9.x range: CVE-2024-38220, an elevation of privilege vulnerability in Azure Stack Hub. While Microsoft has rated this as ‘Exploitation Less Likely’, the nature of the vulnerability caught my attention, which is why the FAQs are so valuable in Microsoft’s update guidance. The attacker must be authenticated, and the victim must initiate a connection, but once that is accomplished, the attacker could potentially interact with other tenants. Given that the update time for this fix is essentially measured in days instead of minutes or hours, let’s hope that everyone takes the time to update, even if Microsoft doesn’t feel exploitation is all that likely.
It is worth mentioning the plethora of SQL Server updates available this month. With 13 of this month’s 79 CVEs applying to SQL Server, over 15% of the vulnerabilities this month are resolved by applying these updates. It is important to note that the updates are not uniform across the 13 CVEs, so don’t simply look at one CVE and assume that you are safe. Additionally, Microsoft notes that if you develop your own applications, it is important to update them to use version 18 or 19 of the OLE DB Driver.