September Patch Tuesday addresses 79 CVEs – Sophos News

Microsoft on Tuesday launched 79 patches touching eleven product households. Seven of these points, affecting Azure, SharePoint, and Home windows, are thought of by Microsoft to be of important severity. At press time, three of the problems addressed are identified to be below exploit within the wild, with a fourth situation not itself below exploit, however intertwined with points which can be. (For particulars on this uncommon scenario, please see the “Notable September updates” part under.) Microsoft assesses that 11 CVEs, all in Home windows, are by the corporate’s estimation extra more likely to be exploited within the subsequent 30 days. Eight of this month’s points are amenable to detection by Sophos protections, and we embody info on these in a desk under.

Along with these patches, the discharge consists of advisory info on three CVEs addressed by patches from Adobe, affecting Reader and ColdFusion; one of many Reader vulnerabilities CVE-2024-41869) is a critical-severity use-after-free with a workable exploit already obtainable within the wild. We’re as at all times together with on the finish of this submit further appendices itemizing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product household.

By the numbers

• Whole CVEs: 79
• Whole Adobe advisories coated in replace: 3
• Publicly disclosed: 1
• Exploited detected: 4*
• Severity
  • Important: 7
  • Vital: 71
  • Average: 1
• Influence
  • Elevation of privilege: 30
  • Distant code execution: 23
  • Info disclosure: 11
  • Denial of service: 8
  • Safety characteristic bypass: 4
  • Spoofing: 3
• CVSS base rating 9.0 or larger: 2
• CVSS base rating 8.0 or larger: 24

* For info on why we rely CVE-2024-43491 as this month’s fourth exploited-detected CVE regardless of the CVE itself not being detected as below exploit, please see the “Notable September updates” part under.

Determine 1: This month’s critical-severity patches embody one for which exploitation has already been detected, and two extra for which exploitation is extra possible inside the subsequent 30 days

Product households

• Home windows: 47
• SQL Server: 13
• Azure: 6
• SharePoint: 5
• Workplace: 4
• 365: 2
• Dynamics 365: 2
• Microsoft AutoUpdate (MAU) for Mac: 1
• Outlook for iOS: 1
• Energy BI: 1
• Visio: 1

As is our customized for this record, CVEs that apply to multiple product household are counted as soon as for every household they have an effect on.

Determine 2: Although Home windows as standard leads the record of affected product households, a set of Native Scoring points in SQL Server contributed to that product taking 13 patches of its personal

Notable September updates

Along with the problems mentioned above, quite a lot of particular objects benefit consideration.

CVE-2024-38217 — Home windows Mark of the Net Safety Characteristic Bypass Vulnerability
CVE-2024-43492 — Home windows Mark of the Net Safety Characteristic Bypass Vulnerability

There are patches for 2 Mark of the Net vulnerabilities this month, and each are both at present below energetic exploit within the wild (CVE-2024-38217) or judged by Microsoft as extra more likely to be exploited inside the subsequent 30 days (CVE-2024-43492). The latter bug was discovered in-house at Microsoft and is taken into account to be of average severity. The previous, nevertheless, was disclosed responsibly by Elastic Safety’s Joe Desimone, who has posted in regards to the discovery and the reporting course of, and which can be of curiosity to those that comply with points round code-signing certificates. The bug impacts all variations of Home windows together with Win 11H24 and is of essential severity.

CVE-2024-38014 — Home windows Installer Elevation of Privilege Vulnerability

This situation is below energetic exploit within the wild. It impacts all variations of Home windows together with Win 11H24.

CVE-2024-43491 – Microsoft Home windows Replace Distant Code Execution Vulnerability

The excellent news is that this situation impacts solely sure operational elements of Home windows 10, model 1507 (first launched in July 2015); solely two variations of that construct, Home windows 10 Enterprise 2015 LTSB and Home windows 10 IoT Enterprise 2015 LTSB, are nonetheless below assist. The dangerous information, for these nonetheless operating both of these variations, is that critical-severity distant code execution situation, which carries a 9.8 CVE base rating, happens in… the Home windows Servicing Stack. It’s an enchanting situation for individuals who care about such issues — moderately than a coding error per se, Microsoft explains that the construct model numbers themselves “crossed into a spread that triggered a code defect within the Home windows 10 (model 1507) servicing stack that handles the applicability of Non-obligatory Parts. Consequently, any Non-obligatory Element that was serviced with updates launched since March 12, 2024 (KB5035858) was detected as “not relevant” by the servicing stack and was reverted to its RTM model.” If this situation is relevant to your property, it is strongly recommended that you just carefully learn and comply with the data Microsoft supplies in KB5043083, because the patch sequence one should comply with is exact. That web page additionally features a record of the particular elective elements affected, which can assist make clear your publicity.

[29 CVEs] — Home windows 11 24H2 patches

Despite the fact that Home windows 11 24H2 is just not but on the whole launch, simply over a 3rd of this month’s patches have an effect on that platform, together with two (CVE-2024-38014, CVE-2024-38217) for which exploitation has already been detected within the wild. Customers of the brand new Copilot+ PCs who don’t ingest their patches robotically ought to make sure to replace their units.

[0 CVEs] — .NET, Visible Studio, Edge / Chromium, non-iOS Outlook

A uncommon month of respite for .NET and Visible Studio, with no patches launched for these households. Nor are there any this time round associated to Edge, or to Outlook for platforms aside from Apple’s.

Determine 3: Regardless of the predominance of EoP points in current months, RCE continues to guide the pack as we attain the three-quarter mark for 2024.

Sophos protections

As you’ll be able to each month, for those who don’t wish to wait in your system to tug down Microsoft’s updates itself, you’ll be able to obtain them manually from the Home windows Replace Catalog web site. Run the winver.exe device to find out which construct of Home windows 10 or 11 you’re operating, then obtain the Cumulative Replace bundle in your particular system’s structure and construct quantity.

Appendix A: Vulnerability Influence and Severity

It is a record of September patches sorted by impression, then sub-sorted by severity. Every record is additional organized by CVE.

Elevation of Privilege (30 CVEs)

Distant Code Execution (23 CVEs)

Info Disclosure (11 CVEs)

Denial of Service (8 CVEs)

Safety Characteristic Bypass (4 CVEs)

Spoofing (3 CVEs)

Appendix B: Exploitability

It is a record of the September CVEs judged by Microsoft to be both below exploitation within the wild or extra more likely to be exploited within the wild inside the first 30 days post-release. The record is organized by CVE. Within the case of CVE-2024-43491, the problem itself is just not identified to be below energetic exploit, however sure of the problems fastened by the rejected servicing-stack updates are, so we’re selecting to incorporate it on this record. (Please see the “Notable September updates” part above for context.)

Appendix C: Merchandise Affected

It is a record of September’s patches sorted by product household, then sub-sorted by severity. Every record is additional organized by CVE. Patches which can be shared amongst a number of product households are listed a number of instances, as soon as for every product household.

Home windows (47 CVEs)

SQL Server (13 CVEs)

Azure (6 CVEs)

SharePoint (5 CVEs)

Workplace (4 CVE)

365 (2 CVE)

Dynamics 365 (2 CVE)

Microsoft AutoUpdate (MAU) for Mac (1 CVE)

Outlook for iOS (1 CVE)

PowerBI (1 CVE)

Visio (1 CVE)

Appendix D: Advisories and Different Merchandise

It is a record of advisories and knowledge on different related CVEs within the September launch, sorted by product.

Related to Adobe (non-Microsoft launch) (3 CVEs)