Initiatives for
As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
WARNING: MICROSOFT PATCH TUESDAY SEPTEMBER 2024 PATCHES 79 VULNERABILITIES (INCLUDING 4 ZERO-DAYS AND 7 CRITICAL); PATCH IMMEDIATELY!
Image
Published : 12/09/2024
Reference:
Advisory #2024-220
Version:
1.1
Affected software:
For a detailed overview of affected products & technologies, please consult https://msrc.microsoft.com/update-guide/releaseNote/2024-sep
Type:
Several types, varying from Information Disclosure to Remote Code Execution and Privilege Escalation.
CVE/CVSS:
Microsoft addressed 79 vulnerabilities in its September 2024 Patch Tuesday update, with 7 classified as critical, 71 as important, and 1 as moderate. The update also included fixes for 4 actively exploited zero-day vulnerabilities.Number of CVEs by type:
- 23 Remote Code Execution vulnerabilities
- 30 Elevation of Privilege vulnerabilities
- 11 Information Disclosure vulnerabilities
- 3 Spoofing vulnerability
- 8 Denial of Service vulnerabilities
- 4 Security Feature Bypass vulnerabilities
Sources
https://msrc.microsoft.com/update-guide/releaseNote/2024-sep
Risks
Microsoft has released multiple patches for vulnerabilities covering a range of their products. These monthly releases are called "Patch Tuesday" and contain security fixes for Microsoft devices and software.
Microsoft's September 2024 Patch Tuesday includes 79 vulnerabilities (7 critical, 71 important, 1 moderate and 0 low) for a wide range of Microsoft products, impacting Microsoft Servers and Workstations. This Patch Tuesday release includes 4 zero-day vulnerabilities for which Microsoft has detected active exploitation. Immediate patching is strongly recommended, as several other vulnerabilities will likely be exploited soon.
Description
CVE-2024-43491: Windows Installer (Critical)
Remote Code Execution Vulnerability. A critical vulnerability with a score of 9.8 in the Microsoft Servicing Stack has undone fixes for previously mitigated issues on Optional Components on Windows 10 version 1507. An attacker could exploit these previously mitigated vulnerabilities. It enables them to perform remote code execution without user interaction, potentially leading to complete system compromise
Only Windows 10 (version 1507) (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) with some Optional Components enabled are vulnerable. All other versions of Windows 10 released since November 2015 are not affected.
Microsoft's security team discovered this vulnerability and claims to have no evidence that it is publicly known.
Resolve This servicing stack vulnerability by installing the September 2024 Servicing Stack Update (SSU KB5043936) and the September 2024 Windows Security Update (KB5043083) in that specific order.
CVE-2024-38226: Microsoft Publisher (High)
Security Feature Bypass Vulnerability. An attacker exploiting this vulnerability could bypass Office macro policies that block untrusted or malicious files. Through social engineering, an attacker could trick a victim into downloading and opening a specially crafted file, triggering a local attack.
If successful, this vulnerability would allow an attacker to bypass security measures in Microsoft Publisher, potentially gaining unauthorized access to sensitive data, altering information, or disrupting system availability. Due to the high impact, this could result in a significant security breach.
CVE-2024-38217: Windows Mark of the Web (Medium)
Security Feature Bypass Vulnerability. The vulnerability enables attackers to bypass the Mark of the Web (MOTW) protections, a security feature that flags files from the internet for additional checks. By evading these checks, attackers can run malicious code on the victim's system with little resistance, increasing the risk of social engineering attacks as users may mistakenly trust harmful files.
According to some reports, active exploitation of CVE-2024-38217 has occurred since 2018. Regardless, the MOTW security feature has been bypassed repeatedly over the years, making it a prime target for threat actors in phishing attacks. The CCB recommends prompt patching.
CVE-2024-38014: Windows Installer (High)
Elevation of Privilege Vulnerability. An attacker with low privileges could exploit this vulnerability without user interaction. Due to the critical role of Windows Installer, this could affect almost any organization. Successful exploitation grants system-level privileges, enabling complete control over the system, including installing software, altering files, and turning off security. The severity lies in potential confidentiality, integrity, and availability breaches, allowing unauthorized access to sensitive data and disruption of system operations. Microsoft noted active exploitation of this vulnerability, further increasing the urgency for remediation due to the significant risk it poses to affected systems.
CVE-2024-38018: Microsoft Office SharePoint (Critical)
Remote code execution Vulnerability. Successful exploitation could enable an attacker to run arbitrary code on the targeted SharePoint Server using the compromised user's privileges. Resulting in unauthorized access to sensitive data, alteration of information, and potential service disruption.
CVE-2024-43464: Microsoft Office SharePoint (Critical)
Remote code execution Vulnerability. This vulnerability allows an authenticated attacker with Site Owner permissions to execute arbitrary code on a SharePoint Server. The attacker can trigger deserialization of the file's parameters by uploading a specially crafted file and making tailored API requests, leading to remote code execution.
CVE-2024-43461: MSHTML (High)
Spoofing Vulnerability. The Windows MSHTML Platform Spoofing Vulnerability could lead to unauthorized access to sensitive data, modification or deletion, and system disruptions. This vulnerability is similar to the previously patched, actively exploited CVE-2024-38112. Therefore, it is crucial to apply patches promptly.
UPDATE 17/09/2024: This vulnerability is actively exploited and was added to the CISA kev list. Please update your products now!
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Monitor/Detect
The CCB recommends that organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/cert/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
https://www.theregister.com/2024/09/11/patch_tuesday_september_2024/
https://thehackernews.com/2024/09/microsoft-issues-patches-for-79-flaws.html
https://www.cisa.gov/news-events/alerts/2024/09/10/microsoft-releases-september-2024-security-updates
https://www.tenable.com/blog/microsofts-september-2024-patch-tuesday-addresses-79-cves-cve-2024-43491
https://www.zerodayinitiative.com/blog/2024/9/10/the-september-2024-security-update-review