We’ve reached September and the pumpkin spice floats in the air. While they aren’t pumpkin-spiced, Microsoft and Adobe have released their latest spicy security patches – including some zesty 0-days. Take a break from your regular activities and join us as we review the details of their latest security alerts. If you’d rather watch the full video recap covering the entire release, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.

Adobe Patches for September 2024

For September, Adobe released eight bulletins covering 28 CVEs in Adobe Acrobat and Reader, ColdFusion, Photoshop, Media Encoder, Audition, After Effects, Premier Pro, and Illustrator. A total of seven of these bugs came through the ZDI program. If you’re prioritizing, I would look at the ColdFusion patch first. It corrects a single code execution bug rated at CVSS 9.8. It’s unusual to see patches for Acrobat and Reader in back-to-back months, but I guess these two Critical-rated bugs were late for last month’s release. The fix for Photoshop fixes five CVEs, four of which are rated Critical. The Illustrator patch fixes six bugs, with four of those being Critical code execution bugs

The update for Premier Pro fixes one Critical and one Moderate bug. The fix for After Effects covers five bugs, including two from ZDI researcher Mat Powell. He’s also responsible for the Critical-rated bug in Audition. The final patch from Adobe covers five bugs in Media Encoder, two of which are rated Critical.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for September 2024

This month, Microsoft released 79 new CVEs in Windows and Windows Components; Office and Office Components; Azure; Dynamics Business Central; SQL Server; Windows Hyper-V; Mark of the Web (MOTW); and the Remote Desktop Licensing Service. Four of these vulnerabilities were reported through the ZDI program.

Of the patches being released today, seven are rated Critical, 71 are rated Important, and one is rated Moderate in severity. The size of this release tracks with the volume we saw from Redmond last month, but again, it’s unusual to see such a high number of bugs under active attack.

One of these CVEs is listed as publicly known, and four others are listed as under active attack at the time of release. However, we at the ZDI think that number should be five. More on that later. Let’s take a closer look at some of the more interesting updates for this month, starting with the vulnerabilities currently being exploited:

CVE-2024-43491 - Microsoft Windows Update Remote Code Execution Vulnerability
This is an unusual bug. At first, it reads like a downgrade attack similar to the one discussed at Black Hat. However, it appears that this downgrade was introduced through updates to the Servicing Stack affecting Optional Components on Windows 10 systems. Admins will need to install both the servicing stack update (KB5043936) AND this security update (KB5043083) to fully address the vulnerability. It’s also interesting to note that while this particular bug isn’t being exploited in the wild, it allowed some of those Optional Components to be exploited. The only good news here is that only a portion of Windows 10 systems are affected. Check the write-up from Microsoft to see if you’re impacted, then test and deploy these updates quickly.

CVE-2024-38226 - Microsoft Publisher Security Features Bypass Vulnerability  
I’m always amazed by the ingenuity of attackers, be they red teamers or threat actors. Who would have thought to exploit macros in Microsoft Publisher? I had forgotten all about that program. But here we are. The attack involves specially crafted files being opened by affected Publisher versions. Obviously, an attacker would need to convince a target to open the file, but if they do, it will bypass Office macro policies and execute code on the target system.

CVE-2024-38217 - Windows Mark of the Web Security Feature Bypass Vulnerability
We’ve talked a lot about MoTW bypasses over the last several months, but it seems like there’s always more to say. This is one of two MoTW bypasses receiving fixes this month, but only this one is listed as under attack. Microsoft provides no details about the attacks, but in the past, MoTW bypasses have been associated with ransomware gangs targeting crypto traders. This bug is also listed as publicly known, but no information is provided about that detail either.

CVE-2024-38014 - Windows Installer Elevation of Privilege Vulnerability  
Here’s yet another privilege escalation bug that leads to SYSTEM being exploited in the wild. And not conjure Xzibit memes, but I think it’s great when attackers put an extra installer in the Installer. Interestingly, Microsoft states that no user interaction is required for this bug, so the actual mechanics of the exploit may be odd. Still, privilege escalations like this are typically paired with a code execution bug to take over a system. Test and deploy this fix quickly.

CVE-2024-43461 - Windows MSHTML Platform Spoofing Vulnerability
This bug is similar to the vulnerability we reported and was patched back in July. The ZDI Threat Hunting team discovered this exploit in the wild and reported it to Microsoft back in June. It appears threat actors quickly bypassed the previous patch. When we told Microsoft about the bug, we indicated it was being actively used. We’re not sure why they don’t list it as being under active attack, but you should treat it as though it were, especially since it affects all supported versions of Windows.

Here’s the full list of CVEs released by Microsoft for September 2024:

† Indicates further administrative actions are required to fully address the vulnerability.

Moving on to the other Critical-rated bugs, the vulnerability in SharePoint stands out. It was discovered by ZDI researcher Piotr Bazydło and could lead to code execution in the context of the service account. The specific flaw exists within the handling of serialized instances of the SPThemes class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. There’s another Critical fix for SharePoint, but it requires Site Owner permissions. There are two bugs in Azure Stack Hub that could allow an attacker to interact with other tenants’ applications and content. However, the threat actor would need the target to initiate a connection. There’s a bug in NAT that would allow unauthenticated code execution, but the attacker would need access to a restricted network first since NAT isn’t routable (in most cases). The final Critical bug has already been mitigated by Microsoft and is being publicly documented.

Looking at the other code execution bugs, the two in TCP/IP stand out, especially considering the ugly bug in TCP fixed last month. However, these bugs require a non-default configuration, so they are less likely to have a big impact. For enterprises configured with NetNAT, test and deploy this update quickly. There are four code execution bugs in the Remote Desktop Licensing Service, but all require authentication. There are six fixes for SQL Server Native Scoring, and the exploit scenario here is interesting. According to Microsoft, exploitation “requires an authenticated attacker to leverage SQL Server Native Scoring to apply pre-trained models to their data without moving it out of the database.” The servicing scenario is also convoluted, as you may need to contact third-party vendors to verify apps are compatible with Microsoft OLE DB Driver 18 or 19. Read the bulletin, scratch your head, then read it again. Bugs like this one make me unreasonably angry when people say, “Just Patch.”

The bug in Azure CycleCloud almost reads like a privilege escalation, as a basic user could make specially crafted requests to modify the configuration of an Azure CycleCloud cluster to gain root-level permissions. There are two other fixes for SharePoint, but they are listed as Important instead of Critical for some reason – despite looking suspiciously similar to the Critical-rated bugs. This fix for Power Automate Desktop is found in the Windows Store, so if you have disabled Store updates, you’ll need to apply this fix manually. The remaining RCE bugs are garden-variety open-and-own vulnerabilities.

There are 30 fixes for Elevation of Privilege (EoP) bugs in this release including those already. Mentioned. However, most of these either lead to SYSTEM-level code execution or administrative privileges if an authenticated user runs specially crafted code. The bugs in SQL Server will have the same servicing problems as previously mentioned. Bottom line – it’s a bad month to be an SQL Server admin. The bug in PowerShell could allow a regular user to elevate to an unrestrained WDAC user.

Beyond those already mentioned, there are two Security Feature Bypass (SFB) bugs receiving patches this month. Both involve web browsing. The first is in Windows Security Zone Mapping and could allow an attacker to craft a URL that would be interpreted as belonging to a more privileged zone. The other is another MoTW SmartScreen bypass. This one is not listed as public, but the technique is quite in vogue right now.

The September release includes fixes for 11 different information disclosure bugs. Thankfully, most only result in info leaks consisting of unspecified memory contents. There are two exceptions. The bug in Remote Desktop Licensing Service could disclose the ever-ethereal “sensitive information”. The bug in Outlook for iOS would allow attackers to read “file content.” It’s not clear if that’s random file content or if the files can be specified by the attacker. Also, you’ll need to get this update from the App Store if you haven’t enabled automatic updates on your iOS device.

In addition to the spoofing bug under active attack, there’s also a fix for a spoofing bug in the Windows Remote Desktop Licensing Service. Microsoft doesn’t specify what is being spoofed; only that an attacker must be able to send requests to the Terminal Server Licensing Service. This shouldn’t be reachable from the Internet, but now would be a fine time to verify that fact.

The September release includes fixes for a handful of Denial-of-Service (DoS) bugs. However, Microsoft again provides little additional information about these vulnerabilities. There are some things we can see in the tea leaves. For example, one of the patches for Windows Networking notes that an unauthenticated attacker with LAN access can exploit this bug. However, the other patches for Windows Network list the attack vector as Network instead of Adjacent. I would still think the attacker would be unauthenticated. The DoS in the DHCP server would likely shut down the service, but again, it’s not clear if that’s a permanent or a temporary DoS. We do know the DoS in Hyper-V would allow an attacker on a guest OS to impact the functionality of the host OS.

Finally, the release is rounded out by a single cross-site scripting (XSS) bug in Microsoft Dynamics (on-premises).

There are no new advisories in this month’s release.

Looking Ahead

The next Patch Tuesday of 2024 will be on October 8, and I’ll return with details and spooky patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!