Microsoft is fixing more than seventy security and other vulnerabilities in its September Patch Tuesday update. Of particular note, a specific Windows 10 flaw that deletes previously installed updates, leaving systems vulnerable, has been addressed.
Microsoft has fixed over seventy vulnerabilities and flaws across various products with its most recent Patch Tuesday update. This includes Windows 10 and 11, Office and its Mark of the Web mechanism, Azure, Dynamics Business Central, SQL Server, hypervisor Hyper-V, and Remote Desktop Licensing Service.
For Windows, the patches for three of the mentioned vulnerabilities are very important because hackers are already exploiting them. The first is CVE-2024-38014, which allows escalation of privilege in the Windows Installer and can give access to full system privileges.
Microsoft has also addressed the second critical vulnerability, CVE-2024-38226. This is a ‘security bypass hole’ in Publisher 2016, Office 2019, and Office 2021. It lets victims open an infected file, after which hackers can bypass macro protections in Office.
Furthermore, vulnerability CVE-2024-38217 has been patched, which helps malicious actors bypass the Microsoft Mark of the Web software identification engine. Incidentally, another patched vulnerability for this feature is CVE-2024-43487, which allows malicious parties to bypass the SmartScreen user experience.
Specific patch for Windows 10 v1507
Especially important is the resolution of critical vulnerability CVE-2024-43491. This only applies to Windows 10 v1507, released in 2015. Although support for this version ceased for most variants back in 2017, it was still offered for the Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 versions.
The vulnerability causes the affected Windows 10 versions to silently remove previous updates and security patches for several components, making them vulnerable to attacks or other problems.
According to Microsoft, the flaw lies in a programming error triggered by security updates released between March and August of this year. When one of these updates is installed and updates released after March 12, 2024 are then applied, Windows 10 v1507 gets quite upset, and the affected software reverts to its original, shipped state. This means code remains unpatched, leaving systems vulnerable to attack.
The affected components are .NET Framework 4.6 Advanced Services / ASP.NET 4.6, Active Directory Lightweight Directory Services, Administrative Tools, Internet Explorer 11, Internet Information Services World Wide Web Services, LPD Print Service, Microsoft Message Queue (MSMQ) Server Core, MSMQ HTTP Support, MultiPoint Connector, SMB 1.0/CIFS File Sharing Support, Windows Fax and Scan, Windows Media Player, Work Folders Client and XPS Viewer.
The tech giant warns that users of this release must install servicing stack update KB5043936 and security update KB5043083 to resolve the issue. Users who receive automatic updates already have the patches.
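The check below is an added example, not code from the article or from Microsoft; it reports whether a host is Windows 10 v1507, whether the two updates named above are present, and which of the listed optional components are enabled. The build number (10240) and the optional-feature names are my assumptions, as is the mapping from feature names to the article's component list.

```powershell
# Added example: assess exposure to the CVE-2024-43491 rollback on a Windows 10 host.
function Test-Win10v1507Rollback {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # Assumption: Windows 10 v1507 (2015 LTSB / IoT Enterprise 2015) is build 10240.
    if ($build -ne 10240) {
        return [pscustomobject]@{ Build = $build; Affected = $false; Note = 'Not Windows 10 v1507' }
    }

    # The two updates the article says must be installed: the SSU and then the security update.
    # Get-HotFix reads Win32_QuickFixEngineering, which does not always list servicing stack
    # updates, so a "missing" SSU should be confirmed in Settings > Update history.
    $required  = 'KB5043936', 'KB5043083'
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $missing   = @($required | Where-Object { $_ -notin $installed })

    # Optional components the article lists as silently reverted (feature names are assumptions;
    # Administrative Tools has no optional-feature entry and is omitted).
    $features = @{
        'NetFx4-AdvSrvs'                      = '.NET Framework 4.6 Advanced Services'
        'IIS-ASPNET45'                        = 'ASP.NET 4.6'
        'DirectoryServices-ADAM-Client'       = 'Active Directory Lightweight Directory Services'
        'Internet-Explorer-Optional-amd64'    = 'Internet Explorer 11'
        'IIS-WebServer'                       = 'IIS World Wide Web Services'
        'Printing-Foundation-LPDPrintService' = 'LPD Print Service'
        'MSMQ-Server'                         = 'MSMQ Server Core'
        'MSMQ-HTTP'                           = 'MSMQ HTTP Support'
        'MultiPoint-Connector'                = 'MultiPoint Connector'
        'SMB1Protocol'                        = 'SMB 1.0/CIFS File Sharing Support'
        'FaxServicesClientPackage'            = 'Windows Fax and Scan'
        'WindowsMediaPlayer'                  = 'Windows Media Player'
        'WorkFolders-Client'                  = 'Work Folders Client'
        'Xps-Foundation-Xps-Viewer'           = 'XPS Viewer'
    }
    $enabled = @(Get-WindowsOptionalFeature -Online |
        Where-Object { $_.State -eq 'Enabled' -and $features.ContainsKey($_.FeatureName) } |
        ForEach-Object { $features[$_.FeatureName] })

    [pscustomobject]@{
        Build             = $build
        Affected          = $true
        MissingUpdates    = $missing
        ExposedComponents = $enabled
        # Action is needed only when an affected component is enabled and the fix is incomplete.
        ActionRequired    = ($missing.Count -gt 0 -and $enabled.Count -gt 0)
    }
}

Test-Win10v1507Rollback | Format-List
```

Run from an elevated PowerShell session, since Get-WindowsOptionalFeature -Online requires administrator rights.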
Other patches and end-of-support
The other critical vulnerabilities patched with the recent Patch Tuesday update mainly concern Azure: CVE-2024-38216, CVE-2024-38220, CVE-2024-38194 and CVE-2024-43469. Critical vulnerabilities have also been fixed for SharePoint and Windows NAT.
Last but not least, Windows 11 21H2 and 22H2 users for the Home, Pro, Pro Education and Pro for Workstations versions should know that this Patch Tuesday update for October 2024 is the last one they’ll get. After this date, Microsoft will permanently end support for these versions.