
Yesterday was September 10, 2024, and you know what that means — it’s Patch Day, the second Tuesday of each month when Microsoft releases security updates for Windows.
This time, 79 security vulnerabilities were addressed, with all but one classified as “critical” or “high risk.” According to Microsoft, four of the vulnerabilities are already being exploited in the wild, so be sure to update as soon as you can.
Which Windows versions are affected?
The majority of the vulnerabilities — 67 in total — are spread across various Windows versions, including Windows 10, Windows 11, and Windows Server.
Windows 7 and 8.1 are no longer mentioned in the security reports, so they may still be vulnerable. Unless you have a good reason, you should consider switching to Windows 10 (22H2) or Windows 11 (23H2) to continue receiving security updates. (Note that Windows 10 will stop being supported in 2025, so Windows 11 is the better choice.)
Patch Day also includes updates for Windows 11 24H2, although the fall update is still in testing with Insiders and not yet publicly available.
That said, if you’re still running Windows 11 22H2, you should really update to Windows 11 23H2 as soon as you can. Otherwise you run the risk of a forced update, which can be disruptive. (Windows 11 22H2 will receive its final security update on October 8, 2024.)
Zero-day Windows vulnerabilities patched
As mentioned, several of the patched Windows security vulnerabilities are already being used in real-world attacks. (It’s disputed whether one of them, the spoofing issue CVE-2024-43461, is being actively exploited.)
Microsoft hasn’t offered many details on these zero-day vulnerabilities in the security update guide, but Dustin Childs touches on them in the Zero Day Initiative blog. Childs claims that an exploit of the spoofing issue has been discovered in the wild and was reported to Microsoft, but the vulnerability isn’t listed as under attack by Microsoft.
Critical security vulnerabilities on Patch Day in September 2024
| CVE | Vulnerable software | Severity | Impact | Exploited | Known in advance |
|---|---|---|---|---|---|
| CVE-2024-43491 | Windows Update | critical | RCE | yes | no |
| CVE-2024-38217 | Windows Mark of the Web | high | SFB | yes | yes |
| CVE-2024-38014 | Windows Installer | high | EoP | yes | no |
| CVE-2024-38226 | Office: Publisher | high | SFB | yes | no |
| CVE-2024-43461 | Windows MSHTML | high | Spoofing | disputed * | no |
| CVE-2024-38119 | Windows NAT | critical | RCE | no | no |
| CVE-2024-38018 | SharePoint Server | critical | RCE | no | no |
| CVE-2024-43464 | SharePoint Server | critical | RCE | no | no |

RCE: Remote Code Execution
EoP: Elevation of Privilege
SFB: Security Feature Bypass
Regarding vulnerability CVE-2024-38217, Microsoft says the Security Feature Bypass vulnerability isn’t just being exploited but was also publicly known in advance. It affects the “Mark of the Web” (MotW) on downloaded files, making it possible to bypass protections.
Regarding vulnerability CVE-2024-43491, it’s the only Remote Code Execution (RCE) issue among the four zero-days. It only affects certain older versions of Windows 10 and can only be eliminated by first installing update KB5043936, then update KB5043083. Microsoft says newer versions of Windows 10 aren’t affected.
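As an added example (not from the original article or from Microsoft), the following PowerShell checks whether a host has both updates named above and whether the recorded install dates agree with the required order. The function name and the verdict labels are assumptions made for illustration; only the two KB numbers come from the article.

```powershell
# Added example. KB numbers are from the article; the function name,
# verdict labels and output shape are hypothetical.
$FixOrder = 'KB5043936', 'KB5043083'   # must be installed in this order

function Test-Cve202443491Fix {
    param([string[]]$KbIds = $FixOrder)

    $state = foreach ($id in $KbIds) {
        # Get-HotFix writes an error when a KB is absent; suppress it and
        # treat "no object returned" as "not installed".
        $fix = Get-HotFix -Id $id -ErrorAction SilentlyContinue |
            Select-Object -First 1
        [pscustomobject]@{
            KB          = $id
            Installed   = [bool]$fix
            InstalledOn = if ($fix) { $fix.InstalledOn } else { $null }
        }
    }

    $missing = @($state | Where-Object { -not $_.Installed })
    $first, $second = $state

    $verdict = if ($missing.Count -eq 2) {
        'NeitherInstalled'       # expected on Windows versions the CVE does not affect
    } elseif ($missing.Count -eq 1) {
        'Incomplete'             # only one of the two steps was applied
    } elseif (-not $first.InstalledOn -or -not $second.InstalledOn -or
              $first.InstalledOn -eq $second.InstalledOn) {
        'InstalledOrderUnknown'  # InstalledOn is a date only and may be empty
    } elseif ($first.InstalledOn -gt $second.InstalledOn) {
        'InstalledWrongOrder'    # second KB recorded before the first
    } else {
        'InstalledInOrder'
    }

    [pscustomobject]@{ Verdict = $verdict; Detail = $state }
}

$result = Test-Cve202443491Fix
$result.Detail | Format-Table -AutoSize
"Verdict: $($result.Verdict)"
```

When both updates were installed on the same day, the dates cannot confirm the order, so the check reports `InstalledOrderUnknown` and the update history needs a manual look.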
Regarding vulnerability CVE-2024-38014, this Elevation of Privilege (EoP) threat exists in the Windows Installer for all currently supported versions of Windows, including Server editions. An attacker who exploits this flaw can give themself SYSTEM privileges without user interaction. (The exact mechanism isn’t clear, but typically attackers combine EoP vulnerabilities with RCE vulnerabilities to remotely run malicious code.)
Other critical Windows vulnerabilities
There are also several security vulnerabilities classified as critical, one of which affects Windows and isn’t yet under attack.
The RCE vulnerability CVE-2024-38119 affects Network Address Translation (NAT) and requires the attacker to be on the same network. This is because NAT is generally not routing-capable, meaning that it can’t be exploited across network boundaries.
Also, Windows Remote Desktop Services has seven vulnerabilities, including four RCE vulnerabilities. There’s another RCE vulnerability each in Microsoft Management Console (CVE-2024-38259) and Power Automate for desktop (CVE-2024-43479).
Microsoft Office vulnerabilities
In this patch, Microsoft eliminated 11 vulnerabilities in its Office products, including a zero-day vulnerability and two other vulnerabilities classified as critical.
The Security Feature Bypass vulnerability CVE-2024-38226 was discovered by an unknown person in Microsoft Publisher and exploited immediately. For this, an attacker has to convince a user to open a specially prepared file in Publisher. If successful, the macro policies in Office are bypassed and malicious code is executed.
Microsoft classifies two RCE vulnerabilities in SharePoint Server (CVE-2024-38018, CVE-2024-43464) as critical. However, another RCE vulnerability (CVE-2024-38227) in SharePoint Server and one in Visio (CVE-2024-43463) are only considered high risk.
SQL Server vulnerabilities
Microsoft eliminated 13 security vulnerabilities in SQL Server this month, six of them RCE vulnerabilities with CVSS scores of 8.8. Microsoft also closed three EoP vulnerabilities and four data leaks.
Web browser updates
The latest security update for Microsoft’s Edge browser is version 128.0.2739.63 from September 3, based on Chromium 128.0.6613.120. However, it doesn’t yet appear in the security update guide. (The release notes are also rather sparse and only appeared a week late.) The 128.0.2739.67 update to Edge on September 5 only fixes a number of bugs.
However, Google released a new security update for Chrome on September 10, which fixes a number of vulnerabilities classified as high risk. Microsoft has yet to respond to this.
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.