Microsoft’s September 2024 Patch Tuesday Update Fixes 79 Vulnerabilities

Microsoft released yesterday the September 2024 Patch Tuesday updates for all supported versions of Windows 10 and Windows 11. This time around, Microsoft has addressed 79 new vulnerabilities in Windows, Office, Windows Hyper-V, Mark of the Web (MOTW), and other components.

September 2024 Patch Tuesday updates fix 7 critical vulnerabilities

According to the Zero Day Initiative, Microsoft has released a total of 71 security patches, with fixes for 7 critical vulnerabilities.

• CVE-2024-38014: This is a Windows Installer elevation-of-privilege vulnerability with a CVSS score of 7.8 that affects Windows desktop and server systems. A successful exploit could give attackers unwanted privileges on the device.
• CVE-2024-38226: This is a security bypass vulnerability in Microsoft Publisher with a CVSS rating of 7.3. It allows an attacker to bypass Office macros that protect users against untrusted and malicious files.
• CVE-2024-38217: This is a Windows Mark of the Web (MOTW) security feature bypass flaw that blocks harmful files and content downloaded from the Internet. Threat actors could exploit this flaw by convincing the victim to download and open a malicious file to evade MOTW protections in Windows.
• CVE-2024-43491: The zero-day Windows Update remote-code execution vulnerability affects PCs running Windows 10 version 1507. Microsoft dropped support for Windows 10 version 1507 back in May 2017. However, Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB will remain supported until October 2025. Microsoft has addressed this flaw in the September 2024 Servicing stack update and the Windows security update.
• CVE-2024-38018 and CVE-2024-43464: The two critical SharePoint Server flaws could enable hackers with Site Member and Site owner permissions to execute code remotely.

Here’s a full list of CVEs Microsoft released this month:

Quality and experience updates

Microsoft has released the KB5043080 and KB5043076 patches for Windows 11 versions 24H2 as well as versions 23H2 and 22H2, respectively. These updates allow users to use Windows Share to share content to linked Android devices. Microsoft has also started rolling out new APIs that let third-party developers create new widget feeds in the EU.

For Windows 10 users, Microsoft has released the KB5043064 patch to address a bug that was previously causing apps to stop responding due to memory leak in Bluetooth devices. The company has also fixed an issue that was cauing the Microsoft System Center Configuration Manager (SCCM) task to re-enable Unified Write Filter (UWF) fail due to a deadlock in UWF. This bug prevents users from rebooting their devices.

Windows Update testing and best practices

Organizations looking to deploy this month’s patches should conduct thorough testing before deploying them widely on production systems. That said, applying the patches widely shouldn’t be delayed longer than necessary as hackers start to work out how to weaponize newly reported vulnerabilities.

A best practice is to make sure you have backed up systems before applying updates. Every month, users experience issues with Windows updates that lead to systems not booting, application and hardware compatibility issues, or even data loss in extreme cases.

There are backup tools built into Windows and Windows Server that you can use to restore systems in the event a patch causes a problem. The backup features in Windows can be used to restore an entire system, or files and folders on a granular basis.