Virtual Administrator’s September Patch Recommendations

Patch Recommendations

This month Microsoft released patches for 79 vulnerabilities with 7 rated “Critical” in severity.

All new patches will be approved in our patch policy.

 

This month brings a moderate number of vulnerabilities, including four zero-day patches.

  • SharePoint Server has two critical remote code execution flaws, CVE-2024-38018 and CVE-2024-43464.
  • These allow an authenticated attacker with Site Member (CVE-2024-38018) or Site Owner (CVE-2024-43464) permissions to execute code remotely.
  • CVE-2024-38119 is a remote code execution bug in the Windows Network Address Translation (NAT). An attacker would need to first gain access to the restricted network before running an attack.
  • CVE-2024-38014 is a Windows Installer elevation of privilege vulnerability affecting all versions of Windows.
  • CVE-2024-38217 is a Windows Mark of the Web security feature bypass vulnerability.
  • CVE-2024-38226 is a Microsoft Publisher security features bypass vulnerability.
  • Those still running Windows 10 version 1507 should read “Heads Up!” below. Your machine may be unpatched per CVE-2024-43491.
  • There are some new stand-alone SSUs for Windows Server 2012/2012 R2 and Windows 10 1507/1607/Server 2016.

 

Disclosed: CVE-2024-38217

Exploited: CVE-2024-38014, CVE-2024-38217, CVE-2024-38226, CVE-2024-43491

 

Security Update Guide

https://msrc.microsoft.com/update-guide/en-us

 

Microsoft Security Advisories

ADV990001 | Latest Servicing Stack Updates (Published: 11/13/2018 | Last Updated: 9/10/2024)

https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001

Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.

NOTE: The Windows 10 Servicing Stack Updates are included in the monthly Cumulative Updates.

 

Heads Up! Windows 10 original release version 1507 (OS Build 10240) may be unpatched.

CVE-2024-43491 | Microsoft Windows Update Remote Code Execution Vulnerability (Cumulative Update)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-43491

This only affects the original version of Windows 10. Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 remain in support, which is why we still see monthly CUs for it.

If you installed any of the security updates released between March and August 2024, that update rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507.

This servicing stack vulnerability is addressed by installing the September 2024 Servicing Stack Update (SSU KB5043936) AND the September 2024 Windows security update (KB5043083), in that order. You can use our “MS Stack Audit AIO” agent procedure to install the SSU.

 

Known Issues

Microsoft acknowledged problems affecting SharePoint Server and Windows 10/11 machines with dual-boot setup for Windows and Linux enabled.

 

Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues, it is unlikely to occur now.

 

Deserialization of custom types that inherit from IDictionary.

Affects:

  • SharePoint Enterprise Server 2016: September 10, 2024 (KB5002624)
  • SharePoint Server 2019: September 10, 2024 (KB5002639)
  • SharePoint Server Subscription Edition: September 10, 2024 (KB5002640)

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-sharepoint-server-subscription-edition-september-10-2024-kb5002640-c3065f06-d94e-4028-9249-d353ae631cbd

Symptom: After you apply this update, you might experience an issue that affects the deserialization of custom types that inherit from IDictionary. For more information, see Certain types that inherit from IDictionary are blocked from deserialization (KB5043462) – https://support.microsoft.com/en-us/topic/certain-types-that-inherit-from-idictionary-are-blocked-from-deserialization-kb5043462-4cba8087-8688-43b3-9068-bd5b1381a8cf

You might experience an issue in which SharePoint workflows can’t be published because the unauthorized type is blocked. This issue also generates event tag “c42q0” in SharePoint Unified Logging System (ULS) logs.

Workaround: To work around this issue, register the safe types in the Web.config file. You can look for event tag “c42q0” in ULS logs to find the blocked type. If the type and assembly are safe, add the type to the authorized list in the Web.config file. For example:

<System.Workflow.ComponentModel.WorkflowCompiler>
   <authorizedTypes>
     <targetFx version="v4.0">
        <!-- Only add a type here after confirming from the c42q0 ULS entry that the type and its assembly are safe -->
        <authorizedType Assembly="Microsoft.SharePoint.WorkflowActions, Version=16.0.0.0, Culture=neutral, PublicKeyToken=null" Namespace="Microsoft.SharePoint.WorkflowActions.WithKey" TypeName="*" Authorized="True" />
     </targetFx>
   </authorizedTypes>
</System.Workflow.ComponentModel.WorkflowCompiler>

Status: We are working on a resolution and will provide an update in an upcoming release.

 

August 2024 security update might impact Linux boot in dual-boot setup devices

https://support.microsoft.com/en-us/topic/september-10-2024-kb5043064-os-builds-19044-4894-and-19045-4894-cd14b547-a3f0-4b8f-b037-4ae3ce83a781

https://support.microsoft.com/en-us/topic/september-10-2024-kb5043076-os-builds-22621-4169-and-22631-4169-215aad1e-3f3f-44bd-9868-91a2bd450a07

Affects: Windows 10/11

Symptom: After installing this security update, you might face issues with booting Linux if you have enabled the dual-boot setup for Windows and Linux in your device. Resulting from this issue, your device might fail to boot Linux and show the error message “Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation.”

The August 2024 Windows security update applies a Secure Boot Advanced Targeting (SBAT) setting to devices that run Windows to block old, vulnerable boot managers. This SBAT update will not be applied to devices where dual booting is detected. On some devices, the dual-boot detection did not detect some customized methods of dual-booting and applied the SBAT value when it should not have been applied.

Workaround: Please refer to the workaround mentioned in Windows release health site for this issue – https://docs.microsoft.com/en-us/windows/release-health/.

Status: We are investigating the issue with our Linux partners and will provide an update when more information is available.

Good resource for known issues with Windows 10/11 patches. Find the version and click on “Known issues”.

Windows release health

https://docs.microsoft.com/en-us/windows/release-health/

 

Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022 KBs

Links are https://support.microsoft.com/en-us/help/####### with the KB number only.

 

Security and Quality Rollup

  • KB5043138 – Windows Server 2012 R2 (ESU)
  • KB5043125 – Windows Server 2012 (ESU)

 

Cumulative Updates

Windows 10

  • KB5043083 – Original release version 1507 (OS Build 10240)
  • KB5043051 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB5043050 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB5043064 – Version 21H2 “November 2021 Update” (OS Build 19044)
  • KB5043064 – Version 22H2 “November 2022 Update” (OS Build 19045)

(Versions 1511,1703,1709,1803,1903,1909,2004,20H2,21H1 are no longer under support)

 

Windows 11

  • KB5043067 – 21H2 (OS Build 22000) Original release
  • KB5043076 – 22H2 (OS Build 22621)
  • KB5043076 – 23H2 (OS Build 22631)

 

Windows Server

  • KB5043051 – Server 2016 (same KB as Windows 10 Version 1607)
  • KB5043050 – Server 2019 (same KB as Windows 10 Version 1809)
  • KB5042881 – Server 2022 (OS Build 20348)
  • KB5043055 – Server 23H2 (OS Build 25398)

 

September 2024 updates for Microsoft Office

https://support.microsoft.com/en-us/topic/september-2024-updates-for-microsoft-office-82d47d8a-fa12-4014-b379-bb73395c7294

 

Notable CVEs

 

CVE-2024-38014 | Windows Installer Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-38014

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

 

CVE-2024-38217 | Windows Mark of the Web Security Feature Bypass Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-38217

To exploit this vulnerability, an attacker could host a file on an attacker-controlled server, then convince a targeted user to download and open the file. This could allow the attacker to interfere with the Mark of the Web functionality.

An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as SmartScreen Application Reputation security check and/or the legacy Windows Attachment Services security prompt.

 

CVE-2024-38018/CVE-2024-43464 | Microsoft SharePoint Server Remote Code Execution Vulnerability (KB5002624, KB5002639, KB5002640)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-38018

In a network-based attack, an authenticated attacker, who has a minimum of Site Member permissions (PR:L), could execute code remotely on the SharePoint Server.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-43464

An authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server. An authenticated attacker with Site Owner permissions or higher could upload a specially crafted file to the targeted SharePoint Server and craft specialized API requests to trigger deserialization of file’s parameters. This would enable the attacker to perform remote code execution in the context of the SharePoint Server.

 

CVE-2024-38119 | Windows Network Address Translation (NAT) Remote Code Execution Vulnerability (Cumulative Update)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-38119

Successful exploitation of this vulnerability requires an attacker to win a race condition, and the attacker would first need to gain access to the restricted network before running an attack.

 

CVE-2024-38226 | Microsoft Publisher Security Features Bypass Vulnerability (KB5002566, Click to Run)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-38226

An attacker who successfully exploited this vulnerability could bypass Office macro policies used to block untrusted or malicious files. The Preview Pane is not an attack vector. The attack itself is carried out locally by a user with authentication to the targeted system. An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website, which could lead to a local attack on the victim computer.

 

CVE-2024-43491 | Microsoft Windows Update Remote Code Execution Vulnerability (Cumulative Update)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-43491

Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015). This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024—KB5035858 (OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability.

This servicing stack vulnerability is addressed by installing the September 2024 Servicing stack update (SSU KB5043936) AND the September 2024 Windows security update (KB5043083), in that order.
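The following PowerShell check, added here as an example and not part of the original post, Microsoft's guidance, or the “MS Stack Audit AIO” procedure, reports whether a host is Windows 10 version 1507 and whether the SSU KB5043936 / CU KB5043083 pair described in the “Heads Up!” section and in this CVE entry is present. It assumes Get-HotFix lists both the SSU and the CU, and reads the build and UBR from the CurrentVersion registry key.

```powershell
# Added example (not from the original post or from Microsoft): CVE-2024-43491 exposure check.
# Assumption: Get-HotFix (Win32_QuickFixEngineering) lists both the SSU and the cumulative update.
function Test-Cve202443491Exposure {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild     # 10240 for the original Windows 10 release (version 1507)
    $ubr   = [int]$cv.UBR              # Update Build Revision, e.g. 20526 for KB5035858 (March 2024)
    $full  = "10.0.$build.$ubr"

    # Only the original release is affected; all later versions of Windows 10 are not.
    if ($build -ne 10240) {
        return [pscustomobject]@{ Build = $full; Affected = $false; Status = 'Not Windows 10 version 1507' }
    }

    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $ssu = $installed -contains 'KB5043936'   # September 2024 Servicing Stack Update
    $cu  = $installed -contains 'KB5043083'   # September 2024 cumulative update

    # KB5035858 is OS build 10240.20526; it and the CUs through August 2024 rolled back
    # the Optional Component fixes, so a UBR at or above 20526 without the September CU is exposed.
    $rolledBack = ($ubr -ge 20526) -and (-not $cu)

    $status = if ($ssu -and $cu) {
                  'Fixed: SSU KB5043936 and CU KB5043083 installed'
              } elseif ($cu) {
                  'CU KB5043083 present but SSU KB5043936 not detected: verify the SSU was installed first'
              } elseif ($ssu) {
                  'SSU KB5043936 present: install CU KB5043083 next'
              } elseif ($rolledBack) {
                  'Exposed: a March-August 2024 update is installed without the September fix'
              } else {
                  'Pre-March 2024 build: install SSU KB5043936, then CU KB5043083'
              }

    [pscustomobject]@{
        Build        = $full
        Affected     = $true
        SsuKB5043936 = $ssu
        CuKB5043083  = $cu
        Status       = $status
    }
}

Test-Cve202443491Exposure | Format-List
```

Run it from an elevated PowerShell session on the host; a Status beginning with “Exposed” or “Pre-March” means the SSU and CU still need to be applied in the order given above.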