Patch Tuesday: Microsoft Catches Four Zero-Day Vulnerabilities

Every second Tuesday of the month, Microsoft releases a bundle of fixes for Windows. This Tuesday brings four zero-day vulnerabilities, two high-criticality vulnerabilities, and some sister patches from Adobe.

On Patch Tuesday, which Microsoft calls “Update Tuesday,” other large software companies like Adobe release major security fixes. It’s a time to launch updates across corporate networks, and it occurs during mid-morning Pacific Standard Time to keep admins and users from having to scramble at the beginning of the week or the following day.

Patch Tuesday is a useful reminder for admins to ensure their Microsoft security updates are up to date.

Attackers exploited four zero-day vulnerabilities

The four vulnerabilities attackers have already taken advantage of are:

• CVE-2024-43491: a flaw in Servicing Stack in Windows 10, version 1507 that opens up Optional Components to vulnerabilities previously thought to be mitigated. Later versions of Windows 10 are not affected. The September 2024 Servicing stack update and the September 2024 Windows security update address this flaw.
• CVE-2024-38226: a bypass vulnerability in Microsoft Publisher.
• CVE-2024-38217: a technique by which an attacker could evade Mark of the Web security alerts.
• CVE-2024-38014: a vulnerability that creates improper privilege management and could grant attackers unwanted privileges.

SEE: IBM’s Chris Hockings is optimistic about the safety of the internet in the next five years due to passkeys and defenses against deepfakes.

Two vulnerabilities fell under NIST’s ‘critical’ category

The National Vulnerability Database’s Common Vulnerability Scoring System assigns a “critical” rating to vulnerabilities that meet a certain threshold of severity in their prioritization system. These vulnerabilities, which require immediate attention, include CVE-2024-43491, as listed above, and CVE-2024-38220, which involves an elevation of privilege vulnerability in the Azure Stack Hub.

In total, fixes for 79 flaws were deployed in September’s Update Tuesday.

Adobe released its own monthly security updates

Adobe released its own handful of fixes for Photoshop, Cold Fusion, Acrobat Reader, Illustrator, Premiere Pro, After Effects, Audition, and Media Encoder.