Microsoft, Adobe issue critical patches to fix Zero-day flaws
This month's Patch Tuesday has brought an array of security updates from both Microsoft and Adobe, addressing several high-priority vulnerabilities.
The releases are particularly significant, with a strong focus on Zero-day vulnerabilities in key Microsoft products.
Chris Goettl, Vice President of Security Product Management at Ivanti, highlighted several critical aspects of the updates. "Out of these releases, the highest priorities this month are going to be to address Zero-day vulnerabilities in the Windows OS and Office," he stated.
Microsoft's updates this month cover a total of 79 unique Common Vulnerabilities and Exposures (CVEs), seven of them rated Critical. Notably, four of these CVEs are Zero-day vulnerabilities already under exploitation, affecting Windows and Office products, and one of the four was also publicly disclosed before a fix was available.
One significant issue is CVE-2024-43491, a Zero-day vulnerability in Windows Update that is classed as Remote Code Execution and carries a Critical rating with a Common Vulnerability Scoring System (CVSS) score of 9.8. It affects only Windows 10, version 1507, that is, the Windows 10 Enterprise 2015 Long-Term Servicing Branch (LTSB) and Windows 10 IoT Enterprise 2015 LTSB editions. Microsoft's advisory explains that the servicing stack on these systems had been rolling back earlier fixes for certain optional components, so previously patched vulnerabilities could resurface. Resolving it therefore requires the September 2024 servicing stack update (KB5043936) to be installed before the September 2024 security update (KB5043083), in that order, for comprehensive protection; Windows Update applies them in that sequence automatically, but manual or offline installs must respect it.
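As an added illustration of the check an administrator would run after the point above (this is not code from the article, Ivanti or Microsoft), the following PowerShell function reports whether a host is on the affected Windows 10 1507 branch and whether both required updates are present. The KB numbers and the post-update build revision (UBR 20766 for the September 2024 cumulative update on 1507) are taken from Microsoft's release notes; the function name and output layout are this example's own.

```powershell
# Added example (not from the article, Ivanti or Microsoft).
# Checks a host for the two updates Microsoft requires for CVE-2024-43491.
# Assumptions: KB5043936 is the September 2024 servicing stack update and
# KB5043083 the September 2024 security update for Windows 10 1507 (build 10240);
# after KB5043083 the build revision (UBR) reads 20766 or higher.
function Test-Cve202443491 {
    param(
        [string] $SsuKb      = 'KB5043936',  # servicing stack update, must go on first
        [string] $LcuKb      = 'KB5043083',  # cumulative security update
        [int]    $MinimumUbr = 20766         # UBR reported once KB5043083 is applied
    )

    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    $result = [ordered]@{
        Computer   = $env:COMPUTERNAME
        Build      = "$build.$ubr"
        Affected   = ($build -eq 10240)      # only Windows 10, version 1507 / 2015 LTSB
        SsuPresent = $null
        LcuPresent = $null
        Status     = 'NOT-AFFECTED'
    }
    if (-not $result.Affected) { return [pscustomobject]$result }

    # Get-HotFix reads Win32_QuickFixEngineering; it lists the cumulative update
    # reliably but does not always list servicing stack updates, so the UBR is
    # treated as the authoritative signal that the security update applied.
    $hotfixes = Get-HotFix -ErrorAction SilentlyContinue
    $result.SsuPresent = [bool]($hotfixes | Where-Object HotFixID -eq $SsuKb)
    $result.LcuPresent = ($ubr -ge $MinimumUbr) -or [bool]($hotfixes | Where-Object HotFixID -eq $LcuKb)

    $result.Status = if ($result.LcuPresent -and $result.SsuPresent) { 'PATCHED' }
                     elseif ($result.LcuPresent)                      { 'LCU-ONLY-VERIFY-SSU' }
                     else                                             { 'VULNERABLE' }
    [pscustomobject]$result
}

# Usage: run locally, or fan out with Invoke-Command against a list of 1507 hosts.
Test-Cve202443491 | Format-List
```

A host that reports `LCU-ONLY-VERIFY-SSU` is worth a second look: the cumulative update is present but the servicing stack update could not be confirmed from the hotfix inventory, and Microsoft's guidance is that both are needed.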
Another critical concern is a Zero-day vulnerability in Windows Mark of the Web (MotW), CVE-2024-38217. This vulnerability, which was publicly disclosed before the fix and is being actively exploited, could enable a Security Feature Bypass. It affects Windows Server 2008 and later editions and carries a CVSS score of 5.4. Despite its lower rating, its active exploitation means it should be treated as a high priority, according to Goettl. He explained, "The vulnerability allows an attacker to craft a malicious file that would evade Mark of the Web defences, enabling the ability to bypass security features like SmartScreen Application Security."
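To make concrete what "evading Mark of the Web defences" means, the added PowerShell example below (not code from the article or from Ivanti) reads the `Zone.Identifier` alternate data stream that Windows uses to record the mark and reports, for each file in a folder, whether it carries one and from which zone. A file that lacks the stream, or whose `ZoneId` is below 3 (Internet), is not subjected to SmartScreen or the Office Protected View prompts, which is exactly the defence the bypass sidesteps. The folder path, the extension list and the function names are this example's own assumptions.

```powershell
# Added example (not from the article or Ivanti).
# Mark of the Web lives in an NTFS alternate data stream named Zone.Identifier.
# ZoneId values: 0 Local machine, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted.
# SmartScreen and Office Protected View only engage for ZoneId 3 and above.

function Add-Motw {
    # Writes a Zone.Identifier stream, the same way a browser marks a download.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int]    $ZoneId  = 3,
        [string] $HostUrl
    )
    $body = "[ZoneTransfer]`r`nZoneId=$ZoneId"
    if ($HostUrl) { $body += "`r`nHostUrl=$HostUrl" }
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value $body
}

function Get-MotwStatus {
    # Enumerates files under $Path and reports their MotW state.
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed watch list: file types commonly used as droppers or lures.
        [string[]] $Extension = @('.lnk', '.exe', '.js', '.vbs', '.iso', '.zip', '.docm', '.xlsm')
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extension -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $zoneId  = $null
            $hostUrl = $null
            try {
                # Throws if the file has no Zone.Identifier stream.
                $ads = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction Stop
                foreach ($line in $ads) {
                    if ($line -match '^ZoneId=(\d+)')  { $zoneId  = [int]$Matches[1] }
                    if ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
                }
            } catch { }

            [pscustomobject]@{
                File     = $_.FullName
                Modified = $_.LastWriteTime
                ZoneId   = $zoneId
                HostUrl  = $hostUrl
                # NO-MOTW: no stream, SmartScreen never consulted.
                # LOCAL:   stream present but zone below Internet, same effect.
                # MOTW:    Internet or Restricted, defences engage on open.
                Flag     = if ($null -eq $zoneId) { 'NO-MOTW' }
                           elseif ($zoneId -ge 3) { 'MOTW' }
                           else                   { 'LOCAL' }
            }
        }
}

# Self-contained demonstration on a constructed temp folder (assumed path).
$demo = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'marked.js')   -Value 'WScript.Echo("hi")'
Set-Content -LiteralPath (Join-Path $demo 'unmarked.js') -Value 'WScript.Echo("hi")'
Add-Motw -Path (Join-Path $demo 'marked.js') -ZoneId 3 -HostUrl 'https://example.invalid/marked.js'
Get-MotwStatus -Path $demo | Format-Table File, ZoneId, Flag -AutoSize
# marked.js   -> ZoneId 3, MOTW ; unmarked.js -> ZoneId (blank), NO-MOTW

# Real use: audit a user's Downloads folder for recent files that lack the mark.
Get-MotwStatus -Path "$env:USERPROFILE\Downloads" |
    Where-Object { $_.Flag -ne 'MOTW' -and $_.Modified -gt (Get-Date).AddDays(-7) } |
    Format-Table File, Modified, Flag -AutoSize
```

A recently downloaded archive or shortcut that shows `NO-MOTW` is not proof of exploitation, since some unpacking tools simply do not propagate the stream, but it is the state a successful bypass leaves behind and is a reasonable trigger for a closer look.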
The remaining two exploited Zero-days are CVE-2024-38014 in Windows Installer, which could result in an Elevation of Privilege, and CVE-2024-38226 in Microsoft Publisher, which could enable a Security Feature Bypass. They affect a range of Windows and Office editions and carry CVSS scores of 7.8 and 7.3, respectively.
Alongside Microsoft's extensive updates, Adobe has also released crucial patches. The September updates for Adobe Acrobat and Reader (APSB24-70) resolve two CVEs, both rated Critical, the higher of the two CVSS base scores being 8.6. Both could allow Arbitrary Code Execution, posing a significant risk to users.
The upcoming End-of-Life (EoL) for Windows 10 in October 2025 is another topic of concern. Goettl emphasised the importance of timely planning and migration strategies for affected organisations. "Many organisations recognise the upcoming EoL will present a significant event that will require adequate planning and execution," he explained. Key steps include assessing system readiness for Windows 11, planning migrations to the latest Windows 11 24H2 branch, and budgeting for Extended Security Updates for systems that cannot be upgraded in time.
For September, the Windows OS updates should be prioritised first, given the confirmed in-the-wild exploitation of the Windows CVEs above. The Microsoft Office and Publisher updates are also highlighted because they resolve the other actively exploited CVE.
The ongoing updates and patches reflect a continued effort to address security vulnerabilities promptly, ensuring systems remain protected against the latest threats.