Microsoft detects four zero-day vulnerabilities


On the second Tuesday of every month, Microsoft releases a patch package for Windows. This Tuesday's release includes fixes for four zero-day vulnerabilities and two high-criticality vulnerabilities, alongside some similar patches from Adobe.

On Patch Tuesday, which Microsoft calls “Update Tuesday,” other major software companies like Adobe also release important security patches. The release happens mid-morning Pacific Standard Time, which gives administrators a set time to push updates out to corporate networks and spares them and their users from having to scramble earlier in the week or the next day.

Patch Tuesday is a useful reminder for administrators to ensure their Microsoft security updates are up to date.

Attackers exploited four zero-day vulnerabilities

The four vulnerabilities that attackers have already exploited are:

  • CVE-2024-43491: a flaw in the servicing stack of Windows 10, version 1507, that exposes optional components to vulnerabilities previously thought to be mitigated. Later versions of Windows 10 are not affected. The September 2024 Servicing Stack Update and the September 2024 Windows Security Update address this flaw.
  • CVE-2024-38226: a bypass vulnerability in Microsoft Publisher.
  • CVE-2024-38217: a technique by which an attacker could evade Mark of the Web security alerts.
  • CVE-2024-38014: an improper privilege management vulnerability that could grant attackers unintended privileges.

Two vulnerabilities fell into NIST's “critical” category

The National Vulnerability Database's Common Vulnerability Scoring System assigns a “critical” rating to vulnerabilities that meet a certain severity threshold in its prioritization system. These vulnerabilities, which require immediate attention, include CVE-2024-43491, as noted above, and CVE-2024-38220, which involves an elevation of privilege vulnerability in Azure Stack Hub.

In total, fixes for 79 bugs were implemented in Tuesday's September update.

Adobe released its own monthly security updates

Adobe has released its own handful of fixes for Photoshop, ColdFusion, Acrobat Reader, Illustrator, Premiere Pro, After Effects, Audition, and Media Encoder.
