Microsoft addressed 79 Common Vulnerabilities and Exposures (CVEs) this month, 4 of which were marked as zero-day vulnerabilities. The most critical CVEs are noted below:
Microsoft Vulnerabilities:
Windows Zero-Days:
- CVE-2024-43491 – Microsoft Windows Update Remote Code Execution Vulnerability
  - Previously exploited.
  - Downgrade attack only affecting Windows 10 version 1507 & Windows 10 version 2015 LTSB.
  - Requires the September 2024 Servicing stack update (SSU KB5043936) AND the September 2024 Windows security update (KB5043083) in that order to mitigate this vulnerability.
- CVE-2024-38014 – Windows Installer Elevation of Privilege Vulnerability
  - Actively being exploited in the wild.
- CVE-2024-38217 – Windows Mark of the Web Security Feature Bypass Vulnerability
  - Publicly disclosed & actively being exploited in the wild.
- CVE-2024-38226 – Microsoft Publisher Security Feature Bypass Vulnerability
  - Actively being exploited in the wild.
Other Critical CVEs worth mentioning:
- CVE-2024-38109 – Azure Health Bot Elevation of Privilege Vulnerability
- CVE-2024-38216 / 38220 – Azure Stack Hub Elevation of Privilege Vulnerability
- CVE-2024-38194 – Azure Web Apps Elevation of Privilege Vulnerability
- CVE-2024-38018 / 43464 – Microsoft SharePoint Server Remote Code Execution Vulnerability
- CVE-2024-38119 – Windows Network Address Translation (NAT) Remote Code Execution Vulnerability
3rd Party Critical CVEs:
Adobe Products:
- Adobe released 8 patches covering 28 CVEs for Adobe Acrobat and Reader, After Effects, Audition, ColdFusion, Illustrator, Media Encoder, Photoshop, and Premiere Pro.
Apache:
- Apache fixes a critical OFBiz remote code execution vulnerability that was a bypass for previously fixed flaws.
Cisco:
- Cisco Released Security Updates for Multiple Products
- Cisco patches backdoor admin account in Smart Licensing Utility
- Cisco patches command injection vulnerability in Identity Services Engine (ISE)
Google Chrome:
- Versions 128.0.6613.137/.138 were released for Windows & Apple and 128.0.6613.137 for Linux on September 10th
- This update includes 5 security fixes
- Chrome Release: September 10th 2024
Firefox:
Fortinet:
SonicWall:
Veeam:
- Veeam fixes a critical RCE vulnerability (CVE-2024-40711) in Backup & Replication software
- *All FSRM managed Veeam customers have been upgraded.*
About FortressSRM Cyber Hygiene Offering:
Software vulnerabilities are one of the top cyber-attack vectors and one in three breaches are the result of vulnerabilities that were known about and should have been already patched.
Keeping operating systems and application software patched and secure is time-consuming and tedious – an internal IT resource nightmare. Fortress SRM’s Guardian Managed Patching with Monitoring Service delivers automated, high-efficacy (97%+) updates to Microsoft and over 80 third-party software, ensuring efficient patch deployment to every device, whether on or off network. This includes the deployment of critical updates, security updates, feature updates, operating system upgrades, and key Windows security settings and configurations.
The Fortress SRM real-time reporting console includes current patch levels of devices and gives the Client total visibility into what patch related activities have been performed, while real-
Ready to start the Cyber Hygiene journey? Contact us at: Contact Us | Fortress Security Risk Management (fortresssrm.com)