September’s Patch Tuesday update fixes 4 zero-days

Addressing four zero-days flaws (CVE-2024-38014, CVE-2024-38217, CVE-2024-43491 and CVE-2024-38217), this month’s Patch Tuesday release from Microsoft includes 79 updates to the Windows platform. There are no patches to Microsoft Exchange Server or the company’s development tools (Visual Studio or.NET). And Microsoft addressed a recently exploited vulnerability in Microsoft Publisher with two critical updates and nine patches rated important for Microsoft Office. 

Significant testing will be required for this month’s Microsoft SQL Server patches, which affect both server and desktop components — with a focus on application installations due to a change in how Microsoft Installer handles changes and installation rollbacks.

The team at Readiness has crafted a useful infographic outlining the risks associated with each update. 

Known issues 

Microsoft always publishes a list of known issues that relate to the operating system and platforms included in each update, including the following two minor issues for September:

After installing the Windows update released on or after July 9, 2024, some Windows Servers may experience intermittent interruptions to remote desktop connections. Those using RDP over HTTP while employing a Remote Gateway server are most likely to experience this issue. Microsoft is working on a resolution and published a knowledge article (KB5041160) to assist with mitigations.

As a result of the recent updates to Microsoft SharePoint Server, some users are reporting an issue in which SharePoint workflows can’t be published because the unauthorized type is blocked. The issue also generates the event tag “c42q0” in SharePoint Unified Logging System (ULS) logs. In addition, recent changes could cause the deserialization of custom types that inherit from IDictionary to fail. For more information, see KB5043462 on these issues. (Sounds like something from the Succession TV series.)

Due to recent changes to Windows Installer, User Account Control (UAC) does not prompt for credentials on application installation repairs. Once this update (September 2024) has been installed, UAC will again prompt properly. Your scripts will need to be updated if you have not already accounted for this change. 

Though Microsoft has provided documentation on avoiding the issue by disabling this feature in UAC, we think this is a much-needed change and recommend following this latest best practice.

Major revisions 

This month, Microsoft published the following major revisions to past security and feature updates, including:

CVE-2020-17042: Windows Print Spooler Remote Code Execution Vulnerability. This print spooler update was first released in November 2020. This is an information update to reflect that Windows Server 2022 (Core) is now affected.

CVE-2024-30077: Windows OLE Remote Code Execution Vulnerability. This two-month-old patch from Microsoft has been updated to include support for the ARM platform. 

CVE-2024-35272: SQL Server Native Client OLE DB Provider Remote Code Execution. First released in July, the affected software table has been updated to include entries for Visual Studio 2019 and 2022. No further action required.

CVE-2024-38138: Windows Deployment Services Remote Code Execution Vulnerability. This is a documentation update to a patch released last month to include support for all supported versions of Windows Server. No further action required.

Unusually, we have a patch revision that is not strictly documentation related. This month, it’s CVE-2024-38063 (Windows TCP/IP Remote Code Execution Vulnerability). Unlike other revisions, this latest version of a critical network patch will require testing as if it were a new update. System administrators need to take this latest patch revision seriously and test before (re)deployment.

Testing guidelines

Each month, the Readiness team analyzes the latest Patch Tuesday updates and provides detailed, actionable testing guidance based on a large application portfolio and a detailed analysis of the patches and their potential impact.

For September, we have grouped the critical updates and required testing efforts into separate product and functional areas including:

Microsoft SQL Server

Microsoft released several updates to the Microsoft SQL Server platform that affects both Windows desktops and SQL Server installations, including:

A significant update to all supported versions (2016-2022) of Microsoft SQL Server that will require a full installation test. 

An updated core Windows library (SQLOLEDB) that helps Windows applications communicate with SQL Server databases and tools. Though Microsoft rated this change low-risk, Readiness recommends a portfolio analysis that highlights all apps that depend on this data-bound communication approach and a full test cycle for each one identified.

Due to the nature of this September SQL Server update, we highly recommend testing the patch itself and the patching process — with a view to the patch REMOVAL process. We understand that this will require time, skill, and effort — but it will be better than a full restore from backup. 

Windows

Microsoft made networking and memory handling security issues a focus this month with the following changes to Windows:

Due to an update to 64-bit to 32-bit memory handling in Windows (called thunking), 32-bit Camera applications will require testing on 64-bit machines this month. Using Microsoft Teams or playing a video from a USB drive would provide good testing coverage for this change.

Virtual Machines (VMs) that require a VPN will require connectivity testing. In addition, the following protocols — PPP, PPTP, SSTP — will require a basic connectivity test. 

A minor update to Windows defender will require basic testing for endpoint security.

A minor update to core networking functions will require a test of high network traffic this month. The focus should be on the transfer of large files using applications such Teams, Outlook and Microsoft Edge.

Microsoft delivered a significant update to the MSI Installer (application installer) sub-system that will require application install level testing for a portion of your portfolio. Part of this update relates to how shell links are handled in the storage subsystem, which might cause redirected folders or shortcuts to behave unexpectedly during an installation — particularly on secure or locked-down configurations.

We suggest that installations, rollbacks, un-installations and UAC checks be validated this month. Checking for “zero” exit codes on the MSI Installer log is always a good start.

Windows lifecycle and enforcement updates

This section contains important changes to servicing, significant feature depredations, and security related enforcements across the Windows desktop and server platforms.

Enforcements: Microsoft Entra now requires TLS 1.2 (using the latest Microsoft cryptographic libraries) as defined by RFC5246. Microsoft has published several scripts to assist with assessing whether your clients are using the latest libraries and protocols (they’re found here).

Lifecycle: General support for Microsoft SQL Server 2019 ends in January 2025. Given the large number of updates to this aging server, it might be time to upgrade.

Mitigations and workarounds

Microsoft did not publish any mitigations or workarounds this month.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: 

Browsers (Microsoft IE and Edge).

Microsoft Windows (both desktop and server).

Microsoft Office.

Microsoft Exchange Server.

Microsoft Development platforms (ASP.NET Core,.NET Core and Chakra Core).

Adobe (if you get this far).

Browsers

Microsoft’s Edge browser no longer synchronizes exactly with Patch Tuesday; there were several updates to Microsoft’s version of the Chromium browser that address the following reported vulnerabilities:

CVE-2024-41879: Adobe PDF Viewer (Gotcha!)

CVE-2024-38208: Edge for Android updates.

CVE-2024-38207: Microsoft MSHTML Memory Issues.

CVE-2024-38210 and CVE-2024-38209: Microsoft Remote Code Execution.

Once we are done with the Microsoft updates, we can focus on these Chromium patches:

CVE-2024-8636: Heap buffer overflow in Skia.

CVE-2024-8637: Use after free in Media Router.

CVE-2024-8638: Type Confusion in V8 (JavaScript).

CVE-2024-8639: Use after free in Autofill.

After checking for compatibility or suitability challenges presented by these changes, we have not seen anything in the Edge or Chromium update that could affect most enterprise deployments. Add these browser updates to your standard release schedule.

Windows

Microsoft released two critical rated updates to the Windows platform (CVE-2024-38119 and CVE-2024-43491) and 43 patches rated important. The following Windows features have been updated:

Windows Update and Installer.

Windows Hyper-V.

Windows Kernel and Graphics (GDI).

Microsoft MSHTML and Mark of the Web.

Remote Desktop (RDP) and TCP/IP subsystems.

The real concern is that three of these vulnerabilities (CVE-2024-38014, CVE-2024-38217, CVE-2024-43491 have been reported as exploited. In addition, another reported vulnerability in the Windows HTML subsystem (CVE-2024-38217) has been reported as publicly disclosed. Given these four zero-days, we recommend that you add these Windows updates to your Patch Now release schedule.

Microsoft Office 

Microsoft addressed two critical vulnerabilities in the SharePoint platform (CVE-2024-38018 and CVE-2024-43464) that will require immediate attention. There are nine other updates rated important that affect Microsoft Office, Publisher and Visio. Unfortunately, CVE-2024-38226 (which affects Publisher) has been reported as exploited in the wild by Microsoft. If your application portfolio does not include Publisher (many don’t) then add these Microsoft updates to your standard patch release cycle.

Microsoft SQL (nee Exchange) Server 

This month brings a significantly larger update to the Microsoft SQL Server platform with 15 updates (all) rated as important. There are no reports of public disclosures or active exploits, and these patches cover the following broad vulnerabilities:

Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability.

Microsoft SQL Server Native Scoring Information Disclosure Vulnerability.

Microsoft SQL Server Information Disclosure Vulnerability.

Microsoft SQL Server Elevation of Privilege Vulnerability.

Though there will be a significant testing profile this month, affecting both server and desktop systems, we suggest you add these SQL Server patches to your standard release schedule. 

Microsoft development platforms 

No development tools or features (Microsoft Visual Studio or.NET) have been updated this month.

Adobe Reader (and other third-party updates) 

Things are a little different this month for Adobe Reader. Normally, Microsoft releases an Adobe Reader update to the Windows platforms. Not so, this month. 

Adobe Reader has been updated (APSB24-70) but has not been included in the Microsoft release. This month’s Adobe Reader update addresses two critical memory-related security vulnerabilities and should be added to your standard app release cycle.