As regular as clockwork, it’s Patch Tuesday time again. What exciting treasures did Microsoft bring us for September? A good handful of bugs being exploited, including a CVSS 9.8 critical vuln.
The patch haul also includes CVE-2024-38217: A zero-day that scrotes have known about for six years. In today’s SB Blogwatch, we set the Wayback Machine to Stun.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Polaris.
What’s the craic? Lawrence Abrams reports: Patch Tuesday fixes 4 zero-days, 79 flaws
“Actively exploited since 2018”
This Patch Tuesday fixed seven critical vulnerabilities, which were either remote code execution or elevation of privileges flaws. … The four actively exploited zero-day vulnerabilities in today’s updates are:
CVE-2024-38014 – Windows Installer Elevation of Privilege …
CVE-2024-38217 – Windows Mark of the Web Security Feature Bypass …
CVE-2024-38226 – Microsoft Publisher Security Feature Bypass …
CVE-2024-43491 – Microsoft Windows Update Remote Code Execution.
…
[The] Mark of the Web Security Feature Bypass … flaw was publicly disclosed last month by Joe Desimone … and is believed to have been actively exploited since 2018. [It] allows specially crafted LNK files … to cause the file to be opened while bypassing … security warnings [and] causes the command in the LNK file to be executed without a warning.
Which is the 9.8 doozy? Gyana Swain IDs it: Microsoft warns of bug reversing updates on old Windows 10, patches critical flaws
“Prevent further rollbacks”
Rated 9.8 out of 10 in severity, CVE-2024-43491 … could silently undo previously applied security patches, leaving systems vulnerable to attacks. … The bug affects devices running Windows 10 version 1507, including Windows 10 Enterprise 2015 LTSB (long-term servicing branch) and Windows 10 IoT Enterprise 2015 LTSB, which are still supported. … (Later versions of Windows 10 are unaffected.)
…
The issue stems from a coding error triggered by security updates released between March and August 2024. … Subsequent updates or security patches released since March 12th could cause the operating system to revert optional components like Internet Explorer 11, Windows Media Player, and MSMQ server core back to their unpatched versions, leaving them vulnerable. … The September 2024 Servicing Stack Update (KB5043936) and the accompanying Security Update (KB5043083) … should “prevent further rollbacks” and restore the system’s security.
Horse’s mouth? The MSRC puts on a brave face: CVE-2024-43491
“Triggered a code defect”
This CVE is marked as Exploitation Detected. [It] documents the rollback of fixes that addressed vulnerabilities which affected … Windows 10 (version 1507). Some of these CVEs were known to be exploited.
…
Starting with the Windows security update released March 12, 2024, … the build version numbers crossed into a range that triggered a code defect in the … servicing stack that handles the applicability of Optional Components. As a result, any Optional Component that was serviced with updates released since March 12, 2024 (KB5035858) was detected as “not applicable” by the servicing stack and was reverted to its RTM version.
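The MSRC description above reads as a triage question for anyone still running Windows 10 version 1507 (build 10240): is this host in scope, and are both fixes named in the article present? The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes Get-HotFix lists the servicing stack update KB5043936 as well as the security update KB5043083 on this build.

```powershell
# Added triage script: checks whether the local host is Windows 10 version 1507
# (build 10240, the only build the rollback defect affects) and whether the
# September 2024 SSU (KB5043936) and security update (KB5043083) are installed.
# Assumption: both packages appear in Get-HotFix output on this build.

$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuild
$ubr   = [int]$cv.UBR                     # update build revision, e.g. 10240.nnnnn
$os    = "$($cv.ProductName) build $build.$ubr"

if ($build -ne 10240) {
    # Later Windows 10 builds are unaffected per the article.
    Write-Output "$os is not Windows 10 version 1507; CVE-2024-43491 does not apply."
    return
}

# The two KBs the article names as the fix for the servicing stack defect.
$required  = @('KB5043936', 'KB5043083')
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing   = $required | Where-Object { $_ -notin $installed }

if ($missing) {
    Write-Output "$os is affected: missing $($missing -join ', ')."
    Write-Output "Install the SSU (KB5043936) and then the security update (KB5043083), reboot, and re-run."
    exit 1
}

Write-Output "$os has KB5043936 and KB5043083 installed; Optional Components should no longer revert to RTM."
```

Run it elevated from a scheduled job or your endpoint management tool so the exit code can drive an inventory report of hosts still missing either package.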
How does this stuff keep happening? StrangerHereMyself bemoans thuswise:
Windows development is handled by interns and $6 an hour [overseas contractors]. Microsoft isn’t serious about Windows development any more, only adding features that will improve its bottom line and stock price (like the dreaded AI). The attack surface is therefore getting larger and larger. Nothing ever gets removed because no one knows if it will break things.
The knowledgeable people have all been transferred to other projects: Most likely AI and Azure.
Is that fair? gweihir, for one, agrees:
Yes, looks like it. This stuff is getting worse and worse, relative to attacker capabilities. MS really does not have what it takes on the engineering side.
Better install that patch rollup ASAP, yes? Wannabe Techguy has a better idea:
“Better yet, stop installing Windows”—best advice yet. I got off that mess in 2012.
Victory or death! u/joshtaco translates that to Orcish:
Lok-tar ogar! Ready to push this out to 10,000 servers/workstations. … Everything updated, no issues seen.
Meanwhile, RitchCraft has an opinion:
As far as I’m concerned, Windows is just one big zero day vulnerability now. Thanks Nadella.
“The most innovative project of all time.”
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: NordWood (via Unsplash; leveled and cropped)