Patch Tuesday Summary

September’s Patch Tuesday brings updates from Microsoft, Adobe and Ivanti. Microsoft has released updates for the Windows OS, Office, Sharepoint, SQL Server and several Azure services and components. Adobe released updates for several products including Adobe Acrobat and Reader. Ivanti has also released updates for three products.

Out of these releases, the highest priorities this month are going to be to address zero-day vulnerabilities in the Windows OS and Office.

Microsoft summary

Microsoft has resolved 79 unique CVEs this month, including seven Critical CVEs. In the mix are four zero-day vulnerabilities in Windows and Office. One of the zero-day vulnerabilities has also been publicly disclosed. There is also a SQL update this month to keep an eye on that includes 13 CVEs.

Another topic bubbling up in many organizations is the Windows 10 End-of-Life. We may be a year and a month out from the October 2025 EoL, but many organizations recognize the upcoming EoL will present a significant event that will require adequate planning and execution. You may need to assess how many systems are Windows 11-ready and plan the migration to the latest Windows 11 24H2 branch. In cases where systems cannot be upgraded, your organization may need to consider extended support to continue support past the EoL date. For more details check out Microsoft’s Windows 10 ESU article.

Microsoft zero-day vulnerabilities

Microsoft has resolved a zero-day vulnerability in Windows Update that could allow Remote Code Execution (CVE-2024-43491). The vulnerability affects Windows 10 1507 and 2015 LTSB editions. All newer Windows 10 releases are not affected. The CVE is rated Critical and has a CVSS v3.1 of 9.8. The vulnerability also requires the latest servicing stack update be applied to fully address the exposures.

Microsoft has resolved a zero-day vulnerability in Windows Mark of the Web that could allow an attacker to perform a Security Feature Bypass (CVE-2024-38217). The vulnerability has also been publicly disclosed. The vulnerability affects Windows Server 2008 and newer Windows editions. Microsoft has rated the CVE as Important; it has a CVSS v3.1 of 5.4, but due to the confirmed exploitation this vulnerability should be treated as a high priority this month. The vulnerability allows an attacker to craft a malicious file that would evade Mark of the Web defenses – enabling the ability to bypass security features like SmartScreen Application Security.

Microsoft has resolved a zero-day vulnerability in Windows Installer that could allow an Elevation of Privilege (CVE-2024-38014). The vulnerability affects Windows Server 2008 and newer Windows editions. The vulnerability is rated Important and has a CVSS v3.1 of 7.8. An attacker who exploits this vulnerability could gain SYSTEM privileges on the affected system.

Microsoft has resolved a zero-day vulnerability in Microsoft Publisher that could allow an attacker to perform a Security Feature Bypass (CVE-2024-38226). The vulnerability affects Microsoft Office 2019 and 2021 as well as Publisher 2016. Microsoft has rated the CVE as Important, with a CVSS v3.1 of 7.3. An attacker could exploit this vulnerability to bypass Office macro policies used to block untrusted or malicious files.

Third-party updates

Adobe has released an update for Adobe Acrobat and Reader that resolves two CVEs, both of which are rated Critical (APSB24-70). The highest CVSS base score is 8.6, and both CVEs could allow Arbitrary Code Execution.

Ivanti Patch Tuesday releases

Ivanti has released three updates for September’s Patch Tuesday. Products affected are Ivanti Endpoint Manager, Ivanti Cloud Service Appliance and Ivanti Workspace Control. The three updates resolve 23 CVEs. Ivanti is not aware of any exploits at the time of disclosure. Details of these releases can be found in Ivanti’s September Security Update blog.

September priorities

  • Windows OS updates are the highest priority this month, resolving at least two confirmed exploits depending on the Windows edition.
  • Microsoft Office and Publisher is also a high priority, resolving one confirmed exploited CVE.