Microsoft says it broke some Windows 10 patching – as it fixes flaws under attack

CISA wants you to leap on Citrix, Ivanti issues. Adobe, Intel, SAP vie for priority


Patch Tuesday Another Patch Tuesday has dawned, as usual with the unpleasant news that there are pressing security weaknesses and blunders to address.

Microsoft issued fixes for more than 70 flaws affecting various components of its products including Windows, Office and its Mark of the Web mechanism, Azure, Dynamics Business Central, SQL Server, Hyper-V, and Remote Desktop Licensing Service.

Three are already being exploited in the wild. Here they are in descending order of severity:

Then there's CVE-2024-43491, a car crash that solely affects Windows 10 version 1507 first released in July 2015. While that version fell out of support in 2017 for its Pro, Home, Enterprise, Education, and Enterprise IoT editions, Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 remain in support; all are affected.

This bug is rated 9.8-out-of-10 in CVSS severity as, from what we can tell, it caused the operating system to silently undo previously applied updates and security patches for certain optional components, leaving them open to attack and other issues.

This is due to a programming error triggered by applying security updates released between March and August 2024 inclusively, we're told.

It appears that if you install a security update issued between those two months on Windows 10 version 1507, and then apply updates or security patches released since March 12, the OS gets mighty confused and reverts the updated software back to its base RTM – release to manufacturing – version, leaving the code unpatched and the computer at risk of attack. According to Microsoft, this rollback can happen to the following optional components:

Microsoft is treating this as an exploited-in-the-wild bug in that it previously issued patches for actively exploited bugs for those components, and these patches would have been removed by the bug.

"Starting with the Windows security update released March 12, 2024 - KB5035858 (OS Build 10240.20526), the build version numbers crossed into a range that triggered a code defect in the Windows 10 (version 1507) servicing stack that handles the applicability of optional components," as Microsoft so clearly put it.

"As a result, any optional component that was serviced with updates released since March 12, 2024 (KB5035858) was detected as 'not applicable' by the servicing stack and was reverted to its RTM version."

So does that mean if you applied, say, the March 2024 update, the operating system already undid fixes previously applied? Yes: "If you have installed any of the previous security updates released between March and August 2024, the rollbacks of the fixes for CVEs affecting [the] optional components have already occurred. To restore these fixes customers need to install the September 2024 Servicing Stack Update and Security Update for Windows 10."

Indeed, Microsoft says people should install both the servicing stack update KB5043936 and security update KB5043083, released this Patch Tuesday, in that order "to be fully protected from the vulnerabilities that this CVE rolled back." Users automatically applying updates will have got this already.
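As an added example (not Microsoft's or the article's own code), the following PowerShell check tells you whether a Windows 10 version 1507 host sits in the rolled-back state described above and whether the two September 2024 updates are present. It assumes both KBs are reported by Get-HotFix; the build number 10240 and the KB numbers are the ones quoted from Microsoft's advisory.

```powershell
# Reads the OS build from the standard Windows version key and checks for the
# September 2024 updates that restore the fixes rolled back by CVE-2024-43491.
$ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$ver.CurrentBuild   # 10240 is Windows 10 version 1507
$ubr   = [int]$ver.UBR            # Update Build Revision, e.g. 20526
Write-Host "OS build $build.$ubr"

if ($build -ne 10240) {
    Write-Host 'Not Windows 10 version 1507; CVE-2024-43491 does not apply to this host.'
    return
}

# KB5035858 (March 12, 2024) is OS Build 10240.20526. Per Microsoft, any update
# from that build through August 2024 triggered the servicing-stack rollback.
$inRolledBackRange = $ubr -ge 20526

$ssu = 'KB5043936'   # September 2024 Servicing Stack Update - install first
$lcu = 'KB5043083'   # September 2024 security update - install second

# Assumption: both updates appear as HotFixID values in Get-HotFix output.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing   = @($ssu, $lcu) | Where-Object { $installed -notcontains $_ }

if ($missing.Count -eq 0) {
    Write-Host 'September 2024 SSU and security update present; rolled-back component fixes restored.'
} elseif ($inRolledBackRange) {
    Write-Warning ("Updates from March-August 2024 are applied but {0} is missing; " +
                   "optional components may still be at their RTM version.") -f ($missing -join ' and ')
} else {
    Write-Host "Pre-March 2024 build; still install $($missing -join ' and ') in that order."
}
```

Run it in an elevated PowerShell session on each 1507 host; the registry read and Get-HotFix are both local, so no network access is required.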

There are more details here, and Microsoft warns that the update may break dual-boot systems that run Windows and Linux; a workaround is described there for those affected.

Moving on...

Here are the other bugs addressed by Microsoft this week.

Azure accounts for plenty of the worst bugs, including three elevation of privilege flaws (CVE-2024-38216, CVE-2024-38220, and CVE-2024-38194, all critical) in the Stack Hub that's used to run Microsoft's platform on-prem and Azure Web Apps.

Azure's Network Watcher VM Agent has a pair of similar escalation bugs (CVE-2024-38188 and CVE-2024-43470, both important), and there is a remote code execution issue (CVE-2024-43469, also important) in the platform's CycleCloud HPC orchestrator.

SharePoint Server has two critical flaws, CVE-2024-38018 and CVE-2024-43464, allowing attackers with Site Member and Site Owner permissions respectively to execute code remotely. There are 30 elevation of privilege flaws to choose from in this month's update that could be chained with these two, and Microsoft lists both critical flaws as "Exploitation more likely."

Another critical flaw, CVE-2024-38119, stems from a use-after-free remote code execution bug in the Windows Network Address Translation (NAT) code base. An attacker would have to be inside the network already to abuse this and Microsoft lists it as difficult to use and less likely to be exploited.

Users of Windows 11 version 21H2 or 22H2 should also remember that next patch Tuesday, October 8, will see support for their operating systems coming to an end for Home, Pro, Pro Education, and Pro for Workstations. If you're using automatic updates you'll be prompted to upgrade next month.

Adobe's low-priority patches

Patch Tuesday is not just Microsoft's party: Adobe has revealed 19 critical issues, 13 important, and three rated as moderate severity. ColdFusion 2021 and 2023 are vulnerable to a CVSS 9.8 issue stemming from deserialization of untrusted data that could allow arbitrary code execution.

Adobe has also popped patches for the Windows and macOS versions of Photoshop, Acrobat and Reader, Illustrator, After Effects, Premiere Pro, ColdFusion, Media Encoder, and Audition.

Adobe classified all of them as Priority 3, its lowest ranking, and reports that there are no exploits in the wild.

Intel suggests killing its RAID Web Console

After releasing 43 security advisories in August, Intel delivered just four this month, only one of which is high severity.

But one of those advisories addresses 11 CVEs related to “Potential security vulnerabilities in UEFI firmware [that] may allow escalation of privilege, denial of service or information disclosure.”

The CVEs cover a very extensive list of older mobile, PC and server chips, including Atom, 13th generation and earlier Core processors, and Xeon E5 v3 and prior platforms.

A patch is also out for CVE-2024-24968, which would allow denial of service attacks against the 13th generation of Intel Core processors (and earlier kit) in mobile, desktop and embedded hardware. Xeon D server chips and 3rd-gen scalable systems are also vulnerable.

Intel's Running Average Power Limit interface is vulnerable to CVE-2024-23984, the chipmaker warns, which would allow information disclosure, although only for a privileged user. The issue affects third-generation Xeon D and scalable chips and servers, workstations, and embedded systems.

There's also a warning that all RAID Web Console software is vulnerable to nine CVEs but Intel won't be issuing fixes since the product went end of life in March. Customers are advised to stop using the software and delete it from their systems.

SAP fixes, then fixes again

SAP has issued 19 security notes detailing 16 new patches and three updates to older fixes.

All the new security patches are medium severity or less with CVSS scores of six or below.

SAP has given the highest priority to fixing earlier issues. Top of its list is CVE-2024-41730 in the BusinessObjects Business Intelligence Platform, which has a CVSS score of 9.8, is rated highest by SAP, and was first issued last month. The new code extends cover to Release 420 of the Enterprise software component and includes details of a workaround for those that can't patch yet.

SAP’s only high priority note covers CVE-2024-33003, an information disclosure vuln in the Commerce Cloud platform with a CVSS of 7.4 that was also released in August. The latest software extends vulnerability coverage to Release 2211.28 of the platform.

CISA warns admins to check two Citrix issues

Citrix has issued high-severity fixes for two flaws in its Workspace app for Windows, affecting the current release before version 2405 and long-term releases before 2402 LTSR CU1.

CVE-2024-7889 is a privilege elevation flaw, rated CVSS 7.0, that would allow a local user to upgrade themselves to SYSTEM status because of improper resource handling by the code. CVE-2024-7890, rated CVSS 5.4, sorts out improper privilege management that could also lead to an attacker getting SYSTEM access. Both issues require local access to a target machine.

"A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system," the US security agency warned. "CISA encourages users and administrators to review the following and apply necessary update."

Ivanti irritations, again

CISA is also warning about vulnerabilities in Ivanti Endpoint Manager 2022 and 2024, Cloud Service Application 4.6, and Workspace Control 10.18.0.0 and below, months after it reported the software biz was leaving US chemical facilities vulnerable with previous security failings.

Endpoint Manager's problems are the most severe, with 16 CVEs named including a CVSS 10.0 issue that allows full remote code execution on EPM before 2022 SU6, or the 2024 September update, due to the agency portal mishandling untrusted data. Nine other critical CVSS 9.1 issues are also reported, as well as two high priority issues (including an RCE issue) and one medium flaw.

There's CVE-2024-8190 for all versions of Ivanti's Cloud Service Application 4.6 before patch 519, allowing a remote authenticated attacker to run code - but only if they have admin privileges. Workspace Control has six high-severity CVEs, all of which would allow locally authenticated users to upgrade their network privileges. ®

Updated to add on September 13

Ivanti says it's now seen exploitation of the CVE-2024-8190 flaw in the wild. "At the time of this update, we are aware of a limited number of customers who have been exploited," the vendor noted.

"Successful exploitation could lead to unauthorized access to the device running the CSA. Dual-homed CSA configurations with ETH-0 as an internal network, as recommended by Ivanti, are at a significantly reduced risk of exploitation."
