Microsoft released critical security updates in the September 2024 Patch Tuesday update to address four remote code execution vulnerabilities and three elevation of privilege vulnerabilities. These vulnerabilities are considered critical as exploits are already in the wild.
Windows 11 version 24H2, set to be released later this year, will also receive the necessary patches, along with all current operating system releases. Users of new Copilot+ PCs are advised to apply the Patch Tuesday fixes to ensure their devices are fully protected.
One of the critical vulnerabilities, CVE-2024-38014, affects Windows Installer, allowing attackers to gain SYSTEM privileges and take control of the machine. Another critical flaw, CVE-2024-43491, impacts Windows Update functionality, enabling remote code execution.
Microsoft has also addressed CVE-2024-38018, a critical remote code execution vulnerability affecting Microsoft SharePoint Server. SharePoint admins may encounter issues that require additional workarounds after applying the patch.
Additionally, the Windows Network Address Translation (NAT) system has a remote code execution vulnerability (CVE-2024-38119) that requires network access for successful exploitation. Two critical privilege elevation flaws, CVE-2024-38216 and CVE-2024-38220, impact Azure Stack Hub, allowing unauthorized access to system resources.
Furthermore, an improper authorization vulnerability in Azure Web Apps may be exploited by authenticated attackers to elevate privileges over a network. The US Cybersecurity and Infrastructure Security Agency (CISA) has urged users to patch all critical Windows vulnerabilities by 1 October 2024.