Adobe Patches for September 2024

For September, Adobe released eight bulletins covering 28 CVEs in Adobe Acrobat and Reader, ColdFusion, Photoshop, Media Encoder, Audition, After Effects, Premiere Pro, and Illustrator. A total of seven of these bugs came through the ZDI program. If you’re prioritizing, I would look at the ColdFusion patch first. It corrects a single code execution bug rated at CVSS 9.8. It’s unusual to see patches for Acrobat and Reader in back-to-back months, but I guess these two Critical-rated bugs were late for last month’s release. The fix for Photoshop addresses five CVEs, four of which are rated Critical. The Illustrator patch fixes six bugs, four of them Critical code execution bugs. The update for Premiere Pro fixes one Critical and one Moderate bug. The fix for After Effects covers five bugs, including two from ZDI researcher Mat Powell. He’s also responsible for the Critical-rated bug in Audition. The final patch from Adobe covers five bugs in Media Encoder, two of which are rated Critical.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for September 2024

This month, Microsoft released 79 new CVEs in Windows and Windows Components; Office and Office Components; Azure; Dynamics Business Central; SQL Server; Windows Hyper-V; Mark of the Web (MOTW); and the Remote Desktop Licensing Service. Four of these vulnerabilities were reported through the ZDI program.

Of the patches being released today, seven are rated Critical, 71 are rated Important, and one is rated Moderate in severity. The size of this release tracks with the volume we saw from Redmond last month, but again, it’s unusual to see such a high number of bugs under active attack.

One of these CVEs is listed as publicly known, and four others are listed as under active attack at the time of release.
However, we at the ZDI think that number should be five. More on that later. Let’s take a closer look at some of the more interesting updates for this month, starting with the vulnerabilities currently being exploited:

CVE-2024-43491 – Microsoft Windows Update Remote Code Execution Vulnerability

This is an unusual bug. At first, it reads like a downgrade attack similar to the one discussed at Black Hat. However, it appears that this downgrade was introduced through updates to the Servicing Stack affecting Optional Components on Windows 10 systems. Admins will need to install both the servicing stack update (KB5043936) AND this security update (KB5043083) to fully address the vulnerability. It’s also interesting to note that while this particular bug isn’t being exploited in the wild, it allowed some of those Optional Components to be exploited. The only good news here is that only a portion of Windows 10 systems are affected. Check the write-up from Microsoft to see if you’re impacted, then test and deploy these updates quickly.

CVE-2024-38226 – Microsoft Publisher Security Feature Bypass Vulnerability

I’m always amazed by the ingenuity of attackers, be they red teamers or threat actors. Who would have thought to exploit macros in Microsoft Publisher? I had forgotten all about that program. But here we are. The attack involves specially crafted files being opened by affected Publisher versions. Obviously, an attacker would need to convince a target to open the file, but if they do, it will bypass Office macro policies and execute code on the target system.

CVE-2024-38217 – Windows Mark of the Web Security Feature Bypass Vulnerability

We’ve talked a lot about MoTW bypasses over the last several months, but it seems like there’s always more to say. This is one of two MoTW bypasses receiving fixes this month, but only this one is listed as under attack.
Microsoft provides no details about the attacks, but in the past, MoTW bypasses have been associated with ransomware gangs targeting crypto traders. This bug is also listed as publicly known, but no information is provided about that detail either.

CVE-2024-38014 – Windows Installer Elevation of Privilege Vulnerability

Here’s yet another privilege escalation bug that leads to SYSTEM being exploited in the wild. And not to conjure Xzibit memes, but I think it’s great when attackers put an extra installer in the Installer. Interestingly, Microsoft states that no user interaction is required for this bug, so the actual mechanics of the exploit may be odd. Still, privilege escalations like this are typically paired with a code execution bug to take over a system. Test and deploy this fix quickly.

CVE-2024-43461 – Windows MSHTML Platform Spoofing Vulnerability

This bug is similar to the vulnerability we reported that was patched back in July. The ZDI Threat Hunting team discovered this exploit in the wild and reported it to Microsoft back in June. It appears threat actors quickly bypassed the previous patch. When we told Microsoft about the bug, we indicated it was being actively used. We’re not sure why they don’t list it as being under active attack, but you should treat it as though it were, especially since it affects all supported versions of Windows.

Here’s the full list of CVEs released by Microsoft for September 2024: