Source URL: https://www.theregister.com/2024/09/11/patch_tuesday_september_2024/
Source: The Register
Title: Microsoft says it broke some Windows 10 patching – as it fixes flaws under attack
Feedly Summary: CISA wants you to leap on Citrix and Ivanti issues. Adobe, Intel, SAP also bid for patching priorities
Patch Tuesday Another Patch Tuesday has dawned, as usual with the unpleasant news that there are pressing security weaknesses and blunders to address.…
AI Summary and Description: Yes
**Summary:**
The text highlights critical vulnerabilities disclosed in the latest Microsoft Patch Tuesday, affecting various products including Windows, Office, and Azure. It details specific CVEs (Common Vulnerabilities and Exposures) that are actively being exploited, along with their severity ratings. This information is crucial for security professionals, as it informs them of current threats and necessary updates to maintain the security of their systems.
**Detailed Description:**
The information presented in this text is significant for professionals in security, privacy, and compliance, notably in the domains of infrastructure and software security. The following areas are covered:
– **Patch Tuesday Overview**:
– Microsoft released updates to address over 70 security flaws across its product line.
– Notable vulnerabilities are classified with CVSS (Common Vulnerability Scoring System) scores indicating the severity of the issues.
– **Active Exploits**:
Several of the fixed bugs were already under attack when the updates shipped:
– **CVE-2024-38014**: Elevation of privilege in Windows Installer (CVSS score: 7.8). A local attacker who exploits it gains SYSTEM privileges, and Microsoft flagged it as exploited in the wild.
– **CVE-2024-38226**: Security feature bypass in Microsoft Publisher affecting Office 2016, 2019 and 2021 (CVSS score: 7.4). It defeats the Office policies that block macros in untrusted documents, so a crafted Publisher file delivered by mail or download can carry macros that should have been blocked.
– **CVE-2024-38217**: Bypass of Mark of the Web (MotW), the Zone.Identifier tag that Windows attaches to files downloaded from the Internet (CVSS score: 5.4). SmartScreen and Office Protected View key off that tag, so a file that reaches the user without it skips those checks; the low score understates how often this class of bypass turns up in phishing chains.
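Added example, not code from the article or from Microsoft: a PowerShell helper that inventories the Mark of the Web tag (the Zone.Identifier alternate data stream) on files in a folder and flags those that carry no tag, or a zone below Internet, which is exactly the state a MotW bypass such as CVE-2024-38217 aims to produce. The folder path is an assumption; point it at wherever untrusted files land.

```powershell
# Added example (not from the article): inventory Mark of the Web (MotW) tags on files
# in a folder. MotW is the Zone.Identifier alternate data stream that browsers and
# mail clients attach to downloaded files; SmartScreen and Office Protected View
# key off ZoneId 3 (Internet) or 4 (Restricted). A file that reaches the user with
# no stream, or with a ZoneId below 3, gets none of those checks, which is what a
# MotW bypass achieves. Requires NTFS; the folder path below is an assumption.

$ZoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$Path)
    $result = [ordered]@{
        Path = $Path; HasMotw = $false; ZoneId = $null; Zone = 'None'; HostUrl = $null; ReferrerUrl = $null
    }
    try {
        # -Stream reads the NTFS alternate data stream; Get-Content throws if it is absent
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return [pscustomobject]$result
    }
    $result.HasMotw = $true
    # The stream is an INI fragment: [ZoneTransfer] / ZoneId=3 / ReferrerUrl=... / HostUrl=...
    foreach ($line in $lines) {
        if     ($line -match '^\s*ZoneId\s*=\s*(\d+)')     { $result.ZoneId      = [int]$Matches[1] }
        elseif ($line -match '^\s*HostUrl\s*=\s*(.+)$')     { $result.HostUrl     = $Matches[1].Trim() }
        elseif ($line -match '^\s*ReferrerUrl\s*=\s*(.+)$') { $result.ReferrerUrl = $Matches[1].Trim() }
    }
    if ($null -ne $result.ZoneId -and $ZoneNames.ContainsKey($result.ZoneId)) {
        $result.Zone = $ZoneNames[$result.ZoneId]
    } elseif ($null -ne $result.ZoneId) {
        $result.Zone = "Unknown($($result.ZoneId))"
    }
    return [pscustomobject]$result
}

$Folder = "$env:USERPROFILE\Downloads"   # assumption: where untrusted files arrive

Get-ChildItem -LiteralPath $Folder -File -Recurse |
    ForEach-Object { Get-MotwInfo -Path $_.FullName } |
    # The interesting rows: no tag at all, a tag without a parseable ZoneId, or a zone
    # that SmartScreen and Protected View treat as trusted
    Where-Object { -not $_.HasMotw -or $_.ZoneId -lt 3 } |
    Format-Table Path, HasMotw, ZoneId, Zone, HostUrl -AutoSize
```

Run it against a quarantine or downloads folder after a phishing report: a document that arrived by mail or browser and shows `HasMotw = False` has either been extracted from a container that does not propagate the stream or has had the tag stripped, and either way it would have opened without Protected View.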
– **Specific Vulnerability Details**:
– **CVE-2024-43491**: Extremely high severity (CVSS 9.8), a remote code execution flaw in Windows Update. It affects Windows 10 version 1507, the original 2015 release that is still serviced as Enterprise 2015 LTSB and IoT Enterprise 2015 LTSB: on those systems the servicing stack rolled back earlier fixes for some optional components, quietly re-exposing vulnerabilities that had already been patched.
– Microsoft's remediation is to install the September 2024 servicing stack update and then the September 2024 cumulative update, in that order; the rolled-back fixes are restored only once both are on.
– **Azure and Other Software Vulnerabilities**:
– Azure services also received fixes, including elevation of privilege and remote code execution flaws rated critical.
– Adobe, Intel and SAP published their own advisories in the same cycle, with severity ratings and remediation guidance.
– **Deployment and Follow-up Actions**:
– Apply the updates promptly and in the order Microsoft specifies: the servicing stack update (SSU) first, then the cumulative update. The cumulative update depends on the new servicing stack, and it is the cumulative update that puts the rolled-back fixes back.
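Added example, not code from the article or from Microsoft: a PowerShell check that tells you whether a host is on the build CVE-2024-43491 affects and, if so, whether the servicing stack update and cumulative update are both in place. The KB numbers and the build revision are assumptions taken from Microsoft's advisory for the CVE rather than from this page; confirm them against the current advisory before acting on the output, and run the script in an elevated PowerShell.

```powershell
# Added example (not from the article): check whether this Windows 10 host is on the
# build that CVE-2024-43491 affects and whether the two September 2024 updates are
# present. The KB numbers and revision below are assumptions taken from Microsoft's
# advisory for the CVE; confirm them against the advisory before trusting the result.

$AffectedBuild = 10240        # Windows 10 version 1507 (Enterprise 2015 LTSB / IoT Enterprise 2015 LTSB)
$SsuKb         = 'KB5043936'  # assumed: September 2024 servicing stack update, must go on first
$LcuKb         = 'KB5043083'  # assumed: September 2024 cumulative update, goes on after the SSU
$FixedUbr      = 20766        # assumed: revision (UBR) that the September cumulative update brings 1507 to

function Get-WindowsBuildInfo {
    # CurrentBuild and UBR together give the full OS build, e.g. 10240.20766
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ProductName  = $cv.ProductName
        CurrentBuild = [int]$cv.CurrentBuild
        UBR          = [int]$cv.UBR
    }
}

function Test-Cve202443491Remediation {
    $build = Get-WindowsBuildInfo
    $full  = "$($build.CurrentBuild).$($build.UBR)"
    if ($build.CurrentBuild -ne $AffectedBuild) {
        return [pscustomobject]@{ Affected = $false; Build = $full; State = 'Not version 1507; CVE-2024-43491 does not apply' }
    }
    # Get-HotFix reads Win32_QuickFixEngineering. Cumulative updates are listed there;
    # servicing stack updates are not always, so the UBR is the authoritative signal
    # that the cumulative update actually applied (it cannot apply without the SSU).
    $installed  = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $ssuPresent = $installed -contains $SsuKb
    $lcuApplied = ($installed -contains $LcuKb) -or ($build.UBR -ge $FixedUbr)
    $state = if ($lcuApplied) { 'Remediated: SSU and cumulative update are in place' }
             elseif ($ssuPresent) { "SSU present; install $LcuKb next" }
             else { "Not remediated; install $SsuKb, then $LcuKb" }
    [pscustomobject]@{
        Affected   = $true
        Build      = $full
        SsuListed  = $ssuPresent
        LcuApplied = $lcuApplied
        State      = $state
    }
}

Test-Cve202443491Remediation | Format-List
```

Pushed through your management tooling, the `State` field gives a fleet-wide view of which LTSB hosts are still carrying the rolled-back fixes; a host that reports `Affected = $true` with `LcuApplied = $false` should be treated as missing every fix the rollback reverted, not just this one CVE.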
– **Regulatory and Governance Implications**:
– Timely patching is an explicit expectation of most data-protection and cyber-security regimes, so tracking and applying these updates produces compliance evidence as well as reducing risk.
– **CISA Warnings**:
– The US Cybersecurity and Infrastructure Security Agency (CISA) urged organizations to act on vulnerabilities in widely used software, naming Citrix and Ivanti products in particular, which reinforces the need for continuous risk assessment.
**Key Insights for Professionals**:
– Several of these bugs were exploited before the fixes shipped, so the window between release and deployment is the exposure that matters; patch on release, not on the next maintenance cycle.
– Timely updates are also what auditors look for when checking that sensitive data is protected.
– Security patches are a core part of an organization's information security strategy, and CISA's advisories underline that protecting shared infrastructure is a shared responsibility.
By keeping abreast of these developments, security professionals can better safeguard their organizations against prevalent and emerging threats.