Addressing four zero-days flaws (CVE-2024-38014, CVE-2024-38217, CVE-2024-43491, and CVE-2024-38217), this month’s Patch Tuesday release from Microsoft includes 79 updates to the Windows platform. No updates were issued for Microsoft Exchange Server or the company’s development tools like Visual Studio or .NET. Microsoft also remedied a recently exploited vulnerability in Microsoft Publisher by introducing two critical updates along with nine important patches for Microsoft Office.
Comprehensive testing is advised for this month’s Microsoft SQL Server patches, which impact both server and desktop components, particularly applications installations due to alterations in how Microsoft Installer manages modifications and installation reversals.
The team at Readiness has developed a helpful infographic that illustrates the risks linked with each update.
Microsoft consistently provides a list of known issues pertaining to the operating systems and platforms covered in each update, including the following two minor issues for September:
Due to recent changes to Windows Installer, User Account Control (UAC) does not prompt for credentials on application installation repairs. Once this update (September 2024) has been installed, UAC will again prompt properly. Your scripts will need to be updated if you have not already accounted for this change.
Though Microsoft has provided documentation on avoiding the issue by disabling this feature in UAC, we think this is a much-needed change and recommend following this latest best practice.
This month, Microsoft published the following major revisions to past security and feature updates, including:
Unusually, we have a patch revision that is not strictly documentation related. This month, it’s CVE-2024-38063 (Windows TCP/IP Remote Code Execution Vulnerability). Unlike other revisions, this latest version of a critical network patch will require testing as if it were a new update. System administrators need to take this latest patch revision seriously and test before (re)deployment.
Testing guidelines
Each month, the Readiness team conducts a thorough analysis of the updates released on Patch Tuesday. They provide comprehensive testing recommendations that are informed by the examination of a broad application inventory and an in-depth review of each patch and its likely effects.
For September, we have organized the essential updates and the related testing tasks into distinct product and functionality categories, as follows:
Several significant updates were released for the Microsoft SQL Server platform by Microsoft, impacting both Windows desktop environments and SQL Server configurations.
Due to the nature of this September SQL Server update, we highly recommend testing the patch itself and the patching process—with a focus on the patch REMOVAL process. We understand that this will require time, skill, and effort—but it will be preferable to a full restore from backup.
This month, Microsoft emphasized security enhancements in networking and memory handling with several updates to Windows:
There has been an important update to the MSI Installer (application installer) sub-system that necessitates application installation level testing for parts of your portfolio. This update alters how shell links are managed in the storage subsystem, possibly affecting redirected folders or shortcuts in unexpected ways during installations—especially in secure or restricted environments.
We recommend that installations, rollbacks, un-installations, and UAC checks be thoroughly validated this month. A good practice is to verify “zero” exit codes in the MSI Installer log entries.
This section includes crucial updates on service modifications, major feature reductions, and security enhancements for Windows desktop and server platforms.
This month, Microsoft has not released any mitigations or workarounds.
Monthly updates are categorized into product families (as per Microsoft’s definition) with these basic classifications:
The synchronization of updates for Microsoft’s Edge browser with Patch Tuesday has ceased. There are multiple updates to the Chromium-based version of Microsoft’s browser targeting certain reported vulnerabilities:
Once we complete the Microsoft updates, we can turn our attention to the Chromium patches:
Upon evaluating the potential compatibility issues arising from these updates, it appears that neither the Edge update nor the Chromium changes should pose significant concerns for most enterprise deployments. Include these browser updates in your regular deployment cycle.
Windows
Microsoft has rolled out two critical updates for the Windows platform (CVE-2024-38119 and CVE-2024-43491) along with 43 other patches deemed important. The updates have affected various Windows features.
The real concern is that three of these vulnerabilities (CVE-2024-38014, CVE-2024-38217, CVE-2024-43491) have been reported as exploited. Additionally, another vulnerability in the Windows HTML subsystem (CVE-2024-38217) has been publicly disclosed. Given these four zero-days, we recommend incorporating these Windows updates into your Patch Now release schedule.
Microsoft addressed two critical vulnerabilities in the SharePoint platform (CVE-2024-38018 and CVE-2024-43464) that demand immediate action. Additional updates, rated important, affect Microsoft Office, Publisher, and Visio. Notably, CVE-2024-38226, impacting Publisher, has been reported as exploited in the wild. If Publisher is not part of your application portfolio, consider adding these updates to your regular patching cycle.
This month also sees a substantial update to the Microsoft SQL Server platform with fifteen updates, all rated as important. No public disclosures or active exploits have been reported yet. These patches address a wide range of vulnerabilities:
Given the significant testing profile required this month, impacting both server and desktop systems, we suggest including these SQL Server patches in your standard release schedule.
No updates have been made to any development tools or features (such as Microsoft Visual Studio or .NET) this month.
This month, there’s a change in how updates are handled for Adobe Reader. Typically, Microsoft incorporates an Adobe Reader update within their updates for Windows, but not this time.
Adobe Reader has received an update (APSB24-70), yet it was not included in Microsoft’s rollouts. The latest update for Adobe Reader fixes two critical memory-related security issues and should be integrated into your routine application update processes.
Hudson Valley Host is premier provider of cutting-edge hosting solutions, specializing in delivering a seamless online experience for businesses and individuals. We offer a comprehensive range of hosting services, including Shared Hosting, VPS, Dedicated Servers, and Colocation. With 24/7 technical support, robust security measures, and user-friendly control panels, we empower clients in managing their online presence effortlessly. Hudson Valley Host is your trusted partner in achieving online success.
For Inquiries or to receive a personalized quote, please reach out to us through our contact form here or email us at sales@hudsonvalleyhost.com.
