TechSeptember Windows update patches critical security vulnerabilities

September Windows update patches critical security vulnerabilities

The September Windows update package appears less urgent than some recent ones, yet it still delivers crucial security fixes. Notably, one of the components being patched is Windows Update itself.

Windows Update
Windows Update
Images source: © GETTY | CFOTO

The most significant fix is the cumulative update for Windows 10, which addresses vulnerability CVE-2024-43491. This vulnerability stems from improper handling of optional components during the installation of the servicing stack update. The complexity of the Windows Update service and its local installer (TrustedInstaller) led to scenarios where applying updates was faulty.

If it affected more systems, the problem would have been very serious (unpatched vulnerabilities despite installed fixes). However, the bug in Windows Update only impacts version 2015 LTSB, the oldest compilation of Windows 10 in the Enterprise version. Interestingly, the automatic update client for Microsoft's Mac systems also received a patch (CVE-2024-43492).

TCP/IP

Among the vulnerabilities being addressed, two flaws in TCP/IP stand out. These flaws allow control of the computer through the transmission of a malicious packet. Recently, such a severe problem was related to IPv6. Flaws in the network stack itself are dangerous and cannot be mitigated by a firewall that operates "higher up."

This time, however, the TCP/IP flaws (CVE-2024-21416 and CVE-2024-38045) involve non-standard configurations (NetNAT service) in unusually behaving networks, requiring detailed knowledge of the attacked system. Therefore, it is a much more minor issue than the "touch-free" hole in the IPv6 implementation.

Libarchive

Windows also received a fix related to the libarchive component, which provides RAR archive support (CVE-2024-43495). It was possible to execute code during the decompression of a malicious archive. Although the issue concerns libarchive, it seems to be limited to Windows. Libarchive itself released a new version in April.

Microsoft correctly calculated the vulnerability metrics this time, describing it as local rather than network-based only because "a malicious file must be downloaded." However, this doesn’t mean the end of issues with Microsoft's vulnerability assessments, as the hole in MMC, CVE-2024-38259, undoubtedly local, was described as potentially exploitable remotely.

The update for Windows 10 weighs 1.5GB, for Windows 11 – 1.6GB, and the set of fixes for the yet-to-be-released official version 24H2 is 1.1GB. As usual, the largest update was prepared for Windows Server 2016. All patches are available in the Microsoft Update Catalog, but of course, they will be automatically downloaded by Automatic Updates.

Related content
© essanews.com
·

Downloading, reproduction, storage, or any other use of content available on this website—regardless of its nature and form of expression (in particular, but not limited to verbal, verbal-musical, musical, audiovisual, audio, textual, graphic, and the data and information contained therein, databases and the data contained therein) and its form (e.g., literary, journalistic, scientific, cartographic, computer programs, visual arts, photographic)—requires prior and explicit consent from Wirtualna Polska Media Spółka Akcyjna, headquartered in Warsaw, the owner of this website, regardless of the method of exploration and the technique used (manual or automated, including the use of machine learning or artificial intelligence programs). The above restriction does not apply solely to facilitate their search by internet search engines and uses within contractual relations or permitted use as specified by applicable law.Detailed information regarding this notice can be found  here.