September Windows update patches critical security vulnerabilities
The September Windows update package appears less urgent than some recent ones, yet it still delivers crucial security fixes. Notably, one of the components being patched is Windows Update itself.
The most significant fix is the cumulative update for Windows 10, which addresses vulnerability CVE-2024-43491. This vulnerability stems from improper handling of optional components during the installation of the servicing stack update. The complexity of the Windows Update service and its local installer (TrustedInstaller) led to scenarios in which updates were applied incorrectly.
If it affected more systems, the problem would have been very serious (systems left with unpatched vulnerabilities even though the fixes had been installed). However, the bug in Windows Update only impacts the 2015 LTSB release, the oldest build of Windows 10, in the Enterprise edition. Interestingly, the automatic update client for Microsoft's Mac software also received a patch (CVE-2024-43492).
TCP/IP
Among the vulnerabilities being addressed, two flaws in TCP/IP stand out. These flaws allow control of the computer through the transmission of a malicious packet. A problem of this severity was recently found in the IPv6 implementation. Flaws in the network stack itself are dangerous and cannot be mitigated by a firewall that operates "higher up."
This time, however, the TCP/IP flaws (CVE-2024-21416 and CVE-2024-38045) involve non-standard configurations (the NetNAT service) in unusually configured networks and require detailed knowledge of the attacked system. They are therefore a much more minor issue than the "touch-free" hole in the IPv6 implementation.
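Both findings above come with a scoping condition a defender will want to check on each host: the Windows Update flaw applies only to the Windows 10 2015 LTSB build, and the TCP/IP flaws require the NetNAT service to be in use. The script below is an added example written for this page, not code from the article or from Microsoft. It assumes that Windows 10 Enterprise 2015 LTSB corresponds to OS build 10240 (the original 1507 release), that the NetNat module's Get-NetNat cmdlet and the WinNat service are available on the host, and it uses a placeholder for the cumulative update's KB number, which the article does not give; take the real number from the Microsoft Update Catalog for your build.

```powershell
# Added exposure check for the two conditions described in the article
# (constructed example, not from the article or Microsoft).
# Assumes Windows PowerShell 5.1 or later on a Windows host.

function Get-SeptemberPatchExposure {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Windows 10 Enterprise 2015 LTSB is the original 1507 release, OS build 10240
    # (assumed mapping; the article names the release, not the build number).
    # CVE-2024-43491 is described as affecting only this build.
    $isLtsb2015 = ($os.BuildNumber -eq '10240')

    # Placeholder: the article does not list KB numbers. Fill in the KB for your
    # build from the Microsoft Update Catalog before relying on this result.
    $expectedKb = 'KB<PLACEHOLDER>'
    $kbInstalled = [bool](Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object HotFixID -eq $expectedKb)

    # The TCP/IP flaws require a NetNAT configuration. Get-NetNat (NetNat module)
    # lists configured NAT instances; WinNat is the Windows NAT driver service.
    $nats = @()
    try {
        $nats = @(Get-NetNat -ErrorAction Stop)
    } catch {
        # No NetNat module, no permission, or no NAT configured: treat as none found.
        $nats = @()
    }
    $winNatRunning = (Get-Service -Name WinNat -ErrorAction SilentlyContinue).Status -eq 'Running'

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Caption         = $os.Caption
        BuildNumber     = $os.BuildNumber
        IsLtsb2015      = $isLtsb2015
        ExpectedKb      = $expectedKb
        ExpectedKbFound = $kbInstalled
        NetNatInstances = $nats.Count
        NetNatNames     = ($nats | ForEach-Object Name) -join ','
        WinNatRunning   = [bool]$winNatRunning
    }
}

# Usage: run elevated for complete NetNat output, then review the two flags.
Get-SeptemberPatchExposure | Format-List
```

Hosts reporting IsLtsb2015 as True with ExpectedKbFound as False are the ones the servicing-stack bug puts at risk; hosts with NetNatInstances greater than zero or WinNatRunning True are the only ones where the TCP/IP flaws' precondition is met. Note that Get-HotFix reports cumulative updates but not every servicing stack update, so a missing KB in its output should be confirmed against Windows Update history.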
Libarchive
Windows also received a fix related to the libarchive component, which provides RAR archive support (CVE-2024-43495). It was possible to execute code during the decompression of a malicious archive. Although the issue concerns libarchive, it seems to be limited to Windows. Libarchive itself released a new version in April.
Microsoft calculated the vulnerability metrics correctly this time, rating the attack vector as local rather than network because "a malicious file must be downloaded." This does not, however, mean the end of problems with Microsoft's vulnerability assessments: the hole in MMC, CVE-2024-38259, undoubtedly local, was described as potentially exploitable remotely.
The update for Windows 10 is 1.5 GB, for Windows 11 1.6 GB, and the set of fixes for the not-yet-officially-released version 24H2 is 1.1 GB. As usual, the largest update was prepared for Windows Server 2016. All patches are available in the Microsoft Update Catalog, but they will, of course, also be downloaded automatically by Automatic Updates.