September 10, 2024

Microsoft Corp. today released updates to fix at least 79 security vulnerabilities in its Windows operating systems and related software, including multiple flaws that are already showing up in active attacks. Microsoft also corrected a critical bug that has caused some Windows 10 PCs to remain dangerously unpatched against actively exploited vulnerabilities for several months this year.

By far the most curious security weakness Microsoft disclosed today has the snappy name of CVE-2024-43491, which Microsoft says is a vulnerability that led to the rolling back of fixes for some vulnerabilities affecting “optional components” on certain Windows 10 systems produced in 2015. Those include Windows 10 systems that installed the monthly security update for Windows released in March 2024, or other updates released until August 2024.

Satnam Narang, senior staff research engineer at Tenable, said that while the phrase “exploitation detected” in a Microsoft advisory normally implies the flaw is being exploited by cybercriminals, it appears to be labeled this way for CVE-2024-43491 because the rollback of fixes reintroduced vulnerabilities that were previously known to be exploited.

“To correct this issue, users need to apply both the September 2024 Servicing Stack Update and the September 2024 Windows Security Updates,” Narang said.

Kev Breen, senior director of threat research at Immersive Labs, said the root cause of CVE-2024-43491 is that on specific versions of Windows 10, the build version numbers that are checked by the update service were not properly handled in the code.

“The notes from Microsoft say that the ‘build version numbers crossed into a range that triggered a code defect’,” Breen said. “The short version is that some versions of Windows 10 with optional components enabled were left in a vulnerable state.”
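The advisory only says that build numbers "crossed into a range that triggered a code defect." As an added illustration (not Microsoft's code, and not the actual defect), the block below constructs one way such a defect can arise, comparing dotted build strings as text instead of numbers, and pairs it with the defender-side check that matters here: an audit that flags any component whose installed version has fallen below the version a previously applied security update is known to have set. All component names and version values are invented for the demonstration.

```python
"""Constructed example: a version-comparison defect and a rollback audit.

The buggy check compares build strings as text, so a revision that crosses
from four digits to five sorts *lower* and an installed fix looks missing.
The audit helper is the check a defender wants after an incident like the
one described: has any component regressed below its patched baseline?
"""
from typing import Dict, List, Tuple


def build_key(version: str) -> Tuple[int, ...]:
    """Split '10.0.10240.20766' into (10, 0, 10240, 20766) for numeric compare."""
    return tuple(int(part) for part in version.split("."))


def buggy_is_at_least(installed: str, required: str) -> bool:
    """Hypothetical defective check: plain string comparison.
    '10.0.10240.20766' < '10.0.10240.9999' as text because '2' < '9'."""
    return installed >= required


def is_at_least(installed: str, required: str) -> bool:
    """Correct check: compare each dotted field as an integer."""
    return build_key(installed) >= build_key(required)


def audit_rollbacks(inventory: Dict[str, str],
                    patched_baseline: Dict[str, str]) -> List[str]:
    """Return components whose installed version is below the version a
    previously applied security update is known to have set (a rollback)."""
    return sorted(
        name for name, required in patched_baseline.items()
        if name in inventory and not is_at_least(inventory[name], required)
    )


# Constructed sample: three "optional components" on a 2015-era build 10240
# machine. The revision numbers are invented, not real update versions.
PATCHED_BASELINE = {
    "component_a": "10.0.10240.20500",
    "component_b": "10.0.10240.20500",
    "component_c": "10.0.10240.20500",
}
INVENTORY = {
    "component_a": "10.0.10240.20766",  # above baseline: fine
    "component_b": "10.0.10240.20500",  # exactly at baseline: fine
    "component_c": "10.0.10240.19000",  # below baseline: rolled back
}

if __name__ == "__main__":
    print("buggy check:", buggy_is_at_least("10.0.10240.20766", "10.0.10240.9999"))
    print("fixed check:", is_at_least("10.0.10240.20766", "10.0.10240.9999"))
    print("rolled back:", audit_rollbacks(INVENTORY, PATCHED_BASELINE))
```

The buggy check returns False for a version that is numerically newer, which is the kind of wrong "not applicable" answer that can lead an updater to leave or put a component at an older, vulnerable level; the audit returns only component_c.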

Zero Day #1 this month is CVE-2024-38226, and it concerns a weakness in Microsoft Publisher, a standalone application included in some versions of Microsoft Office. This flaw lets attackers bypass Microsoft’s “Mark of the Web,” a Windows security feature that marks files downloaded from the Internet as potentially unsafe.

Zero Day #2 is CVE-2024-38217, also a Mark of the Web bypass affecting Office. Both zero-day flaws rely on the target opening a booby-trapped Office file.

Security firm Rapid7 notes that CVE-2024-38217 has been publicly disclosed via an extensive write-up, with exploit code also available on GitHub.

According to Microsoft, CVE-2024-38014, an “elevation of privilege” bug in the Windows Installer, is also being actively exploited.

June’s coverage of Microsoft Patch Tuesday was titled “Recall Edition,” because the big news then was that Microsoft was facing a torrent of criticism from privacy and security experts over “Recall,” a new artificial intelligence (AI) feature of Redmond’s flagship Copilot+ PCs that constantly takes screenshots of whatever users are doing on their computers.

At the time, Microsoft responded by suggesting Recall would no longer be enabled by default. But last week, the software giant clarified that what it really meant was that the ability to disable Recall was a bug/feature in the preview version of Copilot+ that will not be available to Windows customers going forward. Translation: New versions of Windows are shipping with Recall deeply embedded in the operating system.

It’s pretty rich that Microsoft, which already collects an insane amount of information from its customers on a near constant basis, is calling the Recall removal feature a bug, while treating Recall as a desirable feature. Because from where I sit, Recall is a feature nobody asked for that turns Windows into a bug (of the surveillance variety).

When Redmond first responded to critics about Recall, they noted that Recall snapshots never leave the user’s system, and that even if attackers managed to hack a Copilot+ PC they would not be able to exfiltrate on-device Recall data.

But that claim rang hollow after former Microsoft threat analyst Kevin Beaumont detailed on his blog how any user on the system (even a non-administrator) can export Recall data, which is just stored in an SQLite database locally.

As it is apt to do on Microsoft Patch Tuesday, Adobe has released updates to fix security vulnerabilities in a range of products, including Reader and Acrobat, After Effects, Premiere Pro, Illustrator, ColdFusion, Adobe Audition, and Photoshop. Adobe says it is not aware of any exploits in the wild for any of the issues addressed in its updates.

Seeking a more detailed breakdown of the patches released by Microsoft today? Check out the SANS Internet Storm Center’s thorough list. People responsible for administering many systems in an enterprise environment would do well to keep an eye on AskWoody.com, which often has the skinny on any wonky Windows patches that may be causing problems for some users.

As always, if you experience any issues applying this month’s patch batch, consider dropping a note in the comments here about it.


28 thoughts on “Bug Left Some Windows PCs Dangerously Unpatched”

  1. Retired Geek

    I have an older Win10 PC that cannot run Win 11. I have not yet tried to install this month’s updates. What is the fastest way to install these monthly updates from Microsoft? It takes me at least 2 or 3 hours each month, not including time to backup the system.

    1. Mikey J

      I’m in the same “boat” Retired Geek. NO WAY to expedite the updates’ download time even with the bestest, fastest router, modem, ISP (mine’s COX), etc., and, depending on the size of the “update files” 2-3 hours is pretty typical on our old “dinosaurs”. W10’s “longevity” (M$ $upport) expires October, 2025. Time for a new PC for me. No guarantee that Micro$oft fails will EVER go away but for now…..I know…..sheesh……feeling your pain…..get EVERYTHING backed-up first as always.

      1. Lyndon G

        > W10’s “longevity” (M$ $upport) expires October, 2025. Time for a new PC for me.

        I’ve been wondering whether we can replace Windows with Linux and save the cost of all new machines. I bought a refurbished Toshiba laptop from eBay for $100-$150 and installed Ubuntu on it. I have a few weird issues. The onscreen keyboard kept popping up, but I found a Gnome extension that disabled it. When I wake up the computer, the mouse cursor won’t move until I click. But otherwise it seems to work well so far. I installed an unofficial compatibility layer someone published to run Minecraft Bedrock on Linux, and that’s been the computer’s primary use ever since.

    2. MrUpdate

      Manually download and install the latest SSU (servicing stack) and CU (cumulative update) from the update catalog, make sure you have the right build and architecture.
      However, Windows makes it extremely difficult to disable update checking entirely, even with group policy; the Windows Update service WILL maliciously start itself after explicitly disabling it.

  2. Mike Butash

    Stop installing by default Adobe anything, Oracle Java, all that garbage of the last era, and do yourself a favor. At least Flash died eventually.

    If users need them, find out why, and point them at a better or open-source solution.

    Better yet, stop installing windows.

    1. Wannabe Techguy

      “Better yet, stop installing windows”. Best advice yet. I got off that mess in 2012.

    2. Scott Barning

      I would love to stop installing Windows, but unfortunately it is functionally impossible to move away from it in certain business environments at this point in time.

      Read: Any business that’s dependent on AutoDesk, Adobe, or Intuit products. Which you’ll find is a STAGGERING percentage of the businesses out there.

  3. mealy

    There will surely be a way to disable Recall whether M$ agrees to allow it or not, and just as surely they will be locked in a monthly arms race against the user base in trying to re-force it on them, just like they did W11 itself. Bastards.

    1. Maxax

      They’ll certainly have to offer some setting to disable it for EU users.
      For other users: no luck, you just have to “format C:” and install some other decent OS.

    1. Julian N

      Fully agree – with the added bonus, certainly on my fully hardware compliant Windows 11 machine, it is more stable.

      Now I restart the machine when I patch a new kernel – I do not have crashes every 2 or 3 days.

  4. Ted D

    I have several older computers (because I’m cheap). Maxing out memory and changing to an SSD help considerably. I installed Linux Mint on a Late 2010 MacBook Air (inherited from my wife), and so far, it’s working very nicely.

  5. santa claus

    mac pc, parallels, windows – “…better ingredients, better pizza…”

  6. Ron

    I do not want Copilot or Recall
    Who asked for this?
    Our devices are just a monitoring device for the STATE

  7. JohnIL

    Was running Windows 10 on an older 8th gen Intel desktop, but decided since I could upgrade to Windows 11 I did. I figure Microsoft considers Windows 10 a sort of legacy release now and could care less and less about fixing it. I am not exactly thrilled with Windows 11, but it’s got most of Microsoft’s attention these days.

  8. Lynn Sattler

    For those feeling stuck on older hardware still running windows 10 because of Microsoft’s hardware requirements, be aware that you can upgrade to windows 11 fully legally and without breaking any Microsoft rules.

    I did this on a 10 year old I3 machine with 6gb of ram a few months ago. Windows updates automatically continue to run just fine monthly and windows defender updates come through nearly daily just fine also. The only downside I am aware of is that once you upgrade to let’s say windows 23h2, windows will not automatically try to take the machine to windows 24h2 when it comes out. You will need to do that type of upgrade manually using these same instructions. Microsoft is supporting windows 11 sub releases (like win11 23h2) for 2 years after they come out.

    My memory is there are 2 requirements to do the upgrade: at least tpm ver 1 and a uefi boot machine (not a master boot machine)

    Here is where I got the instructions:
    https://dongknows.com/steps-for-windows-11-upgrade-on-unsupported-hardware/

    Here are my notes on what I did and where I got good information:
    https://lsattle.wordpress.com/2024/09/11/windows-11-upgrading-older-hardware-to-windows-11-and-not-braking-any-rules/

    1. Fr00tL00ps

      Thank you Lynn, Bravo. This is an excellent post and should be pinned to the top so it gets more attention. These resources/links pretty much cover everything you need to know to get Win 11 running on older hardware particularly those on a tight budget who possess a DIY mindset. It is not hard, just follow the instructions.
      For context I refuse to replace my Mother’s 12 year old Asus N53SV laptop (2nd Gen i5 & 8GB RAM). It was purchased with Vista and over the years has since had Win 7, Win 10 and currently Win 11 and Office 2007 installed, all with the same product key/s. The only hardware mods it has received are 4GB extra RAM, an SSD and a USB wifi adapter prior to the Win 10 fresh install, and it has never missed a beat.
      Admittedly I am an IT professional and she has very basic needs ie. email, social media and solitaire, but regardless it is still possible. Even paying your local IT technician would be cheaper than purchasing a new machine.
      Some other points to consider which aren’t mentioned in your links:
      * Win 11 is resource hungry so adding extra RAM would be a benefit.
      * Likewise, replace/upgrade the OS HDD to an equivalent SSD.
      * Disconnect the internet cable/wifi connection prior to install. This will force Windows to create a local user account to log in rather than signing in with a Microsoft account, which you DO NOT need.
      * Once logged in, change two power settings:
      a. create a custom power profile and set it to high performance (Microsoft’s default settings may cause performance issues on older hardware)
      b. disable fast startup (caching previous sessions can be a security issue, and if you have an SSD there will be negligible gain)
      * Chris Titus Tech’s Windows Utility is an amazing open source tool for home users and it costs nothing. A single PowerShell command allows you to: bulk install/update all your commonly used standard software via Winget; debloat all your unwanted Microsoft crapware/telemetry/utilities; tweak many hard to find settings such as Windows updates and repositioning the start button. Watch videos at these links:
      https://christitus.com/windows-tool/
      https://christitus.com/windows-utility-improved/

    2. RK

      ” Windows updates automatically continue to run just fine monthly and windows defender updates come through nearly daily just fine also.”
      That is the issue I had been wondering about. This is the first time I’ve heard any confirmation that patch Tuesday updates still come through. So, I guess the question is, will MS continue to do that? You would think so, but I believe they have been mum about it.

      There is another option if one wishes to keep W10. 0patch promises to “security adopt” W10 for at least 5 years beyond Oct 2025. The service runs about $25/year which is way cheaper than a new computer. They are continuing to support W7, AND Office 2013 and 2010. https://blog.0patch.com/2024/06/long-live-windows-10-with-0patch.html
      This is what I am intending to do. It would be nice to have a newer, more security hardened CPU, but they’re finding vulnerabilities in those, too. So I’m planning to hang tight with my current machine for the foreseeable future.

      As far as Linux, yes that is an option, but it’s not for everybody or every situation.

    3. OldNavyGuy

      The problem is that folks don’t know if Microsoft will shut that down at some point in the future.

      If we go past EOL on Windows 10, we’ll subscribe to 0patch for updates.

      Otherwise, we’ll purchase new hardware when we’re ready to upgrade to Windows 11.

      1. mealy

        You’ve seen the “downgrading” attacks where “updates” are basically removed so the vuln reemerges, right? How can we be sure 0patch is not similarly susceptible to such a vector? Or that updates themselves won’t contain some additional vulns or sideloading beyond what M$ set out with initially? Lastly, what country does 0patch operate out of, do you know? It’s kind of a leap of faith even for someone who foolishly trusted M$.

  9. Frank Wiltshire

    “Some versions” – more like one version and millions of computers.
    Only by the Grace of God didn’t the world stop.

  10. Harpy

    As soon as Windows kicks me off 10 I’m moving over to Linux. I’m tired of their spyware, bloatware and complete disregard for their customers’ wishes.

  11. Giving Recall the Boot

    Brian,
    Thank you very much for all your articles. I especially appreciate this one and the June “Recall Edition” because they represent a tipping point for me to make the move to Apple. I have used Microsoft Windows PCs in the workplace from the beginning of my career some 40 years ago when the IBM PC first came out. I have also bought and used Microsoft Windows PCs and Microsoft Office software for home use, because it was easy to use the same tools in both places. But the outrageous act by Microsoft of embedding Recall with screen capture in the ways you describe grossly violates my sense of computer security and my careful protection of home PCs. It sounds like they want to collect masses of data for feeding their AI, regardless of my need to keep the most sensitive information private. They go too far for me this time. I will bite the porting bullet and learning curve and plan on moving out of their reach.

  12. Felipe LR

    Well, so far I have not had any problems with Windows 11. I currently use Kaspersky as an antivirus and the truth is that it has worked well for me. I hope nothing serious happens at some point.

  13. Tim

    Imagine the wailing, screaming, and gnashing of teeth when Russia (First, probably), then the CCP, find out how to exfiltrate the images from MS Recall, and start posting them online!

  14. Catwhisperer

    Well, I’m glad cell phone manufacturers and app developers didn’t follow this route, of only really supporting one operating system… {sound of insane cackling in background}
