September 10, 2024, marked another Patch Day—the second Tuesday of the month when Microsoft rolls out its security updates for Windows. This latest update addresses 79 security vulnerabilities, with the majority categorized as “critical” or “high risk.” Notably, four of these vulnerabilities are already being exploited in the wild, underscoring the urgency to apply these updates promptly.
The vulnerabilities span multiple Windows versions, including Windows 10, Windows 11, and Windows Server, with a total of 67 issues reported for these systems. Windows 7 and 8.1 no longer appear in the security reports at all; being absent from the list does not mean they are unaffected, since out-of-support systems simply receive no fixes. If possible, consider upgrading to Windows 10 (22H2) or Windows 11 (23H2) to keep receiving security updates; Windows 11 is the preferred choice, as Windows 10 support will end in 2025.
The update also includes improvements for Windows 11 24H2, which is currently being tested with Insiders but is not yet available to the public. Users still on Windows 11 22H2 should upgrade to 23H2 to avoid a forced update later, as Windows 11 22H2 will receive its final security update on October 8, 2024.
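A quick way to check whether a machine is on one of the release lines named above, and whether a given update has landed, is to read the version keys Windows keeps in the registry and list installed hotfixes. The script below is an added example written for this page, not Microsoft's own tooling; it assumes the standard `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion` keys and the built-in `Get-HotFix` cmdlet, and the 22H2 end-of-support date is the one stated in the text. Any KB number you pass in is a placeholder you supply yourself.

```powershell
# Added example: report the Windows release line and flag Windows 11 22H2,
# whose last security update is 8 October 2024 according to the article.
param(
    # Placeholder: the KB article number of the update you want to confirm, if any.
    [string]$ExpectedKB = ''
)

$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# ProductName says "Windows 10 ..." even on Windows 11; builds >= 22000 are Windows 11.
$build   = [int]$cv.CurrentBuild
$ubr     = [int]$cv.UBR                       # update build revision, bumped by each cumulative update
$release = $cv.DisplayVersion                 # e.g. 22H2, 23H2
$family  = if ($build -ge 22000) { 'Windows 11' } else { 'Windows 10' }

[pscustomobject]@{
    Family      = $family
    Release     = $release
    Build       = "$build.$ubr"
    Assessment  = switch ("$family $release") {
        'Windows 11 22H2' { 'Final security update on 2024-10-08; move to 23H2 before then' }
        'Windows 11 23H2' { 'Supported release line' }
        'Windows 10 22H2' { 'Supported until Windows 10 end of support in 2025' }
        default           { 'Not one of the release lines discussed; verify support status' }
    }
} | Format-List

# Optionally confirm a specific update is installed (placeholder KB supplied by the caller).
if ($ExpectedKB) {
    $hotfix = Get-HotFix | Where-Object HotFixID -eq $ExpectedKB
    if ($hotfix) {
        "Update $ExpectedKB installed on $($hotfix.InstalledOn)"
    } else {
        "Update $ExpectedKB NOT found; run Windows Update"
    }
}
```

Run it as `.\Check-WindowsRelease.ps1 -ExpectedKB KBxxxxxxx` (KB number from your own update catalogue); the build number plus UBR is the most reliable signal that a cumulative update actually applied, since `Get-HotFix` can lag or omit some update types.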
Several of the patched vulnerabilities are zero-days that are already being exploited. Microsoft’s update guide offers limited detail, but blog posts from experts like Dustin Childs indicate that some, such as CVE-2024-43461, are being used in the wild. CVE-2024-38217, a Security Feature Bypass vulnerability, and CVE-2024-43491, a Remote Code Execution issue, are particularly noteworthy. The latter affects older Windows 10 versions and requires the updates to be installed in sequence to resolve.
Other critical vulnerabilities include CVE-2024-38119, which affects Network Address Translation (NAT), and multiple Remote Code Execution (RCE) vulnerabilities across Windows Remote Desktop Services, Microsoft Management Console, and Power Automate for Desktop.
In Microsoft Office, 11 vulnerabilities were addressed, including a zero-day and two critical flaws. CVE-2024-38226, a Security Feature Bypass in Publisher, and several RCE vulnerabilities in SharePoint Server and Visio were also fixed. SQL Server saw 13 vulnerabilities patched, including six RCE issues.
The update for Microsoft Edge, version 128.0.2739.63, addresses some security issues, though detailed release notes are still awaited. Google’s Chrome also received a high-risk security update on September 10, which Microsoft has not yet carried over into Edge.