September Windows update boosts security with key fixes
The September Windows update package seems less urgent than recent ones, but it still delivers important security fixes. One notable component being patched is Windows Update itself.
The most significant fix is the cumulative update for Windows 10, which addresses CVE-2024-43491. This vulnerability stems from improper handling of optional components during installation of the servicing stack update. The high complexity of the Windows Update service and its local installer (TrustedInstaller) caused updates to be applied incorrectly.
The problem would have been serious (vulnerabilities left unpatched despite the fixes being installed) if it had affected more systems. However, the Windows Update bug only affects the 2015 LTSB release, the oldest build of Windows 10 Enterprise. Interestingly, Microsoft's automatic update client for macOS also received a patch (CVE-2024-43492).
TCP/IP
Among the vulnerabilities being addressed, two flaws in TCP/IP stand out. They allow control of the computer to be taken by sending a malicious packet. A recent flaw of this kind, in the IPv6 implementation, was very serious. Flaws in the network stack itself are dangerous and cannot be mitigated by a firewall that operates "higher up."
This time, however, the TCP/IP flaws (CVE-2024-21416 and CVE-2024-38045) involve non-standard configurations (the NetNAT service) on unusually configured networks and require detailed knowledge of the targeted system. They are therefore a much smaller issue than the "touch-free" hole in the IPv6 implementation, which needed no user interaction.
Libarchive
Windows also received a fix for the libarchive component, which provides RAR archive support (CVE-2024-43495). Code could be executed while decompressing a malicious archive. Although the issue concerns libarchive, it appears to be limited to Windows; the upstream libarchive project itself released a new version in April.
This time Microsoft scored the vulnerability correctly, rating its attack vector as local rather than network because "a malicious file must be downloaded." That does not mean the end of problems with Microsoft's vulnerability assessments, however: the hole in MMC, CVE-2024-38259, which is undoubtedly local, was described as potentially exploitable remotely.
The update for Windows 10 weighs 1.5 GB, the one for Windows 11 1.6 GB, and the set of fixes for the yet-to-be-released official version 24H2 is 1.1 GB. As usual, the largest update was prepared for Windows Server 2016. All patches are available in the Microsoft Update Catalog, though of course Automatic Updates will download them on its own.