TechSeptember Windows update boosts security with key fixes

September Windows update boosts security with key fixes

The September Windows update package seems less urgent than recent ones, but it still delivers important security fixes. One notable component being patched is the Windows Update itself.

Windows Update
Windows Update
Images source: © Licensor | Kamil Dudek
Kamil J. Dudek

The most significant fix is the cumulative update for Windows 10, which addresses vulnerability CVE-2024-43491. This vulnerability is related to improper handling of optional components during the installation of the servicing stack update. The high complexity of the Windows Update service and its local installer (TrustedInstaller) led to faulty update application.

The problem would have been serious (unpatched vulnerabilities despite installed fixes) if it had affected more systems. However, the bug in Windows Update only affects version 2015 LTSB, which is the oldest compilation of Windows 10 in the Enterprise version. Interestingly, the automatic update client for Microsoft's Mac systems also received a patch (CVE-2024-43492).

TCP/IP

Among the vulnerabilities being addressed, two flaws in TCP/IP stand out. These flaws allow control of the computer through the transmission of a malicious packet. Recently, such a problem was very serious and related to IPv6. Flaws in the network stack itself are dangerous and cannot be mitigated by a firewall that operates "higher up."

This time, however, the TCP/IP flaws (CVE-2024-21416 and CVE-2024-38045) involve non-standard configurations (NetNAT service) in unusually behaving networks, requiring detailed knowledge of the attacked system. Therefore, it is a much smaller issue than the "touch-free" hole in the IPv6 implementation.

Libarchive

Windows also received a fix related to the libarchive component, which provides RAR archive support (CVE-2024-43495). It was possible to execute code during the decompression of a malicious archive. Although the issue concerns libarchive, it seems to be limited to Windows. Libarchive itself released a new version in April.

This time, Microsoft correctly calculated vulnerability metrics, describing it as local and not network-based only because "a malicious file must be downloaded." However, this doesn't mean the end of issues with Microsoft's vulnerability assessments, as the hole in MMC, CVE-2024-38259, undoubtedly local, was described as potentially exploitable remotely.

The update for Windows 10 weighs 1.5GB, for Windows 11 - 1.6GB, and the set of fixes for the yet-to-be-released official version 24H2 is 1.1GB. As usual, the largest update was prepared for Windows Server 2016. All patches are available in the Microsoft Update Catalog, but of course, they will be automatically downloaded by Automatic Updates.

© Daily Wrap
·

Downloading, reproduction, storage, or any other use of content available on this website—regardless of its nature and form of expression (in particular, but not limited to verbal, verbal-musical, musical, audiovisual, audio, textual, graphic, and the data and information contained therein, databases and the data contained therein) and its form (e.g., literary, journalistic, scientific, cartographic, computer programs, visual arts, photographic)—requires prior and explicit consent from Wirtualna Polska Media Spółka Akcyjna, headquartered in Warsaw, the owner of this website, regardless of the method of exploration and the technique used (manual or automated, including the use of machine learning or artificial intelligence programs). The above restriction does not apply solely to facilitate their search by internet search engines and uses within contractual relations or permitted use as specified by applicable law.Detailed information regarding this notice can be found  here.