September 2024 Patch Tuesday forecast: Downgrade is the new exploit
September 2024 Patch Tuesday is now live:
Microsoft fixes 4 exploited zero-days and a code defect that nixed earlier security fixes
I asked for a calm August 2024 Patch Tuesday in last month’s forecast article and that came to pass.
The updates released were limited to the regular operating systems and all forms of Office applications. Six zero-day vulnerabilities were announced, five in the operating systems and one in Office. There were 63 CVEs addressed in the Windows 10 operating systems and their associated server versions, and 55 in Windows 11. Overall, it was a straightforward set of updates to deploy, but several issues were identified over the past month, which Microsoft has acknowledged and is working on. They should be addressed in the upcoming September releases.
Windows Downdate downgrade attack
The Windows Downdate downgrade attack deserves some attention this month. At Black Hat USA 2024, Alon Leviev revealed an exploit using CVE-2024-38202 and CVE-2024-21302 that abuses the Windows Update process itself to roll back core operating system components (the kernel, drivers, the hypervisor and the Secure Kernel) to older, vulnerable versions. This re-exposes every vulnerability that had been reported and fixed in the newer versions.
A downgraded system can therefore be exposed to hundreds of now ‘zero-day’ vulnerabilities while Windows Update still reports it as fully patched, which is what makes this attack dangerous: the usual signals a patch team relies on (the installed-update list, the build number) say nothing is wrong. Microsoft shipped a fix for CVE-2024-21302 with the August 2024 Patch Tuesday updates, but note that the rollback protection it enables is opt-in and requires applying the revocation policy described in Microsoft’s accompanying guidance on blocking rollback of VBS-related updates. For CVE-2024-38202 they could only provide mitigation guidance in a security advisory. We’ll see if there is a KB that delivers a patch for this CVE this month.
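Because the servicing data cannot be trusted to reveal a downgrade, the practical check is to look at the binaries themselves. The following script is an added example for this article, not code from the author or from the Windows Downdate research. It records a baseline of the on-disk versions of a handful of kernel- and VBS-related binaries right after a known-good patch cycle, and on later runs flags any file whose version has gone down; it also compares the kernel against the build.UBR the registry advertises. The file list, the baseline path and the assumption that the script runs elevated on Windows 10/11 are mine.

```powershell
# Added example for this article; not code from the author or from the
# Windows Downdate research. Assumptions: Windows 10/11, run from an elevated
# PowerShell prompt, and the file list below is my own choice of kernel- and
# VBS-related binaries that a downgrade would have to replace.
param([string]$BaselinePath = (Join-Path $env:ProgramData 'core-binary-versions.json'))

$sys32   = Join-Path $env:SystemRoot 'System32'
$targets = 'ntoskrnl.exe', 'securekernel.exe', 'ci.dll', 'winload.efi',
           'hvix64.exe', 'hvax64.exe'   # only one hypervisor binary exists per CPU vendor

function Get-BinaryVersion([string]$Path) {
    # Use the numeric parts: the FileVersion string carries a "(WinBuild...)"
    # suffix that does not cast to [version].
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Get-CurrentVersions {
    $out = [ordered]@{}
    foreach ($name in $targets) {
        $p = Join-Path $sys32 $name
        if (Test-Path -LiteralPath $p) { $out[$name] = (Get-BinaryVersion $p).ToString() }
    }
    $out
}

$current = Get-CurrentVersions

# Sanity check: the kernel normally carries the same build.UBR the registry
# advertises. An older kernel beside a current registry value is exactly the
# "looks patched, isn't" state a downgrade produces.
$cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$claimed = [version]::new(10, 0, [int]$cv.CurrentBuildNumber, [int]$cv.UBR)
if ([version]$current['ntoskrnl.exe'] -lt $claimed) {
    Write-Warning "ntoskrnl.exe is $($current['ntoskrnl.exe']) but the registry claims $claimed"
}

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run (do this right after a known-good patch cycle): record the baseline.
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
    return
}

# Later runs: any file whose version went DOWN since the baseline is a downgrade lead.
$baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
foreach ($name in $current.Keys) {
    $old = $baseline.$name
    if (-not $old) { continue }          # file was not present when the baseline was taken
    $status = if ([version]$current[$name] -lt [version]$old) { 'DOWNGRADED' } else { 'ok' }
    [pscustomobject]@{ File = $name; Baseline = $old; Now = $current[$name]; Status = $status }
}

# What the servicing stack believes. The point of Downdate is that this list
# can still say "patched" while the binaries above are old.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn
```

Two caveats. Not every binary is rebuilt in every cumulative update, so a file version lower than the registry’s UBR is normal for many files; that is why the script only compares the kernel against the registry and otherwise relies on a baseline, where any decrease is suspicious. And since an attacker with this level of access can alter the registry and the baseline file as well, keep the baseline copy off the box (or feed the output to your inventory tool) if you want the comparison to mean anything.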
Microsoft confirmed several reported issues with the August updates throughout the month. They added a note to KB5041578 for Server 2019 stating that after installing the August update you may experience slowdowns, unresponsiveness, and high CPU usage.
The temporary workaround for this issue is the Known Issue Rollback (KIR) policy, and Microsoft says it is working on a fix. Microsoft also acknowledges that following the August updates you may “face issues with booting Linux if you have enabled the dual-boot setup for Windows and Linux in your device.” The cause is the Secure Boot Advanced Targeting (SBAT) revocation shipped in the August update, and the note was added to the KBs for Windows Server 2016, 2019, and 2022. Again, there is a workaround, and they are working on a resolution. These issues may be resolved with the September updates.
Final Windows updates
There are a few items of general interest to note. Keep in mind that the final updates for Windows 11 21H2 Enterprise and Education editions, and for Windows 11 22H2 Home and Pro editions, arrive in October. You should be planning to upgrade to a newer version to ensure you still receive security updates after October. For those of you still dealing with the Windows Recovery Environment (WinRE) partition error caused by insufficient space, Microsoft has updated the January patches so they do not install if the partition is too small, avoiding the cryptic 0x80070643 error message.
Per Microsoft, ‘The WinRE partition requires 250 megabytes of free space. Devices which do not have sufficient free space will need to increase the size of the partition via manual action.’ So you will need to manually enlarge the partition, or use the script Microsoft recommends, before installing these ‘new’ updates.
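Before rolling the updated January patches out, it is worth knowing which machines will silently skip them. The script below is an added example for this article, not Microsoft’s resize script: it only reports, it does not resize anything. It reads the WinRE partition location from `reagentc /info`, looks up that partition’s free space, and compares it with the 250 MB Microsoft requires. It assumes an elevated prompt and English-language `reagentc` output.

```powershell
# Added example for this article; not Microsoft's resize script. It only reports
# and never changes the partition layout. Assumptions: elevated prompt, English
# reagentc output, and Microsoft's stated requirement of 250 MB free for WinRE.
$requiredMB = 250

$info  = reagentc /info
$match = $info | Select-String 'Windows RE location:\s*(\S+)'
if (-not $match) { throw 'Could not read the WinRE location; is WinRE disabled? (check reagentc /info)' }
$location = $match.Matches[0].Groups[1].Value
# Typical value: \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
if ($location -match 'harddisk(\d+)\\partition(\d+)') {
    $diskNumber = [int]$Matches[1]
    $partNumber = [int]$Matches[2]
} else {
    throw "Unexpected WinRE location format: $location"
}

# Recovery partitions have no drive letter, so resolve the volume via the partition.
$volume = Get-Partition -DiskNumber $diskNumber -PartitionNumber $partNumber | Get-Volume
$sizeMB = [math]::Round($volume.Size / 1MB, 1)
$freeMB = [math]::Round($volume.SizeRemaining / 1MB, 1)

[pscustomobject]@{
    WinRELocation = $location
    Disk          = $diskNumber
    Partition     = $partNumber
    SizeMB        = $sizeMB
    FreeMB        = $freeMB
    RequiredMB    = $requiredMB
    Verdict       = if ($freeMB -ge $requiredMB) { 'OK' } else { 'TOO SMALL: enlarge before installing' }
}
```

Run it through your endpoint management tool and collect the `Verdict` column; machines reporting `TOO SMALL` are the ones that need the partition enlarged (by hand or with Microsoft’s script) before the updated WinRE patches will apply, and those that throw because WinRE is disabled need that fixed first.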
September 2024 Patch Tuesday forecast
- Microsoft will release the standard operating system, Office, and SharePoint updates, and perhaps a .NET Framework or SQL Server update, this month.
- Adobe released a major security update for Acrobat and Reader last Patch Tuesday, so I don’t expect any updates this month.
- Apple released OS updates the first week of August but did not include any CVE information. While Apple doesn’t generally release on Patch Tuesday, the last security update was in July, so we are due for another update soon.
- Google shipped a fix for Chrome’s 10th exploited zero-day of the year last week. While we may not see another zero-day, expect Google to have an update next week as usual.
- Mozilla released security updates for Firefox 130 and Firefox ESR 115 and 128 earlier this week. If you are a Thunderbird user, I’d expect another update any day now.
Summer doesn’t officially end until later this month, but for many of us we associate the end of summer with the new school year. The lazy days of summer may be over (we did have an easy August Patch Tuesday), but let’s hope they last one more month!