After an initial discussion about this month’s updates, we’ll offer our advice for devising a plan to handle patch management in a hybrid work environment. You can also register for our free Patch Tuesday webinar and listen to our experts break down Patch Tuesday updates in detail.

What is Patch Tuesday?  

Patch Tuesday falls on the second Tuesday of every month. This is when, Microsoft releases security and non-security updates for its operating system and other related applications. Since Microsoft has upheld this process of releasing updates in a periodic manner, IT admins expect these updates and have time to gear up for them.

Why is Patch Tuesday important?  

Important security updates and patches to fix critical bugs or vulnerabilities are released on Patch Tuesday. Usually, zero-day vulnerabilities are also fixed during Patch Tuesday, unless the vulnerability is critical and highly exploited, in which case an out-of-band security update is released to address that particular vulnerability.

March 2025 Patch Tuesday

Security Updates Lineup

Here is a breakdown of the vulnerabilities fixed this month:

CVE IDs: 57

Republished CVE IDs: 10 (more details on this below)

Security updates were released for the following products, features, and roles:  

• Windows exFAT File System

• Azure Agent Installer

• Windows MapUrlToZone

• Windows Remote Desktop Services

• .NET

• Windows Win32 Kernel Subsystem

• Microsoft Streaming Service

• Role: Windows Hyper-V

• Azure CLI

• Windows Routing and Remote Access Service (RRAS)

• Windows NTLM

• Windows USB Video Driver

• Windows Telephony Server

• Microsoft Office

• Windows Common Log File System Driver

• Windows Mark of the Web (MOTW)

• Role: DNS Server

• Windows Kernel-Mode Drivers

• ASP.NET Core & Visual Studio

• Windows File Explorer

• Microsoft Local Security Authority Server (lsasrv)

• Windows Cross Device Service

• Microsoft Office Word

• Microsoft Office Excel

• Windows Subsystem for Linux

• Windows NTFS

• Windows Fast FAT Driver

• Azure PromptFlow

• Windows Kernel Memory

• Visual Studio

• Microsoft Windows

• Azure Arc

• Microsoft Office Access

• Visual Studio Code

• Microsoft Management Console

• Microsoft Edge (Chromium-based)

• Remote Desktop Client

Learn more in the MSRC’s release notes.

Details of the zero-day vulnerabilities

• CVE-2025-24983

Vulnerable Component: Windows Win32 Kernel Subsystem

Impact: Elevation of Privilege

CVSS 3.1: 7.0

Microsoft has resolved a security vulnerability that enabled local attackers to gain SYSTEM privileges through the exploitation of a race condition. Currently, specific details on the exploitation method have not been disclosed by Microsoft. The vulnerability was identified by Filip Jurčacko from ESET, and further information is anticipated to be released in due course.

• CVE-2025-24984

Vulnerable Component: Windows NTFS

Impact: Information Disclosure

CVSS 3.1: 4.6

This vulnerability can be exploited by attackers with physical access to the device by inserting a malicious USB drive. Exploiting this flaw enables attackers to read portions of heap memory and steal information. Microsoft notes that the vulnerability was disclosed anonymously.

• CVE-2025-24985

Vulnerable Component: Windows Fast FAT File System Driver

Impact: Remote Code Execution

CVSS 3.1: 7.8

A remote code execution vulnerability is present due to an integer overflow in the Windows Fast FAT Driver. Exploitation of this flaw requires an attacker to deceive a local user into mounting a specially crafted VHD. While Microsoft has not shared specific exploitation methods, it notes that malicious VHD images have been used in past phishing attacks and through pirated software. This vulnerability was disclosed anonymously.

• CVE-2025-24991

Vulnerable Component: Windows NTFS

Impact: Information Disclosure

CVSS 3.1: 5.5

Microsoft indicates that attackers can leverage this flaw to access small segments of heap memory and extract sensitive information. Exploitation involves deceiving a user into mounting a malicious VHD file. This vulnerability was disclosed anonymously.

• CVE-2025-24993

Vulnerable Component: Windows NTFS

Impact: Remote Code Execution

CVSS 3.1: 7.8

A heap-based buffer overflow vulnerability in Windows NTFS permits an attacker to execute arbitrary code. This flaw can be exploited by persuading a local user to mount a specially crafted VHD. The vulnerability was disclosed anonymously. 

• CVE-2025-26633

Vulnerable Component: Microsoft Management Console

Impact: Security Feature Bypass

CVSS 3.1: 7.0

This vulnerability allows malicious .msc files to bypass Windows security features and execute arbitrary code. Exploiting this flaw requires attackers to convince users to open a malicious file, typically distributed through email or instant messaging. While users cannot be compelled to view content controlled by an attacker, social engineering tactics may be employed. This vulnerability was discovered by Aliakbar Zahravi from Trend Micro, though specific exploitation details have not been disclosed.

• CVE-2025-26630

Vulnerable Component: Microsoft Access

Impact: Remote Code Execution

CVSS 3.1: 7.8

A use-after-free memory bug in Microsoft Office Access enables remote code execution. To exploit this flaw, an attacker would need to trick a user into opening a specially crafted Access file. This can be achieved through phishing or social engineering attacks, but the flaw cannot be exploited through the preview pane. Microsoft has not shared the details on who disclosed this flaw.

Republished CVE IDs

Besides the vulnerabilities fixed in this month’s Patch Tuesday, Microsoft has also republished ten CVE IDs. These are as follows:

• CVE-2024-9157

• CVE-2025-1914

• CVE-2025-1915

• CVE-2025-1916

• CVE-2025-1917

• CVE-2025-1918

• CVE-2025-1919

• CVE-2025-1921

• CVE-2025-1922

• CVE-2025-1923

Some third-party vendors such as Broadcom, Cisco, Google, and Ivanti have also released updates this month.

Best practices to handle patch management in a hybrid work environment  

Most organizations have opted to embrace remote work even after returning to the office. This decision poses various challenges to IT admins, especially in terms of managing and securing distributed endpoints.

Here are a few pointers to simplify the process of remote patching:

• Disable automatic updates because one faulty patch could bring down the whole system. IT admins can educate end users on how to disable automatic updates on their machines. Patch Manager Plus and Endpoint Central also have a dedicated patch, 105427, that can be deployed to endpoints to ensure that automatic updates are disabled.

• Create a restore point—a backup or image that captures the state of the machines—before deploying big updates like those from Patch Tuesday.

• Establish a patching schedule and keep end users informed about it. It is recommended to set up a time for deploying patches and rebooting systems. Let end users know what needs to be done on their end for trouble-free patching.

• Test the patches on a pilot group of systems before deploying them to the production environment. This will ensure that the patches do not interfere with the workings of other applications.

• Since many users are working from home, they all might be working different hours; in this case, you can allow end users to skip deployment and scheduled reboots. This will give them the liberty to install updates at their convenience and avoid disrupting their work. Our patch management products come with options for user-defined deployment and reboot.

• Most organizations are deploying patches using a VPN. To stop patch tasks from eating up your VPN bandwidth, install critical patches and security updates first. You might want to hold off on deploying feature packs and cumulative updates since they are bulky updates and consume a lot of bandwidth.

• Schedule the non-security updates and security updates that are not rated Critical to be deployed after Patch Tuesday, such as during the third or fourth week of the month. You can also choose to decline certain updates if you feel they are not required in your environment.

• Run patch reports to get a detailed view of the health status of your endpoints.

For machines belonging to users returning to the office after working remotely, check if they are compliant with your security policies. If not, quarantine them. Install the latest updates and feature packs before deeming your back-to-office machines fit for production. Take inventory of and remove apps that are now obsolete for your back-to-office machines, like remote collaboration software.

With Endpoint Central, Patch Manager Plus, or Vulnerability Manager Plus, you can completely automate the entire process of patch management, from testing patches to deploying them. You can also tailor patch tasks according to your current needs. For a hands-on experience with either of these products, try a free, 30-day trial and keep thousands of applications patched and secure.

Want to learn more about Patch Tuesday updates? Join our experts as they break down this month’s Patch Tuesday updates and offer in-depth analysis. You can also ask our experts questions and get answers to all your Patch Tuesday questions. Register for our free Patch Tuesday webinar.

Ready, get set, patch!

The post March Patch Tuesday comes with fixes for 57 vulnerabilities, including 7 zero-days appeared first on ManageEngine Blog.

After an initial discussion about this month’s updates, we’ll offer our advice for devising a plan to handle patch management in a hybrid work environment. You can also register for our free Patch Tuesday webinar and listen to our experts break down Patch Tuesday updates in detail.

What is Patch Tuesday?  

Patch Tuesday falls on the second Tuesday of every month. On this day, Microsoft releases security and non-security updates for its operating system and other related applications. Since Microsoft has upheld this process of releasing updates in a periodic manner, IT admins expect these updates and have time to gear up for them.

Why is Patch Tuesday important?  

Important security updates and patches to fix critical bugs or vulnerabilities are released on Patch Tuesday. Usually, zero-day vulnerabilities are also fixed during Patch Tuesday unless the vulnerability is critical and highly exploited, in which case an out-of-band security update is released to address that particular vulnerability.

February 2025 Patch Tuesday  

Security updates lineup  

Here is a breakdown of the vulnerabilities fixed this month:

CVE IDs: 55

Republished CVE IDs: 4 (more details on this below)

Security updates were released for the following products, features, and roles:

• Microsoft Dynamics 365 Sales

• Windows DHCP Client

• Windows Message Queuing

• Windows Resilient File System (ReFS) Deduplication Service

• Windows CoreMessaging

• Azure Network Watcher

• Windows Telephony Service

• Microsoft Surface

• Microsoft High Performance Compute Pack (HPC) Linux Node Agent

• Visual Studio

• Windows Routing and Remote Access Service (RRAS)

• Windows Internet Connection Sharing (ICS)

• Microsoft Edge for iOS and Android

• Outlook for Android

• Microsoft Edge (Chromium-based)

• Microsoft PC Manager

• Microsoft Windows

• Windows Update Stack

• Windows Remote Desktop Services

• Windows Kerberos

• Active Directory Domain Services

• Microsoft Office Excel

• Microsoft Office

• Microsoft Office SharePoint

• Windows DWM Core Library

• Windows Ancillary Function Driver for WinSock

• Windows Setup Files Cleanup

• Windows Disk Cleanup Tool

• Microsoft AutoUpdate (MAU)

• Visual Studio Code

Learn more in the MSRC’s release notes.

Details of the zero-day vulnerabilities  

• CVE-2025-21391

Vulnerable component: Windows Storage

Impact: Elevation of privilege

CVSS 3.1: 7.1

Microsoft has resolved a security flaw that was being actively exploited, which could allow attackers to gain higher privileges and delete files.

In its advisory, Microsoft explained that “The attacker would only be able to remove specific files on a system.” While this vulnerability doesn’t expose confidential data, it could result in the deletion of important files, potentially leading to service interruptions, Microsoft noted.

• CVE-2025-21418

Vulnerable component: Windows Ancillary Function Driver for WinSock

Impact: Elevation of privilege

CVSS 3.1: 7.8

The second vulnerability that is being actively exploited enables attackers to obtain SYSTEM privileges on Windows. Microsoft has not shared any details on how it was exploited in attacks, and the flaw was reported anonymously.

• CVE-2025-21194

Vulnerable component: Microsoft Surface

Impact: Security feature bypass

CVSS 3.1: 7.1

Microsoft has identified a hypervisor vulnerability that allows attackers to bypass UEFI and potentially compromise the secure kernel. According to the advisory, the flaw affects Virtual Machines on UEFI host machines, with some hardware potentially allowing UEFI bypass. This could lead to the hypervisor and secure kernel being compromised.

• CVE-2025-21377

Vulnerable component: NTML Hash Disclosure

Impact: Spoofing

CVSS 3.1: 6.5

Microsoft has addressed a publicly disclosed vulnerability that exposes Windows users’ NTLM hashes, potentially allowing attackers to log in as the user remotely.

The advisory notes, “Minimal interaction with a malicious file, such as selecting (single-click), inspecting (right-click), or performing any action other than opening or executing the file, could trigger this vulnerability.”

Although Microsoft hasn’t revealed many details, the flaw likely works similarly to other NTLM hash disclosure issues.

Republished CVE IDs  

Besides the vulnerabilities fixed in this month’s Patch Tuesday, Microsoft has also republished four CVE IDs. These are as follows:

• CVE-2025-0444

• CVE-2023-32002

• CVE-2025-0445

• CVE-2025-0451

Some third-party vendors such as Adobe, Cisco, SAP, and Ivanti have also released updates this month.

Best practices to handle patch management in a hybrid work environment  

Most organizations have opted to embrace remote work even after they have been cleared to return to the office. This decision poses various challenges to IT admins, especially in terms of managing and securing distributed endpoints.

Here are a few pointers to simplify the process of remote patching:

• Disable automatic updates because one faulty patch could bring down the whole system. IT admins can educate end users on how to disable automatic updates on their machines. Patch Manager Plus and Endpoint Central also have a dedicated patch, 105427, that can be deployed to endpoints to ensure that automatic updates are disabled.

• Create a restore point—a backup or image that captures the state of the machines—before deploying big updates like those from Patch Tuesday.

• Establish a patching schedule and keep end users informed about it. It is recommended to set up a time for deploying patches and rebooting systems. Let end users know what needs to be done on their end for trouble-free patching.

• Test the patches on a pilot group of systems before deploying them to the production environment. This will ensure that the patches do not interfere with the workings of other applications.

• Since many users are working from home, they all might be working different hours; in this case, you can allow end users to skip deployment and scheduled reboots. This will give them the liberty to install updates at their convenience and avoid disrupting their work. Our patch management products come with options for user-defined deployment and reboot.

• Most organizations are deploying patches using a VPN. To stop patch tasks from eating up your VPN bandwidth, install Critical patches and security updates first. You might want to hold off on deploying feature packs and cumulative updates since they are bulky updates and consume a lot of bandwidth.

• Schedule the non-security updates and security updates that are not rated Critical to be deployed after Patch Tuesday, such as during the third or fourth week of the month. You can also choose to decline certain updates if you feel they are not required in your environment.

• Run patch reports to get a detailed view of the health status of your endpoints.

For machines belonging to users returning to the office after working remotely, check if they are compliant with your security policies. If not, quarantine them. Install the latest updates and feature packs before deeming your back-to-office machines fit for production. Take inventory of and remove apps that are now obsolete for your back-to-office machines, like remote collaboration software.

With Endpoint Central, Patch Manager Plus, or Vulnerability Manager Plus, you can completely automate the entire process of patch management, from testing patches to deploying them. You can also tailor patch tasks according to your current needs. For a hands-on experience with either of these products, try a free, 30-day trial and keep thousands of applications patched and secure.

Want to learn more about Patch Tuesday updates? Join our experts as they break down this month’s Patch Tuesday updates and offer in-depth analysis. You can also ask our experts questions and get answers to all your Patch Tuesday questions. Register for our free Patch Tuesday webinar.

Ready, get set, patch!

The post February Patch Tuesday comes with fixes for 55 vulnerabilities, including 4 zero-days appeared first on ManageEngine Blog.

After an initial discussion about this month’s updates, we’ll offer our advice for devising a plan to handle patch management in a hybrid work environment. You can also register for our free Patch Tuesday webinar and listen to our experts break down Patch Tuesday updates in detail.

What is Patch Tuesday?

Patch Tuesday falls on the second Tuesday of every month. On this day, Microsoft releases security and non-security updates for its operating system and other related applications. Since Microsoft has upheld this process of releasing updates in a periodic manner, IT admins expect these updates and have time to gear up for them.

Why is Patch Tuesday important?

Important security updates and patches to fix critical bugs or vulnerabilities are released on Patch Tuesday. Usually, zero-day vulnerabilities are also fixed during Patch Tuesday unless the vulnerability is critical and highly exploited, in which case an out-of-band security update is released to address that particular vulnerability.

January 2025 Patch Tuesday

Security updates lineup

Here is a breakdown of the vulnerabilities fixed this month:

CVE IDs: 159

Republished CVE IDs: 2 (more details on this below)

Security updates were released for the following products, features, and roles:

• .NET

• .NET and Visual Studio

• .NET, .NET Framework, Visual Studio

• Active Directory Domain Services

• Active Directory Federation Services

• Azure Marketplace SaaS Resources

• BranchCache

• Internet Explorer

• IP Helper

• Line Printer Daemon Service (LPD)

• Microsoft AutoUpdate (MAU)

• Microsoft Azure Gateway Manager

• Microsoft Brokering File System

• Microsoft Digest Authentication

• Microsoft Graphics Component

• Microsoft Office

• Microsoft Office Access

• Microsoft Office Excel

• Microsoft Office OneNote

• Microsoft Office Outlook

• Microsoft Office Outlook for Mac

• Microsoft Office SharePoint

• Microsoft Office Visio

• Microsoft Office Word

• Microsoft Purview

• Microsoft Windows Search Component

• Power Automate

• Reliable Multicast Transport Driver (RMCAST)

• Visual Studio

• Windows BitLocker

• Windows Boot Loader

• Windows Boot Manager

• Windows Client-Side Caching (CSC) Service

• Windows Cloud Files Mini Filter Driver

• Windows COM

• Windows Connected Devices Platform Service

• Windows Cryptographic Services

• Windows Digital Media

• Windows Direct Show

• Windows DWM Core Library

• Windows Event Tracing

• Windows Geolocation Service

• Windows Hello

• Windows Hyper-V NT Kernel Integration VSP

• Windows Installer

• Windows Kerberos

• Windows Kernel Memory

• Windows MapUrlToZone

• Windows Message Queuing

• Windows NTLM

• Windows OLE

• Windows PrintWorkflowUserSvc

• Windows Recovery Environment Agent

• Windows Remote Desktop Services

• Windows Secure Boot

• Windows Security Account Manager

• Windows Smart Card

• Windows SmartScreen

• Windows SPNEGO Extended Negotiation

• Windows Telephony Service

• Windows Themes

• Windows UPnP Device Host

• Windows Virtual Trusted Platform Module

• Windows Virtualization-Based Security (VBS) Enclave

• Windows Web Threat Defense User Service

• Windows Win32K – GRFX

• Windows WLAN Auto Config Service

Learn more in the MSRC’s release notes.

Details of the zero-day vulnerabilities

• CVE-2025-21333, CVE-2025-21334, CVE-2025-21335

Vulnerable component: Windows Hyper-V NT Kernel Integration VSP

Impact: Elevation of privilege

CVSS 3.1: 7.8

These vulnerabilities allow attackers to execute arbitrary code with elevated privileges on affected systems. Per Microsoft, “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”

While these vulnerabilities are being actively exploited, these haven’t been publicly disclosed before.

• CVE-2025-21186,  CVE-2025-21366, CVE-2025-21395

  Vulnerable component: Microsoft Access

  Impact: Remote Code Execution

  CVSS 3.1: 7.8

 As of now, the vulnerabilities have been publicly disclosed, but there have been no recorded instances of exploitation. The updates released potentially block certain types of malicious extensions from being sent via email. The extensions are:

• accdb

• accde

• accdw

• accdt

• accda

• accdr

• accdu

• CVE-2025-21308

Vulnerable component: Windows Themes

Impact: Spoofing

CVSS 3.1: 6.5

Microsoft states, “An attacker would have to convince the user to load a malicious file onto a vulnerable system, typically by way of an enticement in an Email or Instant Messenger message, and then convince the user to manipulate the specially crafted file, but not necessarily click or open the malicious file.”

As for the mitigation, Windows systems that have NTLM disabled in them are not affected by the vulnerability, while the other systems need to block the NTLM hash by applying an existing Group Policy, for which details can be found here.

• CVE-2025-21275

Vulnerable component: Windows App Package Installer

Impact: Elevation of Privilege

CVSS 3.1: 7.8

This vulnerability has also been publicly disclosed, yet no instances of active exploitation have been noted. Microsoft has stated that the attackers can gain SYSTEM privileges by exploiting the vulnerability.

Republished CVE IDs

Besides the vulnerabilities fixed in this month’s Patch Tuesday, Microsoft has also republished two CVE IDs. These are as follows:

• CVE-2024-50338

• CVE-2024-7344

Some third-party vendors such as Adobe, Cisco, SAP, Fortinet, and Ivanti have also released updates this January.

Most organizations have opted to embrace remote work even after they have been cleared to return to the office. This decision poses various challenges to IT admins, especially in terms of managing and securing distributed endpoints.

Here are a few pointers to simplify the process of remote patching:

• Disable automatic updates because one faulty patch could bring down the whole system. IT admins can educate end users on how to disable automatic updates on their machines. Patch Manager Plus and Endpoint Central also have a dedicated patch, 105427, that can be deployed to endpoints to ensure that automatic updates are disabled.
• Create a restore point—a backup or image that captures the state of the machines—before deploying big updates like those from Patch Tuesday.
• Establish a patching schedule and keep end users informed about it. It is recommended to set up a time for deploying patches and rebooting systems. Let end users know what needs to be done on their end for trouble-free patching.
• Test the patches on a pilot group of systems before deploying them to the production environment. This will ensure that the patches do not interfere with the workings of other applications.
• Since many users are working from home, they all might be working different hours; in this case, you can allow end users to skip deployment and scheduled reboots. This will give them the liberty to install updates at their convenience and avoid disrupting their work. Our patch management products come with options for user-defined deployment and reboot.
• Most organizations are deploying patches using a VPN. To stop patch tasks from eating up your VPN bandwidth, install Critical patches and security updates first. You might want to hold off on deploying feature packs and cumulative updates since they are bulky updates and consume a lot of bandwidth.
• Schedule the non-security updates and security updates that are not rated Critical to be deployed after Patch Tuesday, such as during the third or fourth week of the month. You can also choose to decline certain updates if you feel they are not required in your environment.
• Run patch reports to get a detailed view of the health status of your endpoints.

For machines belonging to users returning to the office after working remotely, check if they are compliant with your security policies. If not, quarantine them. Install the latest updates and feature packs before deeming your back-to-office machines fit for production. Take inventory of and remove apps that are now obsolete for your back-to-office machines, like remote collaboration software.

With Endpoint Central, Patch Manager Plus, or Vulnerability Manager Plus, you can completely automate the entire process of patch management, from testing patches to deploying them. You can also tailor patch tasks according to your current needs. For a hands-on experience with either of these products, try a free, 30-day trial and keep thousands of applications patched and secure.

Want to learn more about Patch Tuesday updates? Join our experts as they break down this month’s Patch Tuesday updates and offer in-depth analysis. You can also ask our experts questions and get answers to all your Patch Tuesday questions. Register for our free Patch Tuesday webinar.

Ready, get set, patch!

The post January 2025 Patch Tuesday comes with fixes for 159 vulnerabilities, including 8 zero-days appeared first on ManageEngine Blog.

While all zero-day vulnerabilities demand immediate attention, some are particularly noteworthy because they shed light on which technologies and products are being targeted more frequently by malicious actors. These trends not only highlight critical vulnerabilities but also reveal the evolving tactics and strategies attackers are using to compromise sensitive data and business-critical systems.

In this post, we’ll dive into the total number of zero-day vulnerabilities discovered in 2024, breaking them down by major vendors, and provide a month-by-month trend graph to track how these vulnerabilities have evolved. We’ll also take a closer look at the top 10 most impactful zero-day vulnerabilities of the year, analyzing their significance, exploitation patterns, and real-world consequences for businesses.

Zero-day vulnerabilities in 2024: Vendor breakdown

The year 2024 saw around 90 zero-day vulnerabilities reported. Here’s the breakdown of these vulnerabilities by major vendors:

• 26 vulnerabilities from Microsoft

• 10 vulnerabilities from Google

Monthly breakdown of zero-day vulnerabilities

Here’s how the zero-day vulnerabilities were distributed across the months in 2024:

Top 10 zero-day vulnerabilities of 2024

Let’s now focus on the top 10 most impactful zero-day vulnerabilities of the year, highlighting the components, CVE IDs, and CVSS scores that have raised the most concerns:

1. Vulnerable component: FortiManager
CVE-ID: CVE-2024-47575
CVSS score: 9.8

This vulnerability allowed remote attackers to compromise the affected system due to a lack of authentication in the FortiManager fgfmd daemon. A remote, unauthenticated attacker could send specially crafted requests to the system, executing arbitrary commands and ultimately gaining full control of the system.

2. Vulnerable component: Google Chrome
CVE-ID: CVE-2024-7971
CVSS Score: 9.6

A type confusion error within the V8 engine enabled remote attackers to execute arbitrary code on the target system. By crafting a malicious webpage, attackers could deceive the victim into visiting it, triggering the type confusion error and executing arbitrary code.

3. Vulnerable component: Ivanti Cloud Services Appliance 
CVE-ID: CVE-2024-8963
CVSS Score: 9.4

A directory traversal vulnerability allowed remote attackers to exploit an input validation error when processing directory traversal sequences. An unauthenticated attacker could send a specially crafted HTTP request and read arbitrary files on the system. This vulnerability could also be exploited alongside #VU97119 (CVE-2024-8190) to achieve remote code execution.

4. Vulnerable component: Palo Alto Networks Expedition
CVE-ID: CVE-2024-5910
CVSS Score: 9.3

A lack of authentication for a critical function in Palo Alto Networks Expedition allowed attackers with network access to take over the Expedition admin account.

5. Vulnerable component: SQL (Palo Alto Networks Expedition)
CVE-ID: CVE-2024-9465
CVSS Score: 9.2

An SQL injection vulnerability in Palo Alto Networks Expedition allowed unauthenticated attackers to expose the Expedition database contents, including sensitive data like password hashes, usernames, device configurations, and API keys. Attackers could also create and read arbitrary files on the system.

6. Vulnerable component: Windows
CVE-ID: CVE-2024-29988
CVSS Score: 8.8

This vulnerability allowed a remote attacker to compromise the system by exploiting an insufficient implementation of the Mark of the Web feature. A malicious file within an archive could bypass endpoint detection and response/network detection and response  and Microsoft Windows SmartScreen prompts, enabling the attacker to compromise the system.

7. Vulnerable component: Windows
CVE-ID: CVE-2024-49039
CVSS Score: 8.8

This vulnerability allowed a local user to escalate privileges on the system. It stemmed from improper authentication in the Windows Task Scheduler, enabling a local attacker to execute a specially crafted application with elevated privileges.

8. Vulnerable component: Windows
CVE-ID: CVE-2024-30040
CVSS Score: 8.8

This vulnerability allowed a remote attacker to compromise the system due to improper input validation in the Windows MSHTML platform. By deceiving the victim into opening or loading a specially crafted file, attackers could bypass Object Linking and Embedding mitigations in Microsoft 365 and Office, executing arbitrary code on the system.

9. Vulnerable component: Google Chromium V8 Engine
CVE-ID: CVE-2024-5274
CVSS Score: 8.8

A mismatch in data types led to this vulnerability. Attackers exploited it by providing input that triggered erroneous data interpretation, enabling attacks like arbitrary code execution or unauthorized data access. The impact could range from privilege escalation to data leakage or denial of service, depending on the context.

10. Vulnerable component: .NET and Visual Studio
CVE-ID: CVE-2024-35264
CVSS Score: 8.1

This vulnerability had a significant impact on confidentiality, integrity, and availability. It was network-based, meaning an attacker could exploit it remotely without any user interaction, triggering a use-after-free condition to compromise the system.

Protect your organization with comprehensive solutions

In today’s rapidly evolving threat landscape, protecting your organization from zero-day vulnerabilities is crucial. With ManageEngine Endpoint Central, Patch Manager Plus, and Vulnerability Manager Plus, you can proactively manage and mitigate these risks before they can be exploited.

These three solutions help you:

• Ensure timely patching and updates.

• Identify vulnerabilities in real time.

• Minimize the attack surface and reduce the risk of exploitation.

Leverage the power of these tools to safeguard your systems, secure your network, and stay ahead of emerging threats.

The post Notable zero-day vulnerability trends in 2024: Insights and implications appeared first on ManageEngine Blog.

After an initial discussion about this month’s updates, we’ll offer our advice for devising a plan to handle patch management in a hybrid work environment. You can also register for our free Patch Tuesday webinar and listen to our experts break down Patch Tuesday updates in detail.

What is Patch Tuesday?

Patch Tuesday falls on the second Tuesday of every month. On this day, Microsoft releases security and non-security updates for its operating system and other related applications. Since Microsoft has upheld this process of releasing updates in a periodic manner, IT admins expect these updates and have time to gear up for them.

Why is Patch Tuesday important?

Important security updates and patches to fix critical bugs or vulnerabilities are released on Patch Tuesday. Usually, zero-day vulnerabilities are also fixed during Patch Tuesday unless the vulnerability is critical and highly exploited, in which case an out-of-band security update is released to address that particular vulnerability.

December 2024 Patch Tuesday

Security updates lineup  

Here is a breakdown of the vulnerabilities fixed this month:

CVE IDs: 72

Republished CVE IDs: 1 (more details on this below)

Security updates were released for the following products, features, and roles:

• System Center Operations Manager

• Microsoft Office

• Microsoft Edge (Chromium-based)

• Microsoft Defender for Endpoint

• Microsoft Office SharePoint

• GitHub

• Microsoft Office Word

• Microsoft Office Excel

• Windows Task Scheduler

• Windows Mobile Broadband

• Windows Kernel-Mode Drivers

• Windows Remote Desktop Services

• Windows Virtualization-Based Security (VBS) Enclave

• Microsoft Office Publisher

• Windows IP Routing Management Snapin

• Windows Wireless Wide Area Network Service

• Windows File Explorer

• Windows Kernel

• Windows Routing and Remote Access Service (RRAS)

• Windows Common Log File System Driver

• Role: DNS Server

• Windows Resilient File System (ReFS)

• Windows PrintWorkflowUserSvc

• Windows Message Queuing

• Remote Desktop Client

• WmsRepair Service

• Windows LDAP – Lightweight Directory Access Protocol

• Windows Cloud Files Mini Filter Driver

• Role: Windows Hyper-V

• Windows Local Security Authority Subsystem Service (LSASS)

• Windows Remote Desktop

• Microsoft Office Access

Learn more in the MSRC’s release notes.

Details of the zero-day vulnerability

• CVE-2024-49138

Vulnerable component: Windows Common Log File System Driver

Impact: Elevation of privilege

CVSS 3.1: 7.8

As per Microsoft, this vulnerability has been publicly disclosed and is being actively exploited. Microsoft has also stated that the vulnerability can be exploited to gain SYSTEM privileges. So far, no further information has been reported.

Republished CVE IDs

Besides the vulnerabilities fixed in this month’s Patch Tuesday, Microsoft has also republished four CVE IDs. These are as follows:

• CVE-2024-12053

Some third-party vendors such as Adobe, Cisco, SAP, and Veeam have also released updates this month.

Best practices to handle patch management in a hybrid work environment

Most organizations have opted to embrace remote work even after they have been cleared to return to the office. This decision poses various challenges to IT admins, especially in terms of managing and securing distributed endpoints.

Here are a few pointers to simplify the process of remote patching:

• Disable automatic updates because one faulty patch could bring down the whole system. IT admins can educate end users on how to disable automatic updates on their machines. Patch Manager Plus and Endpoint Central also have a dedicated patch, 105427, that can be deployed to endpoints to ensure that automatic updates are disabled.
• Create a restore point—a backup or image that captures the state of the machines—before deploying big updates like those from Patch Tuesday.
• Establish a patching schedule and keep end users informed about it. It is recommended to set up a time for deploying patches and rebooting systems. Let end users know what needs to be done on their end for trouble-free patching.
• Test the patches on a pilot group of systems before deploying them to the production environment. This will ensure that the patches do not interfere with the workings of other applications.
• Since many users are working from home, they all might be working different hours; in this case, you can allow end users to skip deployment and scheduled reboots. This will give them the liberty to install updates at their convenience and avoid disrupting their work. Our patch management products come with options for user-defined deployment and reboot.
• Most organizations are deploying patches using a VPN. To stop patch tasks from eating up your VPN bandwidth, install Critical patches and security updates first. You might want to hold off on deploying feature packs and cumulative updates since they are bulky updates and consume a lot of bandwidth.
• Schedule the non-security updates and security updates that are not rated Critical to be deployed after Patch Tuesday, such as during the third or fourth week of the month. You can also choose to decline certain updates if you feel they are not required in your environment.
• Run patch reports to get a detailed view of the health status of your endpoints.

For machines belonging to users returning to the office after working remotely, check if they are compliant with your security policies. If not, quarantine them. Install the latest updates and feature packs before deeming your back-to-office machines fit for production. Take inventory of and remove apps that are now obsolete for your back-to-office machines, like remote collaboration software.

With Endpoint Central, Patch Manager Plus, or Vulnerability Manager Plus, you can completely automate the entire process of patch management, from testing patches to deploying them. You can also tailor patch tasks according to your current needs. For a hands-on experience with either of these products, try a free, 30-day trial and keep thousands of applications patched and secure.

Want to learn more about Patch Tuesday updates? Join our experts as they break down this month’s Patch Tuesday updates and offer in-depth analysis. You can also ask our experts questions and get answers to all your Patch Tuesday questions. Register for our free Patch Tuesday webinar.

Ready, get set, patch!

The post December 2024 Patch Tuesday comes with fixes for 72 vulnerabilities, including 1 zero-day appeared first on ManageEngine Blog.

After an initial discussion about this month’s updates, we’ll offer our advice for devising a plan to handle patch management in a hybrid work environment. You can also register for our free Patch Tuesday webinar and listen to our experts break down Patch Tuesday updates in detail.

What is Patch Tuesday?

Patch Tuesday falls on the second Tuesday of every month. On this day, Microsoft releases security and non-security updates for its operating system and other related applications. Since Microsoft has upheld this process of releasing updates in a periodic manner, IT admins expect these updates and have time to gear up for them.

Why is Patch Tuesday important?

Important security updates and patches to fix critical bugs or vulnerabilities are released on Patch Tuesday. Usually, zero-day vulnerabilities are also fixed during Patch Tuesday unless the vulnerability is critical and highly exploited, in which case an out-of-band security update is released to address that particular vulnerability.

November 2024 Patch Tuesday

Security updates lineup  

Here is a breakdown of the vulnerabilities fixed this month:

CVE IDs: 89

Republished CVE IDs: 3 (more details on this below)

Security updates were released for the following products, features, and roles:

• Windows Package Library Manager

• SQL Server

• Microsoft Virtual Hard Drive

• Windows SMBv3 Client/Server

• Windows USB Video Driver

• Microsoft Windows DNS

• Windows NTLM

• Windows Registry

• .NET and Visual Studio

• Windows Update Stack

• LightGBM

• Azure CycleCloud

• Azure Database for PostgreSQL

• Windows Telephony Service

• Windows NT OS Kernel

• Role: Windows Hyper-V

• Windows VMSwitch

• Windows DWM Core Library

• Windows Kernel

• Windows Secure Kernel Mode

• Windows Kerberos

• Windows SMB

• Windows CSC Service

• Windows Defender Application Control (WDAC)

• Windows Active Directory Certificate Services

• Microsoft Office Excel

• Microsoft Graphics Component

• Microsoft Office Word

• Windows Task Scheduler

• Microsoft Exchange Server

• Visual Studio

• Windows Win32 Kernel Subsystem

• TorchGeo

• Visual Studio Code

• Microsoft PC Manager

• Airlift.microsoft.com

 Learn more in the MSRC’s release notes.

Details of the zero-day vulnerabilities

• CVE-2024-43451

Vulnerable component: Windows NTLM

Impact: Spoofing

CVSS 3.1: 6.5

This critical zero-day vulnerability enables attackers to capture a user’s NTLMv2 hash with minimal user interaction. This presents a security risk as it could allow unauthorized access to network resources. By simply selecting or right-clicking a malicious file, users may expose their NTLMv2 hash which could be used by an attacker to exploit for unauthorized authentication.

Speaking of the mitigation, Microsoft has issued an essential security patch to address this flaw, and users are strongly prompted to apply the latest patches/updates immediately. Enterprises and organizations should also educate the end users on the risks of interacting with unsolicited files. 

This vulnerability has been publicly disclosed and is being actively exploited.

•  CVE-2024-49039

Vulnerable component: Windows Task Scheduler

Impact: Elevation of Privilege

CVSS 3.1: 8.8

This zero-day vulnerability allows attackers to execute unauthorized code or gain access to resources at a higher privilege level than what’s typically allowed in a low-privilege AppContainer environment.

Threat actors can exploit this vulnerability to escalate privileges, permitting them to perform Remote Procedure Call functions which are normally restricted to privileged accounts and affect the Windows systems that rely on Task Scheduler.

This vulnerability is being actively exploited.

• CVE-2024-49040

Vulnerable component: Microsoft Exchange Server

Impact: Spoofing

CVSS 3.1: 7.5

While Microsoft is aware of this vulnerability, much has not yet been released in the MSRC blog. However, they have released additional information about the steps to be performed or actions to be taken after the update.

This vulnerability has been publicly disclosed.

• CVE-2024-49019

Vulnerable component: Windows Active Directory Certificate Services

Impact: Elevation of privilege

CVSS 3.1: 7.8

This zero-day is commonly referred to as ESC15 or “EKUwu.” By leveraging this vulnerability, attackers can exploit misconfigurations within certificate templates. This would potentially lead to unauthorized access and privilege escalation in the affected systems. By manipulating the Enhanced Key Usage (EKU) extensions, threat actors can also obtain certificates, providing them with elevated privileges.

This vulnerability has been publicly disclosed.

Third-party updates released after last month’s Patch Tuesday

Some third-party vendors such as Adobe, Cisco, Citrix, Dell, Siemens, SAP and Ivanti have also released updates this November.

Republished CVE IDs

Besides the vulnerabilities fixed in this month’s Patch Tuesday, Microsoft has also republished four CVE IDs. These are as follows:

• CVE-2024-10826

• CVE-2024-10827

• CVE-2024-5535

Best practices to handle patch management in a hybrid work environment

Most organizations have opted to embrace remote work even after they have been cleared to return to the office. This decision poses various challenges to IT admins, especially in terms of managing and securing distributed endpoints.

Here are a few pointers to simplify the process of remote patching:

• Disable automatic updates because one faulty patch could bring down the whole system. IT admins can educate end users on how to disable automatic updates on their machines. Patch Manager Plus and Endpoint Central also have a dedicated patch, 105427, that can be deployed to endpoints to ensure that automatic updates are disabled.
• Create a restore point—a backup or image that captures the state of the machines—before deploying big updates like those from Patch Tuesday.
• Establish a patching schedule and keep end users informed about it. It is recommended to set up a time for deploying patches and rebooting systems. Let end users know what needs to be done on their end for trouble-free patching.
• Test the patches on a pilot group of systems before deploying them to the production environment. This will ensure that the patches do not interfere with the workings of other applications.
• Since many users are working from home, they all might be working different hours; in this case, you can allow end users to skip deployment and scheduled reboots. This will give them the liberty to install updates at their convenience and avoid disrupting their work. Our patch management products come with options for user-defined deployment and reboot.
• Most organizations are deploying patches using a VPN. To stop patch tasks from eating up your VPN bandwidth, install Critical patches and security updates first. You might want to hold off on deploying feature packs and cumulative updates since they are bulky updates and consume a lot of bandwidth.
• Schedule the non-security updates and security updates that are not rated Critical to be deployed after Patch Tuesday, such as during the third or fourth week of the month. You can also choose to decline certain updates if you feel they are not required in your environment.
• Run patch reports to get a detailed view of the health status of your endpoints.

For machines belonging to users returning to the office after working remotely, check if they are compliant with your security policies. If not, quarantine them. Install the latest updates and feature packs before deeming your back-to-office machines fit for production. Take inventory of and remove apps that are now obsolete for your back-to-office machines, like remote collaboration software.

With Endpoint Central, Patch Manager Plus, or Vulnerability Manager Plus, you can completely automate the entire process of patch management, from testing patches to deploying them. You can also tailor patch tasks according to your current needs. For a hands-on experience with either of these products, try a free, 30-day trial and keep thousands of applications patched and secure.

Want to learn more about Patch Tuesday updates? Join our experts as they break down this month’s Patch Tuesday updates and offer in-depth analysis. You can also ask our experts questions and get answers to all your Patch Tuesday questions. Register for our free Patch Tuesday webinar.

Ready, get set, patch!

The post November 2024 Patch Tuesday comes with fixes for 89 vulnerabilities including 4 zero-days  appeared first on ManageEngine Blog.

Edit (Oct. 9, 2024): The total number of vulnerabilities fixed in this Patch Tuesday is 117.

Welcome to the Patch Tuesday update for October 2024, which lists fixes for 117 vulnerabilities. This month, there are five zero-day vulnerabilities, of which two are being actively exploited, while all five have been publicly disclosed.

After an initial discussion about this month’s updates, we’ll offer our advice for devising a plan to handle patch management in a hybrid work environment. You can also register for our free Patch Tuesday webinar and listen to our experts break down Patch Tuesday updates in detail.

What is Patch Tuesday?

Patch Tuesday falls on the second Tuesday of every month. On this day, Microsoft releases security and non-security updates for its operating system and other related applications. Since Microsoft has upheld this process of releasing updates in a periodic manner, IT admins expect these updates and have time to gear up for them.

Why is Patch Tuesday important?

Important security updates and patches to fix critical bugs or vulnerabilities are released on Patch Tuesday. Usually, zero-day vulnerabilities are also fixed during Patch Tuesday unless the vulnerability is critical and highly exploited, in which case an out-of-band security update is released to address that particular vulnerability.

October 2024 Patch Tuesday

Security updates lineup  

Here is a breakdown of the vulnerabilities fixed this month:

CVE IDs: 117

Republished CVE IDs: 4 (more details on this below)

Security updates were released for the following products, features, and roles:

• Role: Windows Hyper-V

• Windows Hyper-V

• Windows EFI Partition

• Windows Kernel

• OpenSSH for Windows

• Azure Monitor

• Windows Netlogon

• Windows Kerberos

• BranchCache

• Azure Stack

• Windows Routing and Remote Access Service (RRAS)

• .NET and Visual Studio

• Windows Remote Desktop Licensing Service

• Windows Remote Desktop Services

• Microsoft Configuration Manager

• Service Fabric

• Power BI

• .NET, .NET Framework, Visual Studio

• Visual Studio Code

• DeepSpeed

• Windows Resilient File System (ReFS)

• Windows Common Log File System Driver

• Microsoft Office SharePoint

• Microsoft Office Excel

• Microsoft Office Visio

• Microsoft Graphics Component

• Windows Standards-Based Storage Management Service

• Windows BitLocker

• Windows NTFS

• Internet Small Computer Systems Interface (iSCSI)

• Windows Secure Kernel Mode

• Microsoft ActiveX

• Windows Telephony Server

• Microsoft WDAC OLE DB provider for SQL

• Windows Local Security Authority (LSA)

• Windows Mobile Broadband

• Windows Print Spooler Components

• RPC Endpoint Mapper Service

• Remote Desktop Client

• Windows Kernel-Mode Drivers

• Microsoft Simple Certificate Enrollment Protocol

• Windows Online Certificate Status Protocol (OCSP)

• Windows Cryptographic Services

• Windows Secure Channel

• Windows Storage

• Windows Shell

• Windows NT OS Kernel

• Windows Storage Port Driver

• Windows Network Address Translation (NAT)

• Windows Ancillary Function Driver for WinSock

• Sudo for Windows

• Microsoft Management Console

• Windows MSHTML Platform

• Microsoft Windows Speech

• Microsoft Office

• Windows Remote Desktop

• Winlogon

• Windows Scripting

• Code Integrity Guard

• Visual C++ Redistributable Installer

• Azure CLI

• Visual Studio

• Outlook for Android

• Microsoft Defender for Endpoint

 Learn more in the MSRC’s release notes.

Details of the zero-day vulnerabilities

• CVE-2024-43572

Vulnerable component: Microsoft Management Console

Impact: Remote code execution

CVSS 3.1: 7.8

The score of this vulnerability indicates that it can be exploited locally and requires user intervention. This implies that the attack can be carried out by social engineering attacks and the threat actor can exploit it remotely as well.

Microsoft states, “The security update will prevent untrusted Microsoft Saved Console (MSC) files from being opened to protect customers against the risks associated with this vulnerability.”

This vulnerability has been publicly disclosed and is being actively exploited.

• CVE-2024-43573

Vulnerable component: Windows MSHTML Platform

Impact: Spoofing

CVSS 3.1: 6.5

As per Microsoft, while Internet Explorer 11 and the old version of Edge have been phased out, certain underlying technologies like MSHTML and EdgeHTML are still used by older applications, including Internet Explorer mode in the new Microsoft Edge. These technologies are crucial for running legacy apps, and they require ongoing updates to stay secure.

For users of Windows Server 2008, 2008 R2, and 2012, specific updates related to newer platforms may not apply. However, Microsoft recommends users who install the Security Only updates to install the IE Cumulative updates for this vulnerability.

This vulnerability has been publicly disclosed and is being actively exploited.

• CVE-2024-20659

Vulnerable component: Windows Hyper-V

Impact: Security feature bypass

CVSS 3.1: 7.1

For this vulnerability to be exploited successfully, the attacker first needs to gain access to the restricted network and then make the user boot their system.

The MSRC states, “This Hypervisor vulnerability relates to Virtual Machines within a Unified Extensible Firmware Interface (UEFI) host machine. On some specific hardware it might be possible to bypass the UEFI, which could lead to the compromise of the hypervisor and the secure kernel.”

This vulnerability has been publicly disclosed.

• CVE-2024-43583

Vulnerable component: Winlogon (Windows Logon)

Impact: Elevation of privilege

CVSS 3.1: 7.8

Microsoft states, “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.” It is recommended to enable a Microsoft third-party IME on the devices to address this vulnerability. Learn how to enable a Microsoft third-party IME.

This vulnerability has been publicly disclosed.

• CVE-2024-6197

Vulnerable component: Open Source Curl

Impact: Remote code execution

CVSS 3.1: 8.8

Microsoft states that this attack requires a client to connect to a malicious server, which could allow the attacker to gain code execution privileges on the client. To learn more about the vulnerability, you can refer to the official advisory by Curl.

This vulnerability has been publicly disclosed.

Third-party updates released after last month’s Patch Tuesday

Some third-party vendors such as Fortinet, Cisco, Qualcomm, and Ivanti have also released updates this October.

Republished CVE IDs

Besides the vulnerabilities fixed in this month’s Patch Tuesday, Microsoft has also republished four CVE IDs. These are as follows:

• CVE-2024-6197

• CVE-2024-7025

• CVE-2024-9369

• CVE-2024-9370

Best practices to handle patch management in a hybrid work environment

Most organizations have opted to embrace remote work even after they have been cleared to return to the office. This decision poses various challenges to IT admins, especially in terms of managing and securing distributed endpoints.

Here are a few pointers to simplify the process of remote patching:

• Disable automatic updates because one faulty patch could bring down the whole system. IT admins can educate end users on how to disable automatic updates on their machines. Patch Manager Plus and Endpoint Central also have a dedicated patch, 105427, that can be deployed to endpoints to ensure that automatic updates are disabled.
• Create a restore point—a backup or image that captures the state of the machines—before deploying big updates like those from Patch Tuesday.
• Establish a patching schedule and keep end users informed about it. It is recommended to set up a time for deploying patches and rebooting systems. Let end users know what needs to be done on their end for trouble-free patching.
• Test the patches on a pilot group of systems before deploying them to the production environment. This will ensure that the patches do not interfere with the workings of other applications.
• Since many users are working from home, they all might be working different hours; in this case, you can allow end users to skip deployment and scheduled reboots. This will give them the liberty to install updates at their convenience and avoid disrupting their work. Our patch management products come with options for user-defined deployment and reboot.
• Most organizations are deploying patches using a VPN. To stop patch tasks from eating up your VPN bandwidth, install Critical patches and security updates first. You might want to hold off on deploying feature packs and cumulative updates since they are bulky updates and consume a lot of bandwidth.
• Schedule the non-security updates and security updates that are not rated Critical to be deployed after Patch Tuesday, such as during the third or fourth week of the month. You can also choose to decline certain updates if you feel they are not required in your environment.
• Run patch reports to get a detailed view of the health status of your endpoints.

For machines belonging to users returning to the office after working remotely, check if they are compliant with your security policies. If not, quarantine them. Install the latest updates and feature packs before deeming your back-to-office machines fit for production. Take inventory of and remove apps that are now obsolete for your back-to-office machines, like remote collaboration software.

With Endpoint Central, Patch Manager Plus, or Vulnerability Manager Plus, you can completely automate the entire process of patch management, from testing patches to deploying them. You can also tailor patch tasks according to your current needs. For a hands-on experience with either of these products, try a free, 30-day trial and keep thousands of applications patched and secure.

Want to learn more about Patch Tuesday updates? Join our experts as they break down this month’s Patch Tuesday updates and offer in-depth analysis. You can also ask our experts questions and get answers to all your Patch Tuesday questions. Register for our free Patch Tuesday webinar.

Ready, get set, patch!

The post October 2024 Patch Tuesday comes with fixes for 117 vulnerabilities including 5 zero-days appeared first on ManageEngine Blog.

After an initial discussion about this month’s updates, we’ll offer our advice for devising a plan to handle patch management in a hybrid work environment. You can also register for our free Patch Tuesday webinar and listen to our experts break down Patch Tuesday updates in detail.

What is Patch Tuesday?

Patch Tuesday falls on the second Tuesday of every month. On this day, Microsoft releases security and non-security updates for its operating system and other related applications. Since Microsoft has upheld this process of releasing updates in a periodic manner, IT admins expect these updates and have time to gear up for them.

Why is Patch Tuesday important?

Important security updates and patches to fix critical bugs or vulnerabilities are released on Patch Tuesday. Usually, zero-day vulnerabilities are also fixed during Patch Tuesday unless the vulnerability is critical and highly exploited, in which case an out-of-band security update is released to address that particular vulnerability.

September 2024 Patch Tuesday

Security updates lineup

Here is a breakdown of the vulnerabilities fixed this month:

CVE IDs: 79

Security updates were released for the following products, features, and roles:

• Windows TCP/IP

• SQL Server

• Windows Security Zone Mapping

• Windows Installer

• Microsoft Office SharePoint

• Windows PowerShell

• Windows Network Address Translation (NAT)

• Azure Network Watcher

• Azure Web Apps

• Azure Stack

• Windows Mark of the Web (MOTW)

• Dynamics Business Central

• Microsoft Office Publisher

• Windows Standards-Based Storage Management Service

• Windows Remote Desktop Licensing Service

• Windows Network Virtualization

• Role: Windows Hyper-V

• Windows DHCP Server

• Microsoft Streaming Service

• Windows Kerberos

• Windows Remote Access Connection Manager

• Windows Win32K – GRFX

• Microsoft Graphics Component

• Windows Storage

• Windows Win32K – ICOMP

• Windows Authentication Methods

• Windows Kernel-Mode Drivers

• Windows AllJoyn API

• Microsoft Management Console

• Windows Setup and Deployment

• Windows MSHTML Platform

• Microsoft Office Visio

• Microsoft Office Excel

• Azure CycleCloud

• Windows Admin Center

• Microsoft Dynamics 365 (on-premises)

• Power Automate

• Microsoft Outlook for iOS

• Windows Update

• Microsoft AutoUpdate (MAU)

• Windows Libarchive

 Learn more in the MSRC’s release notes.

Details of the zero-day vulnerabilities

• CVE-2024-38217

Vulnerable component: Windows Mark of the Web (MOTW)

Impact: Security feature bypass

CVSS 3.1: 5.4

This vulnerability allows attackers to exploit the Mark of the Web (MOTW) feature by hosting a malicious file on an attacker-controlled server and tricking a user into downloading and opening it.

Upon a successful exploitation, the attacker could bypass security measures like SmartScreen and Windows Attachment Services, leading to a limited loss of integrity and availability.

This vulnerability has been publicly disclosed and is being actively exploited.

•  CVE-2024-38226

Vulnerable component: Microsoft Publisher

Impact: Security feature bypass

CVSS 3.1: 7.3

This vulnerability allows attackers to bypass Office macro policies designed to block untrusted or malicious files. To exploit the vulnerability, the attacker needs to convince the user to download a specially crafted file via social engineering. Microsoft has also stated that the Preview Pane is not an attack vector.

While it has not yet been publicly disclosed, the vulnerability is being actively exploited.

• CVE-2024-38014

Vulnerable component: Windows Installer

Impact: Elevation of privilege

CVSS 3.1: 7.8

Microsoft states that an attacker can gain SYSTEM privileges on successful exploitation of the vulnerability.

This vulnerability has not yet been publicly disclosed but is being actively exploited.

• CVE-2024-43491

Vulnerable component: Microsoft Windows Update

Impact: Remote Code Execution Vulnerability  

CVSS 3.1: 9.8

This Servicing Stack vulnerability has been actively exploited and has been marked as Critical.

Per Microsoft, “Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015). This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024—KB5035858 (OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability.”

If you would like to know more on the precautions and actions needed to be taken to restore the fixes rolled back by the vulnerability, you can refer to the MSRC blog.

Third-party updates released after last month’s Patch Tuesday

Third-party vendors such as Fortinet, Cisco, Google, Apache, and Ivanti have also released updates this September.

Best practices to handle patch management in a hybrid work environment

Most organizations have opted to embrace remote work even after they have been cleared to return to the office. This decision poses various challenges to IT admins, especially in terms of managing and securing distributed endpoints.

Here are a few pointers to simplify the process of remote patching:

• Disable automatic updates because one faulty patch could bring down the whole system. IT admins can educate end users on how to disable automatic updates on their machines. Patch Manager Plus and Endpoint Central also have a dedicated patch, 105427, that can be deployed to endpoints to ensure that automatic updates are disabled.
• Create a restore point—a backup or image that captures the state of the machines—before deploying big updates like those from Patch Tuesday.
• Establish a patching schedule and keep end users informed about it. It is recommended to set up a time for deploying patches and rebooting systems. Let end users know what needs to be done on their end for trouble-free patching.
• Test the patches on a pilot group of systems before deploying them to the production environment. This will ensure that the patches do not interfere with the workings of other applications.
• Since many users are working from home, they all might be working different hours; in this case, you can allow end users to skip deployment and scheduled reboots. This will give them the liberty to install updates at their convenience and avoid disrupting their work. Our patch management products come with options for user-defined deployment and reboot.
• Most organizations are deploying patches using a VPN. To stop patch tasks from eating up your VPN bandwidth, install Critical patches and security updates first. You might want to hold off on deploying feature packs and cumulative updates since they are bulky updates and consume a lot of bandwidth.
• Schedule the non-security updates and security updates that are not rated Critical to be deployed after Patch Tuesday, such as during the third or fourth week of the month. You can also choose to decline certain updates if you feel they are not required in your environment.
• Run patch reports to get a detailed view of the health status of your endpoints.
• For machines belonging to users returning to the office after working remotely, check if they are compliant with your security policies. If not, quarantine them. Install the latest updates and feature packs before deeming your back-to-office machines fit for production. Take inventory of and remove apps that are now obsolete for your back-to-office machines, like remote collaboration software.

With Endpoint Central, Patch Manager Plus, or Vulnerability Manager Plus, you can completely automate the entire process of patch management, from testing patches to deploying them. You can also tailor patch tasks according to your current needs. For a hands-on experience with either of these products, try a free, 30-day trial and keep thousands of applications patched and secure.

Want to learn more about Patch Tuesday updates? Join our experts as they break down this month’s Patch Tuesday updates and offer in-depth analysis. You can also ask our experts questions and get answers to all your Patch Tuesday questions. Register for our free Patch Tuesday webinar.

Ready, get set, patch!

The post September 2024 Patch Tuesday comes with fixes for 79 vulnerabilities including 4 zero-days appeared first on ManageEngine Blog.

After an initial discussion about this month’s updates, we’ll offer our advice for devising a plan to handle patch management in a hybrid work environment. You can also register for our free Patch Tuesday webinar and listen to our experts break down Patch Tuesday updates in detail.

What is Patch Tuesday?

Patch Tuesday falls on the second Tuesday of every month. On this day, Microsoft releases security and non-security updates for its operating system and other related applications. Since Microsoft has upheld this process of releasing updates in a periodic manner, IT admins expect these updates and have time to gear up for them.

Why is Patch Tuesday important?

Important security updates and patches to fix critical bugs or vulnerabilities are released on Patch Tuesday. Usually, zero-day vulnerabilities are also fixed during Patch Tuesday unless the vulnerability is critical and highly exploited, in which case an out-of-band security update is released to address that particular vulnerability.

August 2024 Patch Tuesday

Security updates lineup 

Here is a breakdown of the vulnerabilities fixed this month:

• CVE IDs: 89 (this count doesn’t include the republished CVE IDs)
• Republished CVE IDs: 12 (more details on this below)

Security updates were released for the following products, features, and roles:

• Windows Secure Kernel Mode

• Windows Kerberos

• Microsoft Windows DNS

• Windows TCP/IP

• Microsoft Office

• Azure Connected Machine Agent

• Windows Kernel

• Windows Power Dependency Coordinator

• Azure Stack

• Azure Health Bot

• Windows IP Routing Management Snapin

• Windows NTFS

• Microsoft Local Security Authority Server (lsasrv)

• Windows Routing and Remote Access Service (RRAS)

• Microsoft Bluetooth Driver

• Microsoft Streaming Service

• Windows Network Address Translation (NAT)

• Windows Clipboard Virtual Channel Extension

• Windows NT OS Kernel

• Windows Resource Manager

• Windows Deployment Services

• Reliable Multicast Transport Driver (RMCAST)

• Windows Ancillary Function Driver for WinSock

• Windows WLAN Auto Config Service

• Windows Layer-2 Bridge Network Driver

• Windows DWM Core Library

• Windows Transport Security Layer (TLS)

• Microsoft WDAC OLE DB provider for SQL

• Windows Security Center

• Azure IoT SDK

• Windows Network Virtualization

• Windows Mobile Broadband

• Windows Update Stack

• Windows Compressed Folder

• Microsoft Dynamics

• .NET and Visual Studio

• Microsoft Office Visio

• Microsoft Office Excel

• Microsoft Office PowerPoint

• Microsoft Office Outlook

• Windows App Installer

• Windows Scripting

• Windows SmartScreen

• Windows Kernel-Mode Drivers

• Microsoft Office Project

• Azure CycleCloud

• Windows Common Log File System Driver

• Microsoft Teams

• Windows Print Spooler Components

• Line Printer Daemon Service (LPD)

• Microsoft Copilot Studio

• Windows Mark of the Web (MOTW)

• Windows Cloud Files Mini Filter Driver

• Microsoft Edge (Chromium-based)

• Windows Initial Machine Configuration

Learn more in the MSRC’s release notes.

Details of the zero-day vulnerabilities

• CVE-2024-38193

Vulnerable component: Windows Ancillary Function Driver for WinSock

Impact: Elevation of Privilege

CVSS 3.1: 7.8

Per Microsoft, an attacker could gain SYSTEM privileges on successful exploitation of this vulnerability.

• CVE-2024-38178

Vulnerable component: Scripting Engine Memory Corruption Vulnerability

Impact: Remote Code Execution

CVSS: 3.1 7.5

For this zero-day vulnerability to be exploited, an authenticated victim should click on a specially crafted URL prepared by the attacker. Clicking the link enables the attacker to initiate remote code execution.

• CVE-2024-38106

Vulnerable component: Windows Kernel

 Impact: Elevation of Privilege

CVSS:3.1 7.0

Microsoft states that the vulnerability can be exploited on winning a RACE condition and grants the attacker access to SYSTEM privileges.

• CVE-2024-38213

Vulnerable component: Windows Mark of the Web

Impact: Security Feature Bypass Vulnerability  

 CVSS 3.1: 6.5

Successful exploitation of this vulnerability allows the attacker to bypass the SmartScreen experience. However, for the exploitation to occur, users must open a malicious file that has been generated and shared by the attacker.

• CVE-2024-38107

Vulnerable component: Windows Power Dependency Coordinator

Impact: Elevation of Privilege Vulnerability   

CVSS 3.1: 7.8

A successful exploitation of this vulnerability enables access to SYSTEM privileges to the threat actor.

• CVE-2024-38189

Vulnerable component: Microsoft Project

Impact: Remote Code Execution Vulnerability  

CVSS 3.1: 8.8

Per Microsoft, “Exploitation requires the victim to open a malicious Microsoft Office Project file on a system where the Block macros from running in Office files from the Internet policy is disabled and VBA Macro Notification Settings are not enabled, allowing the attacker to perform remote code execution.”

Hence, they strongly recommend that users do not disable the Block macros from running in Office files from the Internet policy. The detailed mitigation steps can be found here.

The six above-mentioned vulnerabilities are being actively exploited, so it is strongly recommended to deploy the updates or perform the recommended mitigation steps as soon as possible.

The CVE IDs mentioned below have been publicly disclosed. However, as per Microsoft, the exploitation of these vulnerabilities are either less likely or have not been exploited till now. The following CVE IDs are:

• CVE-2024-38199

  Vulnerable component: Windows Line Printer Daemon (LPD) Service
  Impact: Remote Code Execution Vulnerability
  CVSS 3.1: 9.8

• CVE-2024-21302
  Vulnerable component: Windows Secure Kernel Mode
  Impact: Elevation of Privilege Vulnerability
  CVSS 3.1: 6.7

• CVE-2024-38200 
  Vulnerable component: Microsoft Office 
  Impact: Spoofing 
  CVSS 3.1: 6.5

• CVE-2024-38202 
  Vulnerable component: Windows Update Stack
  Impact: Elevation of Privilege
  CVSS 3.1: 7.3

Republished CVE IDs

Besides the vulnerabilities fixed in this month’s Patch Tuesday, Microsoft has also republished four CVE IDs. These are as follows:

• CVE-2022-2601

• CVE-2022-3775

• CVE-2023-40547

• CVE-2024-6990

• CVE-2024-7255

• CVE-2024-7256

• CVE-2024-7532

• CVE-2024-7533

• CVE-2024-7534

• CVE-2024-7535

• CVE-2024-7536

• CVE-2024-7550

Third-party updates released after last month’s Patch Tuesday

Third-party vendors such as Android, Cisco, and Ivanti have also released updates this August.

Best practices to handle patch management in a hybrid work environment

Most organizations have opted to embrace remote work even after they have been cleared to return to the office. This decision poses various challenges to IT admins, especially in terms of managing and securing distributed endpoints.

Here are a few pointers to simplify the process of remote patching:

• Disable automatic updates because one faulty patch could bring down the whole system. IT admins can educate end users on how to disable automatic updates on their machines. Patch Manager Plus and Endpoint Central also have a dedicated patch, 105427, that can be deployed to endpoints to ensure that automatic updates are disabled.
• Create a restore point—a backup or image that captures the state of the machines—before deploying big updates like those from Patch Tuesday.
• Establish a patching schedule and keep end users informed about it. It is recommended to set up a time for deploying patches and rebooting systems. Let end users know what needs to be done on their end for trouble-free patching.
• Test the patches on a pilot group of systems before deploying them to the production environment. This will ensure that the patches do not interfere with the workings of other applications.
• Since many users are working from home, they all might be working different hours; in this case, you can allow end users to skip deployment and scheduled reboots. This will give them the liberty to install updates at their convenience and avoid disrupting their work. Our patch management products come with options for user-defined deployment and reboot.
• Most organizations are deploying patches using a VPN. To stop patch tasks from eating up your VPN bandwidth, install Critical patches and security updates first. You might want to hold off on deploying feature packs and cumulative updates since they are bulky updates and consume a lot of bandwidth.
• Schedule the non-security updates and security updates that are not rated Critical to be deployed after Patch Tuesday, such as during the third or fourth week of the month. You can also choose to decline certain updates if you feel they are not required in your environment.
• Run patch reports to get a detailed view of the health status of your endpoints.
• For machines belonging to users returning to the office after working remotely, check if they are compliant with your security policies. If not, quarantine them. Install the latest updates and feature packs before deeming your back-to-office machines fit for production. Take inventory of and remove apps that are now obsolete for your back-to-office machines, like remote collaboration software.

With Endpoint Central, Patch Manager Plus, or Vulnerability Manager Plus, you can completely automate the entire process of patch management, from testing patches to deploying them. You can also tailor patch tasks according to your current needs. For a hands-on experience with either of these products, try a free, 30-day trial and keep thousands of applications patched and secure.

Want to learn more about Patch Tuesday updates? Join our experts as they break down this month’s Patch Tuesday updates and offer in-depth analysis. You can also ask our experts questions and get answers to all your Patch Tuesday questions. Register for our free Patch Tuesday webinar.

Ready, get set, patch!

The post August 2024 Patch Tuesday comes with fixes for 89 vulnerabilities and 10 zero-days appeared first on ManageEngine Blog.