Federal agencies across the U.S. must address four significant vulnerabilities in Microsoft products by the end of the month, following their public disclosure on Tuesday. The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about these flaws, which are already being exploited by cybercriminals.
The vulnerabilities, identified as CVE-2024-38226, CVE-2024-43491, CVE-2024-38014, and CVE-2024-38217, were part of Microsoft’s latest security release, which included 79 flaws. Experts emphasize the urgency of patching these issues, especially for sectors like healthcare, finance, and government.
Randy Watkins, CTO of Critical Start, stressed the importance of addressing these vulnerabilities, warning that neglect could result in data breaches and operational disruptions.
Among the vulnerabilities, CVE-2024-43491 is particularly concerning, with a 9.8 severity score, although it only affects a specific Windows 10 version from July 2015. Action1's Mike Walters highlighted that the vulnerability resulted from a rollback of previous fixes.
CVE-2024-38226, affecting Microsoft Publisher, and CVE-2024-38014, targeting Windows Installer, are also part of attack chains, potentially allowing hackers to escalate system privileges and take control of devices.
The final vulnerability, CVE-2024-38217, targets Windows Mark of the Web, a tool that flags risky downloaded files. Hackers have been exploiting this feature to bypass security warnings, increasing the risk of ransomware attacks. According to Saeed Abbasi from Qualys, the vulnerability poses a significant threat, as exploit codes are already publicly available.
Several other companies, including Ivanti, Cisco, Adobe, and Fortinet, also released critical patches for their products as part of Patch Tuesday updates.
