September Windows update addresses critical vulnerabilities with TCP/IP fixes

The September Windows update package appears less urgent than some of the recent ones, yet it still provides a set of essential security fixes. One of the more exciting components being patched is Windows Update itself.

The most significant fix is the cumulative update for Windows 10, addressing the vulnerability CVE-2024-43491. This vulnerability is related to improper handling of optional components during the installation of the servicing stack update. The high complexity of the Windows Update service and its local installer (TrustedInstaller) eventually led to issues with applying updates.

This problem could have been very serious (unpatched vulnerabilities despite installed fixes) if it had affected more systems. However, the bug in Windows Update only affects version 2015 LTSB, the oldest compilation of Windows 10 in the Enterprise version. Interestingly, the automatic update client for Microsoft's Mac systems also received a patch (CVE-2024-43492).

Among the vulnerabilities addressed, two flaws in TCP/IP stand out. These flaws could allow control of the computer through the transmission of a malicious packet. Recently, such a problem was closely related to IPv6. Flaws in the network stack itself are dangerous and cannot be mitigated by a firewall that operates "higher up."

This time, however, the TCP/IP flaws (CVE-2024-21416 and CVE-2024-38045) involve non-standard configurations (NetNAT service) in unusually behaving networks, requiring detailed knowledge of the attacked system. Therefore, it is a much smaller issue than the "touch-free" hole in the IPv6 implementation.

Windows also received a fix related to the libarchive component, which provides RAR archive support (CVE-2024-43495). Previously, it was possible to execute code during the decompression of a malicious archive. Although the issue concerns lib archive, it seems to be limited to Windows. Libarchive itself released a new version in April.

This time, Microsoft correctly calculated vulnerability metrics, describing it as local rather than network-based only because "a malicious file must be downloaded." However, this does not mean the end of issues with Microsoft's vulnerability assessments, as the hole in MMC, CVE-2024-38259, undoubtedly local, was described as potentially exploitable remotely.

The update for Windows 10 weighs approximately 1.4GB, for Windows 11 - 1.5GB, and the set of fixes for the yet-to-be-released official version 24H2 is about 1.0GB. As usual, the largest update was prepared for Windows Server 2016. All patches are available in the Microsoft Update Catalog, but naturally, they will be automatically downloaded by Automatic Updates.