Image: Microsoft Israel (עמית גירון / WikiMedia Commons)

Hackers have sights set on four Microsoft vulnerabilities, CISA warns

Federal civilian agencies across the U.S. government have until the end of the month to patch four actively exploited vulnerabilities in Microsoft products after CISA added them to its Known Exploited Vulnerabilities (KEV) catalog on Tuesday. 

The Cybersecurity and Infrastructure Security Agency (CISA) said the four vulnerabilities affect widely used Microsoft tools and are already being exploited by hackers.

The four bugs — CVE-2024-38226, CVE-2024-43491, CVE-2024-38014 and CVE-2024-38217 — were part of the 79 vulnerabilities included in the monthly security release from Microsoft. 

Randy Watkins, CTO at cybersecurity firm Critical Start, warned that the vulnerabilities demand urgent attention, especially for organizations in industries like healthcare, finance and government. 

“Organizations must prioritize these updates,” he said. “With attackers constantly evolving their tactics, failure to patch could leave organizations exposed to not just data theft, but also significant operational downtime.”

‘Part of an attack chain’

The vulnerabilities affect widely deployed components: Windows Update, Microsoft Publisher, Windows Installer and Mark of the Web, a feature that, ironically, exists to warn users about potentially unsafe files. 

Several experts said CVE-2024-43491 appeared to be the most concerning of the bunch because Microsoft gave it a CVSS severity score of 9.8 out of 10. 

But on closer inspection, researchers pointed out that Microsoft's description of the issue limits it to a single, very old release: Windows 10 version 1507, the original build shipped in July 2015. Later versions of Windows 10 are not affected, according to Microsoft. 

Action1 founder Mike Walters said the vulnerability emerged due to a rollback of fixes for certain previously-mitigated bugs following the installation of security updates from March to August 2024. 

“All in all, while there are certainly more than a few organizations out there still running [the affected] Windows 10 1507, most admins can breathe a sigh of relief on this one, and then go back to worrying about everything else,” said Rapid7’s Adam Barnett.

Experts said CVE-2024-38226 — the vulnerability affecting Microsoft Publisher, a program for page layout and graphic design — would likely be used as part of a chain of attacks because it allows hackers to bypass security features. 

An attacker would most likely exploit the bug by getting a target to open a malicious Publisher document, typically delivered by phishing. 

CVE-2024-38014 — affecting Windows Installer — would also likely be used as part of a larger attack chain because it allows a local user with low privileges to elevate their access. Walters said it would allow an attacker to gain “full control over the host system, including system modifications, arbitrary software installations, and potentially disabling security measures.”

“When combined with other attack vectors, this… vulnerability can enable sophisticated and damaging intrusion campaigns, allowing attackers to potentially navigate through defenses and achieve administrative control,” Walters said. 

“It can act as a secondary stage in multi-vector attacks, where an initial breach through another vulnerability is escalated using CVE-2024-38014. Given the Windows Installer’s critical role across various Windows versions, both enterprise environments and individual user devices are at risk, accounting for potentially thousands of vulnerable organizations and millions of devices.”

The last of the four — CVE-2024-38217 — is another vulnerability affecting Windows Mark of the Web, the security feature that tags files downloaded from the internet so that Windows and Office apply extra warnings and protections before they are opened.

Hackers have targeted the feature for months, and Qualys Threat Research Unit manager Saeed Abbasi explained that the vulnerability allows attackers to manipulate security warnings that typically inform users about the risks of opening files from unknown or untrusted sources. 

“Similar [Mark of the Web] bypasses have historically been linked to ransomware attacks, where the stakes are high,” he said. “Given the exploit's public disclosure and confirmed exploitation, it is a prime vector for cybercriminals to infiltrate corporate networks.”

Rapid7’s Barnett noted that exploit code for the vulnerability is also available on GitHub.
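The warnings Abbasi describes are driven by a tag on disk, and the practical check after any Mark of the Web bypass is whether downloaded files still carry it. The PowerShell script below is an added example written for this page, not code from Microsoft, Qualys, Rapid7 or any of the researchers quoted. It reads the Zone.Identifier alternate data stream in which Windows stores Mark of the Web and lists files under a folder that either lack the stream or carry a zone below the Internet zone. The demo folder, file names and HostUrl value are constructed for the example.

```powershell
# Added example, not from the article: audit a folder for Mark of the Web (MotW).
# Windows stores MotW as an NTFS alternate data stream named "Zone.Identifier"
# that contains "[ZoneTransfer]" and a ZoneId (3 = Internet, 4 = Restricted Sites).
# SmartScreen, Office Protected View and the "this file came from another computer"
# prompt all key off that stream. A file that reaches disk without it, or with the
# stream stripped, produces no warning, which is the end state of a MotW bypass.

function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$FilePath)

    $zoneId   = $null
    $referrer = $null
    $hostUrl  = $null
    try {
        # -Stream reads the alternate data stream; it throws when the stream is absent.
        $lines = Get-Content -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction Stop
        foreach ($line in $lines) {
            if     ($line -match '^ZoneId=(\d+)\s*$')   { $zoneId   = [int]$Matches[1] }
            elseif ($line -match '^ReferrerUrl=(.+)$')  { $referrer = $Matches[1] }
            elseif ($line -match '^HostUrl=(.+)$')      { $hostUrl  = $Matches[1] }
        }
    } catch {
        # No Zone.Identifier stream: the file was never tagged, or the tag was
        # removed (Unblock-File does exactly this).
    }

    [pscustomobject]@{
        File     = $FilePath
        HasMotw  = ($null -ne $zoneId)
        ZoneId   = $zoneId
        Referrer = $referrer
        HostUrl  = $hostUrl
    }
}

function Find-UntaggedFiles {
    # Report files with no MotW, or a ZoneId below 3 (Local, Intranet, Trusted),
    # since none of those trigger Internet-zone warnings.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse |
        ForEach-Object { Get-MotwInfo -FilePath $_.FullName } |
        Where-Object { -not $_.HasMotw -or $_.ZoneId -lt 3 }
}

# --- Constructed demo input so the script runs offline on any NTFS volume ---
$demo = Join-Path $env:TEMP ("motw-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null

# 1) A file tagged the way a browser download is tagged (hypothetical HostUrl).
$tagged = Join-Path $demo 'invoice.docm'
Set-Content -LiteralPath $tagged -Value 'not a real macro document'
Set-Content -LiteralPath $tagged -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]',
    'ZoneId=3',
    'HostUrl=https://example.invalid/invoice.docm'
)

# 2) The same content that reached disk without a tag, as a MotW bypass would leave it.
$untagged = Join-Path $demo 'invoice-copy.docm'
Set-Content -LiteralPath $untagged -Value 'not a real macro document'

Write-Host "Files under $demo with no MotW or a zone below Internet:"
Find-UntaggedFiles -Path $demo | Format-Table File, HasMotw, ZoneId -AutoSize

Remove-Item -LiteralPath $demo -Recurse -Force
```

Point `Find-UntaggedFiles` at a real Downloads folder or a mail attachment cache to find files that arrived from the internet without the tag; the `Referrer` and `HostUrl` fields, when present, also tell you where a tagged file came from, which is useful during incident triage.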

Several other companies released Patch Tuesday security updates, highlighting severe bugs in products from Ivanti, Cisco, Adobe, Fortinet and more.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.