Microsoft has released patches for 90 vulnerabilities, including 10 zero-day flaws, with six of these zero-day vulnerabilities currently being exploited. The zero-day vulnerabilities are: CVE-2024-38189, CVE-2024-38178, CVE-2024-38193, CVE-2024-38106, CVE-2024-38107, CVE-2024-38213, CVE-2024-38200, CVE-2024-38199, CVE-2024-21302, and CVE-2024-38202.

Affected products include, but are not limited to:

• Windows OS: 10 and 11.

• Windows Server: 2016, 2019, 2022.

• Microsoft SQL Server: 2016, 2017, 2019, 2022.

• Microsoft Office: 2016, 2019, and Microsoft 365.

Security Risks

Successful exploitation of unpatched vulnerabilities in Microsoft products may enable authenticated attackers to remotely take control of vulnerable systems, executing malicious code with elevated privileges.

For the full list of security patches released by Microsoft, please refer to Microsoft Security Update Guide. and apply the necessary updates.

Recommended Actions

The National Cyber Security Authority (NCSA) recommends users and administrators:

1. Apply the latest security patches, as soon as possible, to prevent unauthorized control over unpatched systems.

2. Upgrade immediately to the latest supported version of installed Microsoft software in order to continue receiving technical support and security patches.

The following Microsoft software products reached their end-of-life and need to be upgraded immediately:

• Windows Vista, XP, 8 and 7

• Windows Server 2003, 2003 RE, 2008, 2008 RE, 2008 SP2, 2012 and 2012 R2

• Exchange Server 2003, 2007, 2010, 2013

• Microsoft SQL Server 2005, 2008, 2012

• Microsoft Office 2013

• Microsoft Office for Mac: 2016, 2019

3. Before any updating task, ensure you have a current tested backup of your data.

For further information and support, please contact the National Cyber Security Authority (NCSA) by emailing rwcsirt@ncsa.gov.rw or calling us on 9009.

References
   Release Note - August 2024.