On Tuesday, Microsoft released its October 2024 Patch Tuesday update, which addresses 118 security vulnerabilities, including five publicly disclosed zero-days, two of which are being actively exploited in the wild.
Of the 118 flaws, 3 are rated critical, 108 important, and 7 low severity. The vulnerabilities span a range of products, including Azure CLI, Microsoft Defender for Endpoint, Microsoft Office, Microsoft Edge, Visual Studio, Windows Storage, Windows Remote Desktop, DeepSpeed, and various Windows 10, Windows 11, and Windows Server components.
The three vulnerabilities marked “critical” are all remote code execution (RCE) flaws, which, if exploited, could allow an attacker to run arbitrary code on your device.
- CVE-2024-43582: Affects Windows Remote Desktop. “To exploit this vulnerability, an unauthenticated attacker would need to send malformed packets to a RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service,” said Microsoft. However, successfully exploiting this vulnerability requires an attacker to win a race condition.
- CVE-2024-43488: This vulnerability affects the Visual Studio Code extension for Arduino. According to its advisory, Microsoft has already fully mitigated this vulnerability, so users of the extension need take no action.
- CVE-2024-43468: Affects Microsoft Configuration Manager. According to Microsoft, “An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database.”
Further, the two actively exploited zero-day vulnerabilities in the wild that Microsoft has addressed in the October 2024 Patch Tuesday update are:
- CVE-2024-43573 – Windows MSHTML Platform Spoofing Vulnerability
This spoofing vulnerability affects Windows MSHTML, a browser rendering engine used by Windows apps, including Internet Explorer and Microsoft Office products, to render web content.
“While Microsoft has announced retirement of the Internet Explorer 11 application on certain platforms and the Microsoft Edge Legacy application is deprecated, the underlying MSHTML, EdgeHTML, and scripting platforms are still supported. The MSHTML platform is used by Internet Explorer mode in Microsoft Edge as well as other applications through WebBrowser control,” Microsoft explains in its advisory.
“The EdgeHTML platform is used by WebView and some UWP applications. The scripting platforms are used by MSHTML and EdgeHTML but can also be used by other legacy applications. Updates to address vulnerabilities in the MSHTML platform and scripting engine are included in the IE Cumulative Updates; EdgeHTML and Chakra changes are not applicable to those platforms.”
- CVE-2024-43572 – Microsoft Management Console Remote Code Execution Vulnerability
This vulnerability allows malicious Microsoft Saved Console (MSC) files to achieve RCE on targeted devices. To protect customers against the risks associated with it, Microsoft has mitigated the flaw by preventing untrusted MSC files from being opened.
Additionally, there are three other disclosed zero-day vulnerabilities that have not been actively exploited, though Microsoft considers them “important” to patch:
- CVE-2024-6197: This RCE flaw affects the Windows cURL implementation and requires a client to connect to a malicious server. The chances of this flaw being exploited are very low, as it requires user interaction to select the server and communicate with it.
- CVE-2024-43583: This is a Winlogon Elevation of Privilege vulnerability, which, if successfully exploited, could allow an attacker to gain SYSTEM privileges.
- CVE-2024-20659: This Hyper-V security feature bypass vulnerability relates to Virtual Machines within a Unified Extensible Firmware Interface (UEFI) host machine. If successfully exploited, attackers can bypass the UEFI host machine and compromise virtual machines inside it.
To install the October 2024 Patch Tuesday security updates, go to Settings > Update & Security > Windows Update and then click the Check for updates button.
You can check out the comprehensive list of vulnerabilities Microsoft addresses in the October 2024 Patch Tuesday security updates here.