Microsoft has released security updates to fix a total of 118 vulnerabilities across its software portfolio, two of which are under active exploitation in the wild.
Of the 118 flaws, three are rated Critical, 113 are rated Important, and two are rated Moderate in severity. The Patch Tuesday update does not include the 25 additional flaws that the tech giant has addressed in its Chromium-based Edge browser over the past month.
Five of the vulnerabilities were publicly known at the time of release, and two of them are being actively exploited as zero-days:
- CVE-2024-43572 (CVSS score: 7.8) – Microsoft Management Console Remote Code Execution Vulnerability (Exploitation Detected)
- CVE-2024-43573 (CVSS score: 6.5) – Windows MSHTML Platform Spoofing Vulnerability (Exploitation Detected)
- CVE-2024-43583 (CVSS Score: 7.8) – Winlogon elevation of privilege vulnerability
- CVE-2024-20659 (CVSS Score: 7.1) – Windows Hyper-V security feature bypass vulnerability
- CVE-2024-6197 (CVSS score: 8.8) – Open Source Curl Remote Code Execution Vulnerability (non-Microsoft CVE)
It is worth noting that CVE-2024-43573 is similar to CVE-2024-38112 and CVE-2024-43461, two other MSHTML spoofing flaws that were exploited by the Void Banshee threat actor to deliver the Atlantida Stealer malware before July 2024.
Microsoft did not say how the two vulnerabilities are being exploited in the wild, by whom, or how widespread the attacks are. The company credited researchers Andres and Shady for reporting CVE-2024-43572, but gave no acknowledgment for CVE-2024-43573, raising the possibility that it is a patch bypass.
“Since the discovery of CVE-2024-43572, Microsoft has been preventing untrusted MSC files from being opened on the system,” said Satnam Narang, senior research engineer at Tenable, in a statement shared with The Hacker News.
Active exploitation of CVE-2024-43572 and CVE-2024-43573 was also flagged by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which added both to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by October 29, 2024.
Of all the flaws disclosed by Redmond on Tuesday, the most severe is a remote code execution vulnerability in Microsoft Configuration Manager (CVE-2024-43468, CVSS score: 9.8), which could allow an unauthenticated attacker to execute arbitrary commands.
“An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment that are handled in an insecure manner, allowing the attacker to execute commands on the server and/or the underlying database,” Microsoft said.
The other two Critical-severity flaws are also remote code execution bugs, one in the Visual Studio Code extension for Arduino (CVE-2024-43488, CVSS score: 8.8) and the other in the Remote Desktop Protocol (RDP) server (CVE-2024-43582, CVSS score: 8.1).
“The exploit requires an attacker to send specially crafted packets to a Windows RPC host and causes code execution in the context of the RPC service, although what this means in practice may depend on factors including RPC interface limit configuration on the target asset,” Adam Barnett, lead software engineer at Rapid7, said of CVE-2024-43582.
“One good caveat: the complexity of the attack is high, as the attacker has to win the race to gain improper memory access.”
Third-party software patches
Outside of Microsoft, other vendors have also released security updates over the past few weeks to address several vulnerabilities, including: