Microsoft’s October Patch Tuesday drop has arrived, addressing a total of five publicly disclosed zero-day vulnerabilities – two of them exploited in the wild, and three other critical issues for attention – in a relatively large update.
Although moderate in severity, with CVSS scores of 7.8 and 6.5 respectively, the two exploited zero-days should be top of mind for security teams this month: one is a remote code execution vulnerability in Microsoft Management Console, CVE-2024-43572, and the other a spoofing vulnerability in the Windows MSHTML Platform, CVE-2024-45373.
“October is Cyber Security Awareness Month! What better way to stay cyber-aware than to read up on the latest security updates hitting the market,” said Ivanti security products vice-president Chris Goettl.
“Microsoft resolved 117 new CVEs this month, three of which are rated critical by Microsoft. This month’s line-up has two zero-day exploits that have also been publicly disclosed, putting them at risk of more widespread exploitation. Both of the zero-day vulnerabilities are resolved by this month’s Windows OS update, making that your top priority to reduce risk quickly.”
Of these two, the Microsoft Management Console issue should be urgently addressed, explained Immersive Labs senior director of threat research Kev Breen.
“While the notes say remote code execution, this vulnerability requires user interaction and some degree of social engineering,” he said. “To exploit this vulnerability an attacker must craft a malicious .msc file that, if opened, will run arbitrary code or commands that allow a threat actor to compromise the host.
“This file would typically be sent via email as an attachment or as a link to a download,” said Breen. “After patching, security teams and threat hunters should proactively check historical logs for indicators of these files being sent and received.”
Monitoring and blocking
Breen added that those unable to deploy the patch right away should consider adding monitoring and blocking rules targeting .msc files; once deployed, the fix also prevents these files from executing on the system.
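As an added illustration of the log review Breen describes (example code written for this article, not from Microsoft or Immersive Labs), the script below scans constructed mail-gateway log lines for .msc attachments and download links, matching the extension case-insensitively and on the URL path so a query string cannot hide it; the log format and field names are assumptions.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed sample mail-gateway log (not real data): one event per line as
# key=value pairs; attachments and urls are comma-separated lists in quotes.
SAMPLE_LOG = """\
ts=2024-10-09T08:01:12Z from=hr@example.com to=alice@corp.example attachments="Payroll_Q3.xlsx" urls=""
ts=2024-10-09T08:03:44Z from=it-helpdesk@example.net to=bob@corp.example attachments="Console_Update.MSC" urls=""
ts=2024-10-09T08:05:02Z from=news@example.org to=carol@corp.example attachments="" urls="https://files.example.org/get?id=77,https://cdn.example.org/tools/diag.msc?dl=1"
ts=2024-10-09T08:07:19Z from=vendor@example.com to=dave@corp.example attachments="invoice.pdf.msc,invoice.pdf" urls="https://portal.example.com/login"
"""

# key="quoted value" or key=bare_value (assumed log layout)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict; quoted values may be empty."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields

def is_msc_name(name):
    """True if a file name or URL path ends in .msc, whatever the letter case."""
    return name.lower().endswith(".msc")

def url_is_msc(url):
    """Check only the decoded URL path, so '?dl=1' after the name is ignored."""
    return is_msc_name(unquote(urlparse(url).path))

def find_msc_indicators(log_text):
    """Return (ts, from, to, indicator) for every .msc attachment or link seen."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f:
            continue
        attachments = [a for a in f.get("attachments", "").split(",") if a]
        urls = [u for u in f.get("urls", "").split(",") if u]
        for a in attachments:
            if is_msc_name(a):
                hits.append((f["ts"], f["from"], f["to"], a))
        for u in urls:
            if url_is_msc(u):
                hits.append((f["ts"], f["from"], f["to"], u))
    return hits

if __name__ == "__main__":
    for hit in find_msc_indicators(SAMPLE_LOG):
        print("MSC indicator:", *hit)
```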
Meanwhile, Breen’s colleague Nikolas Cemerikic, cyber security engineer at Immersive Labs, ran the rule over CVE-2024-45373. He said: “The vulnerability allows an attacker to trick users into viewing malicious web content, which could appear legitimate due to the way the platform handles certain web elements.
“Once a user is deceived into interacting with this content, typically through phishing attacks, the attacker can potentially gain unauthorised access to sensitive information or manipulate web-based services. Importantly, this attack requires no special permissions or knowledge of the user’s system, making it relatively easy for cyber criminals to execute.”
Though rated lower in severity, it is already being exploited, which makes it a serious concern for large organisations, particularly those running many legacy web applications: the MSHTML platform underpins the now-retired Internet Explorer, for example, and is still widely used for compatibility reasons.
This, said Cemerikic, creates risk for employees using older systems in their everyday work, “especially if they are accessing sensitive data or performing financial transactions online”.
Curl up and die
The three other publicly disclosed bugs comprise CVE-2024-6197, an RCE issue in open source Curl; CVE-2024-20659, a security feature bypass issue in Windows Hyper-V; and CVE-2024-43583, an elevation of privilege vulnerability in Winlogon. All three carry CVSS scores of between seven and eight, but none are yet known to be exploited.
The first of these, affecting the widely used open source Curl library, stems from an issue that arises when memory not allocated on the heap is improperly freed, leading to undefined behaviour that can be exploited to execute code, explained Mike Walters, president and co-founder of Action1.
Walters said this was particularly concerning as it impacts the fundamental architecture of memory management in Curl, which is integral to data transfers in multiple network protocols. While Windows doesn’t typically ship with the Curl library, it does include its command line tool, hence the alert.
“Possible consequences of exploiting this vulnerability include execution of remote code on the client system by an attacker; compromised systems becoming gateways for data exfiltration or further network infiltration, [and] full control over the affected client, potentially leading to widespread malware distribution or misuse,” said Walters.
“Attackers could use this vulnerability to conduct man-in-the-middle [MitM] attacks by redirecting client requests to malicious servers. If combined with vulnerabilities that allow for network lateral movement, this could significantly enhance an attacker’s capability to infiltrate and control vast portions of an enterprise’s network.
“Given Curl’s prevalence across both open-source and proprietary systems, its footprint is vast,” he said.
The Winlogon EoP flaw, meanwhile, stems from improper handling of processes during the system login phase, and is facilitated by underlying weaknesses in how Winlogon interacts with Input Method Editors (IMEs), especially third-party ones.
“This vulnerability could be used in a multi-step attack, where initial access might be obtained through another local exploit or social engineering tactics,” said Walters. “Once remote attackers gain local access, leveraging this EoP vulnerability could enable deeper penetration into secured environments.
“Organisations using Windows systems are at significant risk, especially those that utilise third-party IMEs for linguistic or regional purposes. This vulnerability is particularly pertinent in diverse settings where multilingual support is crucial, such as in global enterprises or educational institutions,” he added.
As to the third, the Hyper-V vulnerability, the good news is that it may be somewhat less impactful, although this does not make it any less worthy of attention, as Tyler Reguly, Fortra associate director of security research and development, explained.
“Thankfully … there are a number of criteria that make it less likely that we’ll see this vulnerability exploited,” said Reguly.
“Microsoft indicates that only certain hardware is impacted, which could allow the bypass of UEFI and lead to a compromise of the hypervisor. This would require that the system first be rebooted and that the attacker have access to the local network, as Microsoft has marked the attack vector in the CVSS score with the rarely seen adjacent value, meaning the attack must originate from the same physical or logical network.”