Microsoft has released the October 2024 Patch Tuesday, addressing a total of 117 Common Vulnerabilities and Exposures (CVEs). This month’s Microsoft Patch Tuesday update includes three vulnerabilities rated as critical, 113 classified as important, and one rated moderate. Notably, among these vulnerabilities are two zero-days actively exploited in the wild: CVE-2024-43573 and CVE-2024-43572.
Zero-day vulnerabilities pose some of the most malicious threats, as they are actively exploited before patches are available. This section explores the recently discovered zero-day vulnerabilities identified in Microsoft products, highlighting their severity, potential impact, and the urgent need for updates to protect systems from exploitation.
Microsoft Management Console (CVE-2024-43572)
Microsoft Management Console (MMC) has been updated to patch CVE-2024-43572, an important remote code execution (RCE) vulnerability with a CVSS score of 7.8. This flaw allows malicious Microsoft Saved Console (MSC) files to execute code on affected devices, potentially compromising sensitive information such as command history stored in console windows.
Microsoft has not disclosed specific details regarding the exploitation methods, but the security update aims to prevent untrusted MSC files from being opened, mitigating the risk of exploitation.
Windows MSHTML Platform (CVE-2024-43573)
Another critical update addresses CVE-2024-43573, a moderate spoofing vulnerability affecting the Windows MSHTML Platform. With a CVSS score of 6.5, this vulnerability impacts a variety of applications within the Microsoft 365 suite and also affects Internet Explorer 11 and Legacy Microsoft Edge browsers.
The MSHTML platform has been a frequent target for attackers, having been exploited multiple times in recent years. Microsoft has not released further details on how this vulnerability was discovered or exploited, leaving the door open for further scrutiny.
Key Insights from Security Experts
Commenting on the October 2024 Patch Tuesday, Satnam Narang, Senior Staff Research Engineer at Tenable, highlighted the seriousness of the vulnerabilities addressed. “This month, Microsoft patched two zero-day vulnerabilities that were exploited in the wild. CVE-2024-43573 is a spoofing bug in the Windows MSHTML platform, marking the fourth such zero-day in this area in 2024, following earlier vulnerabilities CVE-2024-30040, CVE-2024-38112, and CVE-2024-43461.”
Narang elaborated on the implications of these vulnerabilities, noting the necessity of user interaction for successful exploitation, typically through social engineering tactics.
“CVE-2024-43572 is a code execution flaw in Microsoft Management Console that was also exploited in the wild. While specific details about the exploitation remain unknown, the patch follows the discovery of a technique called GrimResource, which leveraged an old cross-site scripting (XSS) vulnerability alongside crafted MSC files to gain code execution privileges.”
Breakdown of Vulnerabilities Addressed
The October 2024 Patch Tuesday not only tackled zero-day vulnerabilities but also addressed a range of other critical issues across various Microsoft products. Remote code execution (RCE) vulnerabilities made up 35.9% of the patched vulnerabilities, while elevation of privilege (EOP) vulnerabilities constituted 23.9%.
Critical Vulnerabilities Overview
- CVE-2024-43468: A critical RCE vulnerability in Microsoft Configuration Manager with a staggering CVSS score of 9.8. Exploitation could allow unauthenticated attackers to execute code remotely, posing significant risks to system integrity. Microsoft advises affected customers to install an in-console update promptly.
- CVE-2024-43488: This critical flaw affects the Visual Studio Code extension for Arduino, which has a CVSS score of 8.8. Due to improper authentication, attackers can execute code on affected systems through network-based attacks. To mitigate risks, Microsoft has removed the extension from its marketplace and recommends using the Arduino IDE software instead.
- CVE-2024-43582: This critical RCE vulnerability in the Remote Desktop Protocol Server carries a CVSS score of 8.1. It allows unauthenticated attackers to execute arbitrary code by sending specially crafted Remote Procedure Call (RPC) requests. Given the nature of this bug, it has the potential to be self-propagating if not addressed swiftly.
Conclusion
It is crucial for users and administrators to prioritize the updates released in the Microsoft Patch Tuesday 2024 to mitigate potential risks. Organizations must also take proactive steps to educate their employees about the threats posed by social engineering and the importance of identifying untrusted files, particularly MSC files that could lead to remote code execution.