Microsoft’s October security update addressed a substantial 117 vulnerabilities, including two actively exploited flaws and three publicly disclosed but as yet unexploited bugs.
The update is the third largest so far this year in terms of disclosed CVEs, after April’s 147 CVEs and July’s set of 139 flaws.
A plurality of the bugs (46) enables remote code execution (RCE), and 28 others give threat actors a way to elevate privileges. The remaining vulnerabilities include those that enable spoofing, denial of service, and other malicious outcomes. As always, the CVEs affected a wide range of Microsoft technologies, including the Windows operating system, Microsoft’s Hyper-V virtualization technology, Windows Kerberos, Azure, Power BI, and .NET components.
Actively Exploited Bugs
The two vulnerabilities in the October update that attackers are actively exploiting are also the ones that merit immediate attention.
One of them is CVE-2024-43573, a spoofing vulnerability in MSHTML, the Trident legacy browsing engine for Internet Explorer that Microsoft still includes in modern versions of Windows to maintain backward compatibility. The bug is similar to CVE-2024-38112 and CVE-2024-43461, which Microsoft disclosed in MSHTML in July and September, respectively, and which the Void Banshee group has been actively exploiting. Another unusual aspect of the bug: Microsoft has not credited anyone for reporting or discovering it.
Organizations should not allow Microsoft’s moderate severity assessment for CVE-2024-43573 to lull them into thinking the bug does not merit immediate attention, researchers at Trend Micro’s Zero Day Initiative wrote in a blog post. “There’s no word from Microsoft on whether it’s [Void Banshee], but considering there is no acknowledgment here, it makes me think the original patch was insufficient,” the ZDI post noted. “Either way, don’t ignore this based on the severity rating. Test and deploy this update quickly.”
The other zero-day that attackers are currently exploiting is CVE-2024-43572, an RCE flaw in Microsoft Management Console (MMC). Microsoft said its patch prevents “untrusted Microsoft Saved Console (MSC) files from being opened to protect customers against the risks associated with this vulnerability.”
Earlier this year, researchers at Elastic Security reported observing threat actors using specially crafted MMC files, dubbed GrimResource, for initial access and defense evasion purposes. However, it is not immediately clear whether the attackers were exploiting CVE-2024-43572 in that campaign or some other bug. Microsoft did not address the point in this most recent patch update.
Publicly Known but Unexploited — for the Moment
The three other zero-day bugs that Microsoft disclosed as part of its October security update — but which attackers have not exploited yet — are CVE-2024-6197, a remote code execution vulnerability in the open source cURL command line tool; CVE-2024-20659, a moderate severity security bypass vulnerability in Windows Hyper-V; and CVE-2024-43583, a WinLogon elevation of privilege vulnerability.
Mike Walters, president and co-founder of Action 1, said organizations should prioritize patching CVE-2024-6197. Though Microsoft has assessed the vulnerability as something that attackers are less likely to exploit, Walters expects to see proof-of-concept code for the flaw become available soon. “This vulnerability is particularly concerning, because it impacts the fundamental architecture of memory management in cURL, a tool integral to data transfers across various network protocols,” Walters wrote in a blog post. “The affected systems include those using cURL or libcurl, the underlying library that powers numerous applications on diverse platforms.”
Meanwhile, organizations using third-party input method editors (IMEs) that allow users to type in different languages are at particular risk from CVE-2024-43583, the WinLogon elevation of privilege flaw, Walters added. “This vulnerability is particularly pertinent in diverse settings where multilingual support is crucial, such as in global enterprises or educational institutions,” he said. Attackers could exploit the vulnerability as part of a broader attack chain to compromise affected environments, he said.
Other Critical Bugs that Need Attention Now
Microsoft assessed just three of the 117 vulnerabilities it disclosed this week as critical. All three are RCEs: CVE-2024-43468 in Microsoft Configuration Manager, CVE-2024-43582 in the Remote Desktop Protocol (RDP) server, and CVE-2024-43488 in the Visual Studio Code extension for Arduino.
CVE-2024-43468 highlights some memory safety concerns with Microsoft Configuration Manager, Cody Dietz, a researcher with Automox, wrote in a blog post. “Successful exploitation of this vulnerability can allow for lateral movement throughout a network and offers the potential to deploy malicious configurations to other systems.” In addition to immediately patching the vulnerability, organizations should consider using an alternate service account to mitigate risk, Dietz said.
Automox also highlighted CVE-2024-43533, a high-severity bug in RDP. The bug is present in the RDP client and enables attackers to execute arbitrary code on a client machine. “Unlike typical RDP vulnerabilities targeting servers, this one flips the script, offering a unique attack vector against clients,” Tom Bowyer, director of IT security at Automox, wrote in the company’s blog post.
“This vulnerability opens the door for back-hacks,” Bowyer added, “where attackers set up rogue RDP servers to exploit scanning activities from entities like nation-states or security companies.”