Microsoft's October Patch Tuesday Fixes 118 Flaws, Including 5 Zero-Days


Microsoft's October 2024 Patch Tuesday is here, bringing security updates for 118 vulnerabilities, including 5 publicly disclosed zero-day vulnerabilities, with two of them being actively exploited.

This update also addresses three critical remote code execution vulnerabilities.

Here’s a breakdown of the vulnerabilities by type:

  • 28 Elevation of Privilege vulnerabilities
  • 7 Security Feature Bypass vulnerabilities
  • 43 Remote Code Execution vulnerabilities
  • 6 Information Disclosure vulnerabilities
  • 26 Denial of Service vulnerabilities
  • 7 Spoofing vulnerabilities

This total excludes three Microsoft Edge vulnerabilities that were patched earlier in October.


The Actively Exploited Zero-Days

These two vulnerabilities are confirmed to be actively exploited by cyber criminals, and it is critical that they are patched immediately.


CVE-2024-43572 - Microsoft Management Console (MMC) Remote Code Execution Vulnerability. MMC is an oft-targeted component of the Windows operating system.

This vulnerability allowed attackers to exploit malicious Microsoft Saved Console (MSC) files to execute remote code on vulnerable systems.

Microsoft addressed this issue by preventing untrusted MSC files from being opened.

"The security update ensures that untrusted Microsoft Saved Console (MSC) files can no longer be opened, mitigating the risks associated with this flaw," Microsoft explained.

The flaw carries a CVSS severity score of 7.8/10.
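Defender-side triage that follows from the fix described above, added here as an example and not Microsoft's code. It assumes that "untrusted" corresponds to a Zone.Identifier (Mark-of-the-Web) stream placing the file in the Internet or Restricted URL zone, an assumption since the advisory text does not define the check; the file inventory is constructed.

```python
"""Triage .msc files by Mark-of-the-Web (Zone.Identifier) zone.

Added example, not Microsoft's code. Assumption: the "untrusted" MSC files the
CVE-2024-43572 update refuses to open are those whose Zone.Identifier stream puts
them in the Internet (ZoneId 3) or Restricted (ZoneId 4) URL zone; the patch's
exact trust check is not described in the advisory text."""
# URLZONE ids: 0 LocalMachine, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted
UNTRUSTED_ZONES = {3, 4}


def parse_zone_identifier(text):
    """Parse the INI-style stream into {'zone_id': int|None, 'host_url': str|None}.
    Only keys inside [ZoneTransfer] count; a missing section or a non-numeric
    ZoneId yields zone_id None, which callers treat as an unmarked local file."""
    result = {"zone_id": None, "host_url": None}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip()
            if key == "zoneid":
                result["zone_id"] = int(value) if value.isdigit() else None
            elif key == "hosturl":
                result["host_url"] = value
    return result


def untrusted_msc_files(inventory):
    """inventory: path -> Zone.Identifier contents ('' when the stream is absent).
    Returns sorted .msc paths marked as coming from an untrusted zone: the files
    the patched MMC should now refuse, and the ones worth a closer look."""
    return sorted(p for p, stream in inventory.items()
                  if p.lower().endswith(".msc")
                  and parse_zone_identifier(stream)["zone_id"] in UNTRUSTED_ZONES)


# Constructed sample inventory. On Windows the stream is read with
# open(path + ":Zone.Identifier", encoding="utf-8").read().
SAMPLE_INVENTORY = {
    r"C:\Users\alice\Downloads\invoice_viewer.msc":
        "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://files.example.invalid/x.msc\r\n",
    r"C:\Windows\System32\compmgmt.msc": "",                      # no MotW: local file
    r"C:\Share\tools\dns.msc": "[ZoneTransfer]\r\nZoneId=1\r\n",  # intranet share
    r"C:\Users\alice\Downloads\notes.txt": "[ZoneTransfer]\r\nZoneId=3\r\n",  # not an MSC
}
```

Calling `untrusted_msc_files(SAMPLE_INVENTORY)` returns only the downloaded `invoice_viewer.msc`; the local console, the intranet share copy and the non-MSC download are left alone.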


CVE-2024-43573 - Windows MSHTML Platform Spoofing Vulnerability

Though Microsoft has not provided in-depth details on this vulnerability or its exploitation, it relates to the MSHTML platform. This platform was used by Internet Explorer and older versions of Microsoft Edge, but its components remain part of Windows and have been regularly targeted by state-sponsored cyber groups.

"Despite the retirement of the Internet Explorer 11 application on certain platforms and the deprecation of Microsoft Edge Legacy, the MSHTML, EdgeHTML, and scripting platforms are still supported," Microsoft explained.

The MSHTML platform is still utilized in Internet Explorer mode in Microsoft Edge and by other applications via the WebBrowser control, while the EdgeHTML platform is used by WebView and some UWP applications.

The vulnerability may be related to a previous flaw in MSHTML that allowed spoofing of file extensions. Last month, a similar attack used Braille characters in filenames to spoof PDF files.
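A detection check for the Braille-padding trick mentioned above, added here as an example rather than anything from the original post or from Microsoft. The filenames are constructed, and the padding threshold (four consecutive invisible characters) is my assumption.

```python
"""Detect filenames that hide their real extension behind Braille padding.

Added example, not Microsoft's code. The post notes a recent campaign used Braille
characters in filenames to pass files off as PDFs; this checker flags names where
the extension a user reads before a run of invisible characters differs from the
one the OS will honour. The padding threshold is my assumption."""
import unicodedata

BRAILLE = range(0x2800, 0x2900)  # Braille Patterns block; U+2800 renders as a blank cell


def is_invisible(ch):
    """Braille cells, Unicode space separators (Zs) and format/control chars (Cf, Cc)."""
    return ord(ch) in BRAILLE or unicodedata.category(ch) in ("Zs", "Cf", "Cc")


def real_extension(name):
    """Lower-cased last suffix with invisible characters removed ('' if there is none)."""
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    return "".join(c for c in ext if not is_invisible(c)).lower()


def analyze_filename(name, min_pad=4):
    """A run of >= min_pad invisible chars is padding: the text before it is what a
    user sees in a truncated column, the whole name is what the OS acts on."""
    start = length = 0
    for i, ch in enumerate(name):
        if is_invisible(ch):
            if length == 0:
                start = i
            length += 1
            if length >= min_pad:
                break
        else:
            length = 0
    padded = length >= min_pad
    real = real_extension(name)
    visible = real_extension(name[:start]) if padded else real
    return {"visible_ext": visible, "real_ext": real, "padded": padded,
            "has_braille": any(ord(c) in BRAILLE for c in name),
            "spoofed": padded and visible != real}


# Constructed sample names (the padded one mimics the PDF lure described above).
SAMPLES = [
    "quarterly_report.pdf",
    "r\u00e9sum\u00e9.pdf",                  # legitimate non-ASCII letters, not flagged
    "invoice.pdf" + "\u2800" * 24 + ".exe",  # Braille-padded, real extension pushed out of view
    "scan.pdf" + "\u00a0" * 2 + ".docx",     # two NBSPs: below the padding threshold
]
```

Running `analyze_filename` over `SAMPLES` flags only the Braille-padded name (visible `pdf`, real `exe`); accented letters and a short gap do not trigger it.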


The Other Zero-Days

In addition to the actively exploited zero-days, 3 other vulnerabilities were publicly disclosed but have not yet been exploited:


CVE-2024-6197 - Open Source Curl Remote Code Execution Vulnerability

Microsoft fixed a remote code execution vulnerability in the libcurl library that could allow attackers to execute commands when Curl connects to a malicious server.

"The vulnerable code path can be triggered by a malicious server offering a specially crafted TLS certificate," according to a Curl security advisory.

Microsoft patched this flaw by updating the bundled libcurl library. The vulnerability was discovered by a researcher known as "z2_," who shared the details on HackerOne.


CVE-2024-20659 - Windows Hyper-V Security Feature Bypass Vulnerability

This flaw allowed attackers to bypass UEFI security, potentially compromising the hypervisor and kernel.

"This Hyper-V vulnerability pertains to virtual machines hosted on Unified Extensible Firmware Interface (UEFI) machines," Microsoft explained.

On specific hardware, attackers could bypass UEFI, leading to the compromise of the hypervisor and secure kernel. Physical access to the device is required, as well as a reboot.

Researchers Francisco Falcón and Iván Arce from Quarkslab discovered this flaw, though it remains unclear where it was first publicly disclosed.


CVE-2024-43583 - Winlogon Elevation of Privilege Vulnerability

This vulnerability could grant attackers SYSTEM-level privileges in Windows. To address the issue, Microsoft advises administrators to take additional steps.

"Ensure that a Microsoft first-party IME is enabled on your device to protect against potential vulnerabilities related to third-party (3P) IMEs during the sign-in process," Microsoft recommended.



Read Microsoft's Complete Release Notes here

OK Boštjan Dolinšek
Naudia Thomas, AWS CCP

Cyber Security Professional, Cyber Security Analyst, Cyber Security Engineer, Vulnerability Management, IAM Analyst, IAM Administrator, IAM Specialist, IAM Engineer

1 month

Great info! Thank you for your informative contributions.

Jiří Šebestík

I am not sure whether God is still playing the same game with us. (Einstein)

1 month

And all along I thought something didn't add up :-)
Luis N. Cervantes

Full Stack Developer | Software Developer | Scrum Master | Business Intelligence (BI)

1 month

Organizations and users who are aware of these patches for potential risks will find this very informative. I appreciate you sharing this information with us.

Rafael Bazan

Information Security Analyst | Cybersecurity | SOC | Blue Team | Vulnerability Management | Security +

1 month

Thanks!
