5 CVEs in Microsoft’s October Update to Patch Immediately

Microsoft's October security update fixes 117 vulnerabilities, among them two that attackers are already exploiting and three that were publicly disclosed before the patch but have not yet been seen exploited. By CVE count it is the third largest release of the year, behind April's 147 CVEs and July's 139.

Of those, 46 are remote code execution (RCE) flaws and another 28 allow elevation of privilege. The rest cover spoofing, denial of service and other classes, across a broad set of Microsoft technologies: the Windows operating system, Hyper-V virtualization, Windows Kerberos, Azure, Power BI and .NET components.

Actively Exploited Bugs

Two of this month's bugs need immediate attention because attackers are already exploiting them. The first, CVE-2024-43573, is a spoofing vulnerability in MSHTML, the legacy Internet Explorer browsing engine that Microsoft still ships in current Windows versions for backward compatibility. It resembles CVE-2024-38112 and CVE-2024-43461, both disclosed earlier this year and both exploited by the Void Banshee group. Notably, Microsoft credits no researcher for reporting this one.

Trend Micro's Zero Day Initiative (ZDI) warns organizations not to read too much into Microsoft's moderate severity rating for CVE-2024-43573 and to test and deploy the fix promptly. ZDI also reads the missing acknowledgment as a sign that this may be a follow-up fix for an earlier patch that did not fully close the hole.

The second actively exploited bug, CVE-2024-43572, is an RCE in the Microsoft Management Console (MMC). Microsoft says the patch stops untrusted Microsoft Saved Console (.msc) files from being opened, which removes the attack path. Elastic Security had earlier reported a technique it calls GrimResource, in which attackers used specially crafted MMC console files for initial access and defense evasion; whether that campaign exploited CVE-2024-43572 is not known.
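The check a defender wants after reading the paragraph above is whether any .msc files that came in from the Internet are sitting in user-writable locations. The script below is an added example, not code from the article, Microsoft or Elastic. Which folders it scans, and the rule that a file is "untrusted" when it carries a Mark-of-the-Web with ZoneId 3 or 4, are this script's own assumptions, not Microsoft's definition of "untrusted" in the advisory.

```powershell
# Added example (not from the article, Microsoft or Elastic): inventory .msc files
# in user-writable locations and flag those carrying a Mark-of-the-Web, i.e. files
# that arrived from the Internet. The folders scanned and the "untrusted = MotW with
# ZoneId 3 or 4" rule are this script's assumptions.

$roots = @(
    (Join-Path $env:USERPROFILE 'Downloads'),
    (Join-Path $env:USERPROFILE 'Desktop'),
    $env:TEMP,
    (Join-Path $env:PUBLIC 'Downloads')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

function Get-MotwZoneId {
    param([string]$Path)
    # The Zone.Identifier alternate data stream holds "ZoneId=N" (3 = Internet,
    # 4 = Restricted). No stream means no Mark-of-the-Web.
    try {
        $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

$findings = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Filter *.msc -ErrorAction SilentlyContinue |
        ForEach-Object {
            $zone = Get-MotwZoneId -Path $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Modified  = $_.LastWriteTime
                Size      = $_.Length
                ZoneId    = $zone
                Untrusted = ($null -ne $zone -and $zone -ge 3)
            }
        }
}

$findings | Sort-Object Untrusted, Modified -Descending | Format-Table -AutoSize
"{0} .msc file(s) found, {1} with a Mark-of-the-Web" -f @($findings).Count, @($findings | Where-Object Untrusted).Count
```

Run it in the context of each user profile you care about, since the paths are per-user. A missing Mark-of-the-Web is not proof that a file is safe: some archive tools and copy paths strip the Zone.Identifier stream, so treat any .msc that is not part of a known admin toolset as worth a look regardless of the flag.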

Publicly Known but Unexploited — for the Moment

The update also fixes three vulnerabilities that were publicly known before the patch but have not been seen exploited: CVE-2024-6197, an RCE in the open-source cURL command-line tool; CVE-2024-20659, a moderate-severity security feature bypass in Windows Hyper-V; and CVE-2024-43583, an elevation-of-privilege bug in Winlogon. Mike Walters, president and co-founder of Action1, advises organizations to patch CVE-2024-6197 first even though Microsoft rates exploitation as less likely. He expects proof-of-concept code to appear soon, since the bug is a memory-management flaw in cURL, a tool that is used almost everywhere for data transfers across a wide range of network protocols.

Walters also points to CVE-2024-43583 as a risk for organizations that use third-party input method editors (IMEs) for multilingual typing. Chained with another bug, it could become one step in a larger attack, a real concern in global enterprises and educational institutions where multilingual input is essential.
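A check that follows from Walters' point, added here as an example rather than code from the article, Action1 or Microsoft: list every text input processor (TIP, which is how IMEs register) known to the Windows Text Services Framework, resolve each to its COM server DLL, and report who signed it, so non-Microsoft IMEs stand out. The registry paths are the standard TSF and COM registration keys; treating any DLL that is not signed by Microsoft Corporation, or that cannot be resolved at all, as "third-party" is this script's own rule.

```powershell
# Added example (not from the article, Action1 or Microsoft): enumerate every
# text input processor registered with the Text Services Framework, resolve its
# in-process COM server and report the Authenticode signer. Flagging anything not
# signed by Microsoft Corporation as third-party is this script's assumption.

function Get-TipClsids {
    # Each TIP/IME registers a CLSID subkey under HKLM\SOFTWARE\Microsoft\CTF\TIP.
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\CTF\TIP' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSChildName }
}

function Resolve-ComServer {
    param([string]$Clsid)
    # Look up InProcServer32 for the CLSID in both the 64-bit and 32-bit registry views.
    foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID') {
        $key = Join-Path $hive "$Clsid\InProcServer32"
        $dll = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll).Trim('"') }
    }
    return $null
}

$report = foreach ($clsid in Get-TipClsids) {
    $dll    = Resolve-ComServer -Clsid $clsid
    $signer = $null
    $status = 'NoServer'
    if ($dll -and (Test-Path -LiteralPath $dll)) {
        # On Windows this also consults the OS catalog, so inbox components show as Valid.
        $sig    = Get-AuthenticodeSignature -LiteralPath $dll
        $status = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]@{
        Clsid      = $clsid
        Dll        = $dll
        SigStatus  = $status
        Signer     = $signer
        ThirdParty = ($signer -notlike '*O=Microsoft Corporation*')
    }
}

$report | Sort-Object ThirdParty -Descending | Format-Table -AutoSize
```

Run it elevated so both registry views and the DLLs under Program Files are readable. Entries with SigStatus of NoServer or NotSigned deserve a look even if they turn out to be stale registrations; a registered TIP whose DLL no longer exists is still a loadable hook as soon as someone drops a file at that path.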

Other Critical Bugs that Need Attention Now

Of the 117 vulnerabilities, Microsoft rates three as critical, all of them RCEs: CVE-2024-43468 in Microsoft Configuration Manager, CVE-2024-43582 in the Remote Desktop Protocol (RDP) server, and CVE-2024-43488 in the Visual Studio Code extension for Arduino. CVE-2024-43468 is a memory-safety flaw in Configuration Manager; a successful exploit could let an attacker move laterally across the network and push malicious configurations to managed systems.

Organizations should patch it promptly and consider running the service under an alternate service account. Automox has also flagged CVE-2024-43533, a high-severity RCE in the Remote Desktop client: it runs code on the connecting client rather than on the server, an unusual direction for an RDP bug. That makes it a candidate for "back-hacks", in which an attacker stands up a rogue RDP server and compromises whatever connects to it, including the scanners operated by nation-states and security firms.
