On this notable second Tuesday of the month, the tech world turns its gaze to Patch Tuesday, a day synonymous with crucial updates aimed at addressing vulnerabilities in major software systems. This month, Microsoft has unveiled a substantial batch of 117 patches, including two that are currently being exploited by malicious actors, underscoring the urgency for users to take action.
Critical Vulnerabilities Unveiled
Among the most pressing concerns is CVE-2024-43572, a serious flaw rated CVSS 7.8 in the Microsoft Management Console (MMC). It allows an unauthorized local attacker to execute code on a machine through an untrusted Microsoft Saved Console (MSC) file. MSC files are saved console configurations that MMC opens as management utilities, so opening a compromised MSC file can have severe repercussions.
Microsoft categorizes this issue as a remote code execution vulnerability, although it requires an attacker to convince a victim to install the malicious file locally. The flaw is present across a range of systems, including Windows Server versions from 2008 to 2022, as well as Windows 10 and 11.
Another vulnerability under active exploitation is CVE-2024-43573, a moderate-risk spoofing flaw in MSHTML, the browser engine that once powered Internet Explorer. While Microsoft has phased out Internet Explorer, the underlying code remains embedded in Windows, leaving all Windows Server versions post-2012 R2 and many releases of Windows 10 vulnerable.
Additional Noteworthy Patches
In addition to the actively exploited vulnerabilities, Microsoft has released three other patches for issues that were publicly known before the fix shipped, although no exploit code has yet been observed. These include:
- CVE-2024-6197: A CVSS 8.8 vulnerability in curl that could allow a compromised server to attack clients connecting to it.
- CVE-2024-43583: Another CVSS 8.8 flaw, in Winlogon, allowing unauthenticated attackers to gain full system privileges.
- CVE-2024-20659: A CVSS 7.1 flaw in Hyper-V that could compromise a machine’s secure kernel if the user is persuaded to reboot.
Among the remaining patches, two stand out due to their high CVSS scores: a critical 9.8 remote code execution vulnerability in Microsoft Configuration Manager (CVE-2024-43468), exploitable via SQL, and a 9.0 elevation of privilege flaw in Netlogon (CVE-2024-38124) that allows unauthenticated attackers to gain full administrative credentials without any user interaction.
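The Microsoft entries above are a good illustration of why patch priority should not be read off the CVSS score alone: a 7.8 that is being exploited in the wild outranks an unexploited 9.8. The following is an added example, not code from the article or from Microsoft, that records each advisory with the attributes the article gives (score, in-the-wild exploitation, prior public disclosure, user-interaction requirement) and sorts them into patch tiers. The tier thresholds and the rule that an unknown interaction requirement is treated as "none" are this example's own assumptions; the data rows are constructed from the article's wording, and CVE-2024-43573 is recorded with no score because the article gives none.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Advisory:
    """One patched vulnerability as a patch-management team would record it."""
    cve: str
    product: str
    cvss: Optional[float]                       # None when the bulletin gives no score
    exploited: bool = False                     # exploitation in the wild reported
    disclosed: bool = False                     # publicly known before the fix shipped
    user_interaction: Optional[bool] = None     # None = requirement not stated


# Constructed from the Microsoft entries in the article. Flags follow the
# article's wording, not the vendor's CVSS vectors (assumption).
ADVISORIES: List[Advisory] = [
    Advisory("CVE-2024-43572", "Microsoft Management Console", 7.8,
             exploited=True, user_interaction=True),
    Advisory("CVE-2024-43573", "MSHTML", None, exploited=True),  # "moderate-risk", no score given
    Advisory("CVE-2024-6197", "curl", 8.8, disclosed=True),
    Advisory("CVE-2024-43583", "Winlogon", 8.8, disclosed=True),
    Advisory("CVE-2024-20659", "Hyper-V", 7.1, disclosed=True, user_interaction=True),
    Advisory("CVE-2024-43468", "Configuration Manager", 9.8),
    Advisory("CVE-2024-38124", "Netlogon", 9.0, user_interaction=False),
]


def tier(a: Advisory) -> int:
    """1 = patch now, 2 = patch this cycle, 3 = routine schedule.

    Thresholds are this example's assumptions. Anything exploited in the wild is
    tier 1 regardless of score; a critical score with no (or unknown) user
    interaction requirement is also tier 1, because an unknown requirement
    must be treated as the worst case until the vector is checked.
    """
    score = a.cvss if a.cvss is not None else 0.0
    if a.exploited:
        return 1
    if score >= 9.0 and a.user_interaction is not True:
        return 1
    if a.disclosed or score >= 7.0:
        return 2
    return 3


def triage(advisories: List[Advisory]) -> List[Advisory]:
    """Order by tier, then exploited-in-the-wild first, then CVSS descending."""
    def key(a: Advisory):
        score = a.cvss if a.cvss is not None else 0.0
        return (tier(a), not a.exploited, -score)
    return sorted(advisories, key=key)


def report(advisories: List[Advisory]) -> List[str]:
    """One human-readable line per advisory, in triage order."""
    lines = []
    for a in triage(advisories):
        score = "n/a" if a.cvss is None else f"{a.cvss:.1f}"
        flags = [f for f, on in (("EXPLOITED", a.exploited), ("disclosed", a.disclosed)) if on]
        lines.append(f"P{tier(a)} {a.cve} {a.product} CVSS {score} {' '.join(flags)}".rstrip())
    return lines


if __name__ == "__main__":
    print("\n".join(report(ADVISORIES)))
```

The output lists the two exploited flaws first, then the two critical no-interaction flaws (Configuration Manager and Netlogon), and only then the three disclosed-but-unexploited 8.8 and 7.1 issues. When feeding real bulletin data into something like this, pull the user-interaction flag from the CVSS vector (UI:N/UI:R) rather than leaving it unknown, so the conservative default does not inflate every critical score into tier 1.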
The Best of the Rest
Adobe has also joined the October patch festivities, addressing 52 CVEs, none of which are currently under exploitation and all classified as low priority. The updates cover a variety of its products, including Commerce and Magento, FrameMaker, InDesign, InCopy, Dimension, Animate, Lightroom, 3D Painter, and Substance 3D Stager.
SAP, on the other hand, reported a dozen issues, six of which are re-patches for previously addressed vulnerabilities. The most concerning of these is CVE-2024-41730, a 9.8-rated BusinessObjects bug that SAP attempted to patch back in August but which requires further attention. Additionally, a newly addressed flaw, CVE-2022-23302, rated at 8.0, affects JMSSink in Apache Log4j 1.x and impacts users of SAP Enterprise Project Connection. Users have also been alerted to new fixes for BusinessObjects Business Intelligence Platform, Commerce Backoffice, NetWeaver Enterprise Portal, and HANA.