Microsoft has taken significant steps to bolster the security of its software ecosystem by releasing updates that address a total of 118 vulnerabilities. Among these, two vulnerabilities have been identified as actively exploited in the wild, raising concerns for users and organizations alike.
Severity Ratings and Key Vulnerabilities
The vulnerabilities are categorized as follows:
- Critical: 3
- Important: 113
- Moderate: 2
Notably, the Patch Tuesday update does not encompass the 25 additional vulnerabilities that were recently addressed in Microsoft’s Chromium-based Edge browser. Among the 118 flaws, five are publicly known at the time of release, with two classified as zero-day vulnerabilities:
- CVE-2024-43572 (CVSS score: 7.8) – Microsoft Management Console Remote Code Execution Vulnerability (Exploitation detected)
- CVE-2024-43573 (CVSS score: 6.5) – Windows MSHTML Platform Spoofing Vulnerability (Exploitation Detected)
- CVE-2024-43583 (CVSS score: 7.8) – Winlogon Elevation of Privilege Vulnerability
- CVE-2024-20659 (CVSS score: 7.1) – Windows Hyper-V Security Feature Bypass Vulnerability
- CVE-2024-6197 (CVSS score: 8.8) – Open Source Curl Remote Code Execution Vulnerability (non-Microsoft CVE)
Interestingly, CVE-2024-43573 bears similarities to previous MSHTML spoofing flaws exploited by the Void Banshee threat actor, which were used to deliver the Atlantida Stealer malware prior to July 2024.
While Microsoft has not disclosed the specifics of how these vulnerabilities are being exploited or the identity of the attackers, they have acknowledged the contributions of researchers Andres and Shady for reporting CVE-2024-43572. However, the lack of acknowledgment for CVE-2024-43573 raises questions about potential patch bypass scenarios.
In response to the discovery of CVE-2024-43572, Microsoft has implemented measures to prevent untrusted MSC files from being opened on affected systems. This proactive approach underscores the urgency of addressing these vulnerabilities.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also flagged the active exploitation of both CVE-2024-43572 and CVE-2024-43573, adding them to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies are mandated to apply the necessary fixes by October 29, 2024.
Critical Vulnerabilities and Their Implications
Among the vulnerabilities disclosed, the most severe is a remote execution flaw in Microsoft Configuration Manager (CVE-2024-43468), which carries a CVSS score of 9.8. This vulnerability could enable unauthenticated actors to execute arbitrary commands, posing a significant risk to organizations:
“An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner, enabling the attacker to execute commands on the server and/or underlying database,” Microsoft stated.
Additionally, two other critical vulnerabilities related to remote code execution have been identified in the Visual Studio Code extension for Arduino (CVE-2024-43488, CVSS score: 8.8) and the Remote Desktop Protocol (RDP) Server (CVE-2024-43582, CVSS score: 8.1). Adam Barnett, lead software engineer at Rapid7, elaborated on the RDP vulnerability, noting that exploitation requires sending deliberately malformed packets to a Windows RPC host, which could lead to code execution in the context of the RPC service.
Despite the gravity of these vulnerabilities, there is a silver lining: the complexity of the attacks is high, as attackers must navigate a race condition to improperly access memory.
Software Patches from Other Vendors
In addition to Microsoft’s updates, various other vendors have also rolled out security patches in recent weeks to address several vulnerabilities, further emphasizing the importance of maintaining robust cybersecurity measures across all platforms.
