Microsoft has released security updates to fix a total of 118 vulnerabilities across its software portfolio, two of which have come under active exploitation in the wild.
Of the 118 flaws, three are rated Critical, 113 are rated Important, and two are rated Moderate in severity. The Patch Tuesday update doesn’t include the 25 additional flaws that the tech giant addressed in its Chromium-based Edge browser over the past month.
Five of the vulnerabilities are listed as publicly known at the time of release, with two of them coming under active exploitation as a zero-day –
- CVE-2024-43572 (CVSS score: 7.8) – Microsoft Management Console Remote Code Execution Vulnerability (Exploitation detected)
- CVE-2024-43573 (CVSS score: 6.5) – Windows MSHTML Platform Spoofing Vulnerability (Exploitation Detected)
- CVE-2024-43583 (CVSS score: 7.8) – Winlogon Elevation of Privilege Vulnerability
- CVE-2024-20659 (CVSS score: 7.1) – Windows Hyper-V Security Feature Bypass Vulnerability
- CVE-2024-6197 (CVSS score: 8.8) – Open Source Curl Remote Code Execution Vulnerability (non-Microsoft CVE)
It’s worth noting that CVE-2024-43573 is similar to CVE-2024-38112 and CVE-2024-43461, two other MSHTML spoofing flaws that have been exploited prior to July 2024 by the Void Banshee threat actor to deliver the Atlantida Stealer malware.
Microsoft makes no mention of how the two vulnerabilities are exploited in the wild, and by whom, or how widespread they are. It credited researchers Andres and Shady for reporting CVE-2024-43572, but no acknowledgment has been given for CVE-2024-43573, raising the possibility that it could be a case of patch bypass.
“Since the discovery of CVE-2024-43572, Microsoft now prevents untrusted MSC files from being opened on a system,” Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.
The active exploitation of CVE-2024-43572 and CVE-2024-43573 has also been noted by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which added them to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by October 29, 2024.
Among all the flaws disclosed by Redmond on Tuesday, the most severe concerns a remote execution flaw in Microsoft Configuration Manager (CVE-2024-43468, CVSS score: 9.8) that could allow unauthenticated actors to run arbitrary commands.
“An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database,” it said.
Two other Critical-rated severity flaws also relate to remote code execution in Visual Studio Code extension for Arduino (CVE-2024-43488, CVSS score: 8.8) and Remote Desktop Protocol (RDP) Server (CVE-2024-43582, CVSS score: 8.1).
“Exploitation requires an attacker to send deliberately-malformed packets to a Windows RPC host, and leads to code execution in the context of the RPC service, although what this means in practice may depend on factors including RPC Interface Restriction configuration on the target asset,” Adam Barnett, lead software engineer at Rapid7, told about CVE-2024-43582.
“One silver lining: attack complexity is high, since the attacker must win a race condition to access memory improperly.”
Software Patches from Other Vendors
Outside of Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —
