Microsoft has rolled out security updates addressing 118 vulnerabilities across its software ecosystem, two of which are actively exploited in the wild.
Among the 118 flaws, three are classified as Critical, 113 are rated as Important, and two as Moderate in severity. The Patch Tuesday update does not include 25 additional vulnerabilities that were patched in the company’s Chromium-based Edge browser over the past month.
Of particular note, five vulnerabilities were publicly known at the time of the update’s release, with two of these being actively exploited as zero-day vulnerabilities:
- CVE-2024-43572 (CVSS score: 7.8) – Microsoft Management Console Remote Code Execution Vulnerability (Exploitation detected)
- CVE-2024-43573 (CVSS score: 6.5) – Windows MSHTML Platform Spoofing Vulnerability (Exploitation detected)
- CVE-2024-43583 (CVSS score: 7.8) – Winlogon Elevation of Privilege Vulnerability
- CVE-2024-20659 (CVSS score: 7.1) – Windows Hyper-V Security Feature Bypass Vulnerability
- CVE-2024-6197 (CVSS score: 8.8) – Open Source Curl Remote Code Execution Vulnerability (non-Microsoft CVE)
It’s notable that CVE-2024-43573 bears similarities to other MSHTML spoofing vulnerabilities, CVE-2024-38112 and CVE-2024-43461, both of which were exploited prior to July 2024 by the Void Banshee threat actor to distribute the Atlantida Stealer malware.
Microsoft has yet to provide details on how the two vulnerabilities in question are being actively exploited in the wild, who may be responsible for such exploitation, or how widespread the issues are. The company did acknowledge researchers Andres and Shady for discovering CVE-2024-43572, but no attribution has been given for CVE-2024-43573, raising speculation that it may involve a patch bypass.
“Following the discovery of CVE-2024-43572, Microsoft now blocks untrusted MSC files from being opened on systems,” said Satnam Narang, senior research engineer at Tenable, in a statement shared with The Hacker News.
Both CVE-2024-43572 and CVE-2024-43573 have been flagged as actively exploited by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which has added them to its Known Exploited Vulnerabilities (KEV) catalog. This addition requires federal agencies to implement patches for the vulnerabilities by October 29, 2024.
Among the vulnerabilities revealed by Microsoft on Tuesday, the most critical involves a remote code execution issue in Microsoft Configuration Manager (CVE-2024-43468), which carries a CVSS score of 9.8. If exploited, this flaw could allow unauthenticated attackers to run arbitrary commands on the system.
“An unauthenticated attacker could exploit this issue by sending specially crafted requests to the target environment. These requests are handled in an unsafe manner, allowing the attacker to execute commands on the server or the underlying database,” read the advisory.
Two other Critical-rated vulnerabilities also pertain to remote code execution, impacting the Visual Studio Code extension for Arduino (CVE-2024-43488, CVSS score: 8.8) and the Remote Desktop Protocol (RDP) Server (CVE-2024-43582, CVSS score: 8.1).
“Exploiting CVE-2024-43582 involves an attacker sending deliberately malformed packets to a Windows RPC host, leading to code execution in the context of the RPC service. However, the actual impact may vary depending on factors such as the RPC Interface Restriction configuration on the targeted asset,” Adam Barnett, lead software engineer at Rapid7, explained.
A silver lining in this scenario is that the attack complexity is quite high: the attacker would need to win a race condition in order to trigger the memory-safety flaw.
Recent Software Patches from Other Vendors
In addition to Microsoft’s recent security updates, numerous vendors have also released patches in the past few weeks to address various vulnerabilities. These include:
- Adobe
- Amazon Web Services
- Apache Avro
- Apple
- AutomationDirect
- Bosch
- Broadcom (including VMware)
- Cisco (including Splunk)
- Citrix
- CODESYS
- Dell
- DrayTek
- Drupal
- F5
- Fortinet
- GitLab
- Google Android
- Google Chrome
- Google Cloud
- Hitachi Energy
- HP
- HP Enterprise (including Aruba Networks)
- IBM
- Intel
- Ivanti
- Jenkins
- Juniper Networks
- Lenovo
- Linux Distributions: Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, and Ubuntu
- MediaTek
- Mitsubishi Electric
- MongoDB
- Mozilla: Firefox, Firefox ESR, and Thunderbird
- NVIDIA
- Okta
- Palo Alto Networks
- Progress Software
- QNAP
- Qualcomm
- Rockwell Automation
- Salesforce Tableau
- Samsung
- SAP
- Schneider Electric
- Siemens
- Sophos
- Synology
- Trend Micro
- Veritas
- Zoom
- Zyxel