In this month's October 2024 Patch Tuesday, Microsoft addressed 118 vulnerabilities, including five zero-day vulnerabilities, two of which are being actively exploited in the wild. This month’s update is larger than the September 2024 release, which addressed 79 vulnerabilities. Notably, three critical remote code execution (RCE) vulnerabilities were patched, emphasizing the need for timely updates across all systems.
This update includes fixes for 42 remote code execution vulnerabilities, 28 elevation of privilege vulnerabilities, and 26 denial of service vulnerabilities, making it crucial for security teams to focus on the most urgent patches.
CVE-2024-43572: This remote code execution (RCE) vulnerability affects the Microsoft Management Console due to improper neutralization of malformed messages. It is rated high in severity with a CVSS score of 7.8. Public functional exploit code is available, and the vulnerability is already being exploited in the wild.
Why it’s important: Exploitation could give attackers unauthorized system access.
CVE-2024-43573: A spoofing vulnerability in the Windows MSHTML Platform that facilitates cross-site scripting (XSS) attacks. Rated medium severity with a CVSS score of 6.5, it is being actively exploited, and public exploit code is available. Microsoft urges rapid patching, as this flaw can bypass key security controls in Microsoft Edge’s Internet Explorer mode and other web browser-based applications.
Why it’s important: XSS vulnerabilities can be leveraged in phishing attacks or for unauthorized file execution, exposing sensitive data.
Publicly disclosed zero-days
CVE-2024-6197: This remote code execution (RCE) vulnerability in the cURL command-line tool allows attackers to exploit connections between a client and a malicious server. Rated highly severe with a CVSS score of 8.8, it allows code execution in the context of the user running the cURL command.
Why it’s important: While exploitation commonly results in crashes, RCE is possible, making this flaw a serious threat, particularly in environments relying on open-source tools.
CVE-2024-20659: A security bypass vulnerability in Windows Hyper-V, which enables attackers to bypass the Unified Extensible Firmware Interface (UEFI), potentially compromising the hypervisor. Rated high severity with a CVSS score of 7.1, exploitation is highly complex and requires multiple conditions, including access to a restricted network and a reboot.
Why it’s important: Despite the complexity of exploitation, attackers could completely compromise the hypervisor, making it essential for organizations to apply patches promptly. Successful exploitation could result in complete compromise of the hypervisor kernel, risking full control over the virtual machine environment.
CVE-2024-43583: This elevation of privilege (EoP) vulnerability in Winlogon can be exploited through a third-party Input Method Editor (IME) during the sign-on process. The flaw allows attackers to achieve SYSTEM-level privileges.
Why it’s important: The ability to escalate privileges makes this a high-risk vulnerability. Immediate patching is recommended, and disabling third-party IMEs can reduce the attack surface. Microsoft’s KB5046254 provides detailed guidance on disabling non-Microsoft IMEs to mitigate this risk, particularly for organizations using third-party IMEs in multi-language environments.
Three critical vulnerabilities were addressed in this update:
CVE-2024-43468: This remote code execution (RCE) vulnerability in Microsoft Configuration Manager has a CVSS score of 9.8, making it the most severe risk by technical score in this month’s update. It is exploitable through a no-interaction, unauthenticated network attack, leading to code execution on the Configuration Manager server or database via a specially crafted request.
Why it’s important: The potential for unauthorized command execution and compromise of critical infrastructure makes this a high-priority patch.
CVE-2024-43488: A remote code execution vulnerability in the Visual Studio Code extension for Arduino, this issue arises from missing authentication. While Microsoft has deprecated the extension, the flaw still poses a threat through unauthenticated network attacks.
Why it’s important: Although deprecated, unpatched systems could still be vulnerable to remote attacks, emphasizing the need for mitigation.
CVE-2024-43582: This remote code execution (RCE) vulnerability in the Remote Desktop Protocol Server allows attackers to send malformed packets to the RPC host, executing code with the same privileges as the RPC service. While attack complexity is high, exploitation is critical, as the attacker can take full control of the server.
Why it’s important: Given the widespread use of RDP in enterprise environments, this vulnerability could lead to severe security breaches.
42 Remote Code Execution (RCE) vulnerabilities
28 Elevation of Privilege (EoP) vulnerabilities
26 Denial of Service (DoS) vulnerabilities
7 Spoofing vulnerabilities
7 Security Feature Bypass (SFB) vulnerabilities
6 Information Disclosure vulnerabilities
1 Tampering vulnerability
The October 2024 Patch Tuesday update highlights the limitations of alert-based patching compared to proactive vulnerability detection and management. Several critical vulnerabilities, including CVE-2024-43583 and CVE-2024-6197, were publicly disclosed well before being patched, leaving systems exposed to exploitation.
Confusion around updates like KB29166583 for CVE-2024-43468 further demonstrates the delays and gaps in security that occur when relying on alerts. Additionally, we saw that two zero-days, CVE-2024-43572 and CVE-2024-43573, were already being exploited in the wild before patches were available.
We recommend that organizations scan their internet-facing infrastructure for technologies vulnerable to the CVEs described in this month’s Patch Tuesday. For prioritization do not rely on CVSS scores calculated purely on technical impact, consider the asset and its business importance too. To expedite remediation ensure that the team’s responsible for remediation are equipped with all of the information they need. Hadrian’s platform streamlines vulnerability management by automating time-consuming tasks for security teams.
The complete list of the October 2024 Patch Tuesday updates can be found here.