News
Microsoft Targets 118 Vulnerabilities in October Patch Rollout
Microsoft has released its third-largest monthly security update of the year, with October's rollout addressing 118 vulnerabilities, including two that are under active exploit.
April's rollout was the largest of 2024 so far, with 147 fixes, followed closely by July's, which addressed 143.
October's security update included five publicly disclosed vulnerabilities, two of which have already been exploited:
- CVE-2024-43573: This is a spoofing vulnerability that affects Windows MSHTML, the rendering engine that powers applications including Internet Explorer. Marked "moderate," this vulnerability affects all Windows versions except for Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012.
- CVE-2024-43572: This is an "important" remote code execution vulnerability affecting the Microsoft Management Console. Microsoft advises patching this flaw to prevent "untrusted Microsoft Saved Console (MSC) files from being opened."
The other three disclosed vulnerabilities have not shown signs of active exploit, though Microsoft considers them "important" to patch:
- CVE-2024-6197: A remote code execution flaw affecting Windows cURL Implementation. This flaw is less likely to be exploited, per Microsoft, because it requires user action to enable an attack.
- CVE-2024-43583: An elevation-of-privilege vulnerability affecting Winlogon that could give attackers system privileges if left unpatched.
- CVE-2024-20659: This Hyper-V vulnerability can allow attackers to bypass a Unified Extensible Firmware Interface (UEFI) host machine and compromise the virtual machine inside it.
There were three vulnerabilities marked "critical," all of them involving remove code execution:
- CVE-2024-43582: Affects Windows Remote Desktop. "To exploit this vulnerability, an unauthenticated attacker would need to send malformed packets to a RPC host," said Microsoft. "This could result in remote code execution on the server side with the same permissions as the RPC service."
- CVE-2024-43488: Affects Visual Studio Code extension for Arduino. Microsoft has already mitigated this particular vulnerability, according to its advisory, so IT doesn't have to take further action to patch it.
- CVE-2024-43468: Affects Microsoft Configuration Manager. Per Microsoft, "An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database."
Microsoft's full October patch update can be accessed here.