
Microsoft repairs 2 zero-days on October Patch Tuesday

Administrators will have to tackle 117 new vulnerabilities, including three rated critical, in this month's batch of security updates.

On October Patch Tuesday, Microsoft revealed that two Windows zero-days were actively exploited in the wild, which makes patching those vulnerable systems a priority for admins this month. 

Microsoft addressed 117 new vulnerabilities, three rated critical, this month and added a fix for a non-Microsoft product: the curl command-line tool used in Windows and in the company's CBL Mariner Linux OS. In addition to the two Windows zero-days, three other vulnerabilities were publicly disclosed. Enterprises that rely on Configuration Manager for on-premises device management should be aware of a particularly dangerous flaw in the systems administration tool that requires more work than simply applying a patch to correct the problem.

Microsoft fixes five public disclosures, including two zero-days  

The first zero-day, CVE-2024-43572, is a Microsoft Management Console remote-code execution vulnerability rated important with a CVSS score of 7.8. This flaw was also publicly disclosed. 

This bug in the native management tool in Windows affects desktop and server systems. If the attacker convinces a user to open a malicious Microsoft Saved Console (MSC) file, then the threat actor could run arbitrary code on the victim's system. 

Chris Goettl, vice president of security product management at Ivanti, told TechTarget Editorial a public disclosure puts added pressure on IT teams because it often means the security researcher who found the flaw also published working code. 

"There is a risk that additional threat actors could get their hands on this very easily and take advantage of it, so that bumps up the urgency around getting this resolved," he said. 

Deploying the Windows cumulative update for October protects the system by stopping suspicious MSC files from opening. 

The second zero-day, CVE-2024-43573, is a Windows MSHTML platform spoofing vulnerability rated moderate with a CVSS score of 6.5. This bug was also publicly disclosed. A successful exploit hinges on user interaction, after which the threat actor could gain access to sensitive information.

Microsoft no longer supports Internet Explorer in Windows, but its code remains part of the OS for backward compatibility, leaving systems vulnerable to exploits in MSHTML.   

"It's a shared component in a lot of things, which opens up the ability to target users," Goettl said. 

In addition to the two Windows zero-days, Microsoft also addressed three other publicly disclosed vulnerabilities. 

A Winlogon elevation-of-privilege vulnerability, CVE-2024-43583, is rated important with a CVSS score of 7.8. Winlogon handles security matters related to the login process. If a threat actor exploits this flaw, then they could gain system-level permissions on the device, meaning the highest possible tier of privilege.  

In addition to the patch, Microsoft recommends customers only use a first-party Input Method Editor (IME) and avoid third-party IMEs.  

The fourth public disclosure is a Windows Hyper-V security feature bypass vulnerability, CVE-2024-20659, rated important with a CVSS score of 7.1. A threat actor could find a way to evade the protections on a Hyper-V host with Unified Extensible Firmware Interface (UEFI) to gain control of the hypervisor and secure kernel. 

Microsoft gave this vulnerability an "exploitation less likely" assessment due to the number of conditions the attacker must meet for a successful exploit, including network access and convincing the user to reboot the system.  

The last public disclosure is a curl remote-code execution vulnerability, CVE-2024-6197, rated important with a CVSS score of 8.8.  

Curl is an open-source command-line tool used to send data using one of several protocols, such as HTTP, HTTPS or FTP. Microsoft ported this Linux tool to the Windows OS starting with Windows 10.  

"The attacker would require a client to connect to a malicious server, and that could allow the attacker to gain control or code execution on the client," Goettl said.   

Configuration Manager fix requires manual work 

A Microsoft Configuration Manager remote-code execution vulnerability, CVE-2024-43468, is rated critical with a CVSS score of 9.8.

A threat actor on the network can exploit the flaw by sending specially crafted requests to the target infrastructure, which would then allow them to run commands on the server or the underlying database. Microsoft said customers need to manually execute an in-console update, starting with the primary parent site server and finishing with the secondary site servers.  

Microsoft recommends performing this type of update after business hours to avoid potential disruptions.  

Goettl said most mature organizations have the mindset of assuming they've been breached when a vulnerability exists for their systems and will expedite patching for these types of flaws.   

"This [vulnerability] is a pretty high risk. You want to get updated quickly because it's a bit more dangerous if somebody figures out how to exploit this," he said.   
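The article's ordering logic (in-the-wild exploitation first, then severity, with public disclosure raising urgency, and a note of which fix needs manual work) can be turned into a small triage script. The following is an added example, not code from Microsoft or TechTarget; the CVE identifiers, CVSS scores, Microsoft ratings and the exploited/public/manual flags are taken from this article, while the ranking rule and the remediation windows in `sla_days` are illustrative assumptions, not a Microsoft guideline.

```python
"""Patch-priority triage for the October Patch Tuesday items named in the article.

Added example. The advisory data below is transcribed from the article; the
priority ordering and the remediation windows are assumptions chosen to
illustrate the article's reasoning, not a vendor policy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    cvss: float
    severity: str          # Microsoft rating as printed in the article
    exploited: bool        # actively exploited in the wild (zero-day)
    public: bool           # publicly disclosed before the patch shipped
    manual_steps: bool     # fix needs work beyond the normal update


# Constructed from the article's text (scores and flags as stated there).
ADVISORIES = [
    Advisory("CVE-2024-43572", "Microsoft Management Console", 7.8, "important", True, True, False),
    Advisory("CVE-2024-43573", "Windows MSHTML platform", 6.5, "moderate", True, True, False),
    Advisory("CVE-2024-43583", "Winlogon", 7.8, "important", False, True, False),
    Advisory("CVE-2024-20659", "Windows Hyper-V", 7.1, "important", False, True, False),
    Advisory("CVE-2024-6197", "curl", 8.8, "important", False, True, False),
    Advisory("CVE-2024-43468", "Configuration Manager", 9.8, "critical", False, False, True),
]


def priority_key(a: Advisory) -> tuple:
    """Sort key (assumption): known exploitation outranks everything, then
    CVSS score, and public disclosure breaks ties because working code may
    already be circulating."""
    return (not a.exploited, -a.cvss, not a.public)


def triage(advisories: list[Advisory]) -> list[str]:
    """Return CVE ids in the order an admin should schedule them."""
    return [a.cve for a in sorted(advisories, key=priority_key)]


def sla_days(a: Advisory) -> int:
    """Illustrative remediation window in days (assumption, not a vendor SLA)."""
    if a.exploited:
        return 1
    if a.severity == "critical" or a.public:
        return 7
    return 30


def needs_manual_work(advisories: list[Advisory]) -> list[str]:
    """Items whose fix is not fully delivered by the cumulative update."""
    return [a.cve for a in advisories if a.manual_steps]


if __name__ == "__main__":
    for cve in triage(ADVISORIES):
        adv = next(a for a in ADVISORIES if a.cve == cve)
        flags = "exploited " if adv.exploited else ""
        flags += "public " if adv.public else ""
        flags += "manual-steps" if adv.manual_steps else ""
        print(f"{cve:16} {adv.cvss:>4} {adv.severity:9} {sla_days(adv):>2}d  {flags}")
```

Run as a script, it lists the two exploited zero-days first, then the critical Configuration Manager flaw, which is also the only item flagged for manual in-console work on the site servers.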

Tom Walat is the site editor for TechTarget Editorial's Windows Server site, where he manages all site content. Walat previously worked for a newspaper in the Greater Boston area.
