Microsoft Releases Major Security Update Addressing 118 Vulnerabilities

Microsoft has rolled out a comprehensive security update designed to fix 118 vulnerabilities across its vast software portfolio. Among these flaws, two have been flagged as actively exploited in the wild, underscoring the urgency for users to implement the patches immediately.

Overview

The recent Patch Tuesday update categorizes the vulnerabilities as follows:

• Critical: 3
• Important: 113
• Moderate: 2

Importantly, this update does not encompass the 25 additional vulnerabilities that Microsoft addressed in its Chromium-based Edge browser over the past month.

Five of the vulnerabilities were publicly known at the time of release, with two of them designated as zero-day vulnerabilities currently being exploited:

1. CVE-2024-43572 (CVSS score: 7.8) – Microsoft Management Console Remote Code Execution Vulnerability (Active Exploitation Detected)
2. CVE-2024-43573 (CVSS score: 6.5) – Windows MSHTML Platform Spoofing Vulnerability (Active Exploitation Detected)
3. CVE-2024-43583 (CVSS score: 7.8) – Winlogon Elevation of Privilege Vulnerability
4. CVE-2024-20659 (CVSS score: 7.1) – Windows Hyper-V Security Feature Bypass Vulnerability
5. CVE-2024-6197 (CVSS score: 8.8) – Open Source Curl Remote Code Execution Vulnerability (Non-Microsoft CVE)

Notably, CVE-2024-43573 is akin to previous MSHTML spoofing flaws exploited by the Void Banshee threat actor, which were leveraged to distribute the Atlantida Stealer malware prior to July 2024.

Details of Active Exploitation

While Microsoft has not provided specific details regarding how the two actively exploited vulnerabilities are being utilized or the scope of their impact, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added them to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies are required to apply the fixes by October 29, 2024.

Satnam Narang, a senior staff research engineer at Tenable, commented on the situation: “Since the discovery of CVE-2024-43572, Microsoft has taken steps to prevent untrusted MSC files from being opened on affected systems.” However, the lack of acknowledgment for CVE-2024-43573 raises concerns about potential patch bypass tactics.

The Most Critical Vulnerabilities

Among the vulnerabilities disclosed, the most critical one is CVE-2024-43468, a remote execution flaw in Microsoft Configuration Manager with a staggering CVSS score of 9.8. This vulnerability could allow unauthenticated attackers to execute arbitrary commands by sending specially crafted requests, posing a significant risk to server and database security.

In addition to this, two other critical vulnerabilities are noteworthy:

• CVE-2024-43488 (CVSS score: 8.8) – Pertains to remote code execution in the Visual Studio Code extension for Arduino.
• CVE-2024-43582 (CVSS score: 8.1) – Relates to the Remote Desktop Protocol (RDP) Server, where exploitation requires an attacker to send deliberately malformed packets.

Adam Barnett, lead software engineer at Rapid7, described the complexities involved in exploiting CVE-2024-43582, stating that the attacker must win a race condition to improperly access memory.