{"id":547,"date":"2024-10-09T16:52:28","date_gmt":"2024-10-09T16:52:28","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=547"},"modified":"2024-10-09T16:52:28","modified_gmt":"2024-10-09T16:52:28","slug":"microsoft-october-update-patches-two-zero-day-vulnerabilities-it-says-are-being-actively-exploited","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=547","title":{"rendered":"Microsoft October update patches two zero-day vulnerabilities it says are being actively exploited"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The drama of Patch Tuesday often revolves around zero days, which in <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/releaseNote\/2024-Oct\">October\u2019s haul of 117 vulnerabilities<\/a> brings patch managers a total of five that have been publicly disclosed.<\/p>\n<p>Of those, Microsoft said that two are being actively exploited. 
The first is <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2024-43573\">CVE-2024-43573<\/a>, intriguingly a spoofing flaw in the Windows MSHTML component.<\/p>\n<p>If this doesn\u2019t ring any bells, MSHTML is the old Internet Explorer HTML, CSS and JavaScript rendering engine maintained within Windows to allow backwards compatibility with the long tail of websites still optimized for IE and legacy versions of the pre-Chromium Edge browser.<\/p>\n<p>The last version of IE, version 11, vanished for good from desktops more than two years ago and yet here we have a forgotten fragment that continues to cause trouble.<\/p>\n<p>As Microsoft puts it in the advisory: \u201cWhile Microsoft has announced retirement of the Internet Explorer 11 application on certain platforms and the Microsoft Edge Legacy application is deprecated, the underlying MSHTML, EdgeHTML, and scripting platforms are still supported.\u201d<\/p>\n<p>Although rated as \u201cmoderate\u201d severity with a common vulnerability scoring system (CVSS) score of 6.5, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2024-43573\">CVE-2024-43573<\/a> is publicly disclosed and therefore a threat to Windows users as well as Microsoft 365 and Microsoft Office.<\/p>\n<p>Microsoft offers little detail on the flaw, but its \u201cspoofing\u201d classification is interesting. 
That suggests this is yet another example of attackers finding a way to hide a malicious file behind an innocent-looking file extension the user is tricked into clicking.<\/p>\n<p>It\u2019s also, notably, the fourth time MSHTML has been exploited in a handful of months, with previous examples being <a href=\"https:\/\/www.csoonline.com\/article\/2108583\/microsoft-fixes-three-zero-day-vulnerabilities-two-actively-exploited.html\">CVE-2024-30040<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/2518349\/apt-exploits-windows-zero-day-to-launch-zombie-ie-attack.html\">CVE-2024-38112<\/a>, and <a href=\"https:\/\/www.csoonline.com\/article\/3525791\/microsoft-re-categorizes-fixed-trident-bug-as-zero-day.html\">CVE-2024-43461<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">\u201cExploitation detected\u201d<\/h2>\n<p>The second exploited zero day, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/advisory\/CVE-2024-43572\" target=\"_blank\" rel=\"noopener\">CVE-2024-43572<\/a>, is arguably the most serious. Rated as \u201cimportant\u201d and with a CVSS score of 7.8, this is a remote code execution (RCE) vulnerability in Microsoft Management Console (MMC). Exploiting this flaw would involve tricking a user into opening a malicious Microsoft Saved Console (MSC) file.<\/p>\n<p>This is the second such significant vulnerability in MMC in consecutive months, following September\u2019s <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2024-38259\" target=\"_blank\" rel=\"noopener\">CVE-2024-38259<\/a>. 
Microsoft\u2019s solution in October\u2019s update is to stop users from opening untrusted MSC files:<\/p>\n<p>\u201cThe security update will prevent untrusted Microsoft Saved Console (MSC) files from being opened to protect customers against the risks associated with this vulnerability.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Remaining zero days<\/h2>\n<p>The other three zero days, which Microsoft doesn\u2019t believe are being exploited, are <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2024-6197\">CVE-2024-6197<\/a>, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2024-20659\">CVE-2024-20659<\/a>, and <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2024-43583\">CVE-2024-43583<\/a>. Of those, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2024-6197\">CVE-2024-6197<\/a> and <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2024-43583\">CVE-2024-43583<\/a> are probably the two to watch: the first an RCE in the non-Microsoft but widely installed Curl command-line tool, the second an elevation-of-privilege flaw that an attacker could use to gain system privileges.<\/p>\n<p>The final one, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2024-6197\">CVE-2024-6197<\/a>, is a curious issue that might allow an attacker to target a VM hypervisor.<\/p>\n<p>\u201cOn some specific hardware it might be possible to bypass the UEFI [firmware], which could lead to the compromise of the hypervisor and the secure kernel,\u201d said Microsoft.<\/p>\n<p>If a zero day isn\u2019t being exploited, does it really count? What matters to Microsoft \u2014 and to system admins \u2014 is that it\u2019s been disclosed before a patch is available. 
That public status significantly raises the risk of a future exploit appearing should cybercriminals work out how to exploit it.<\/p>\n<h2 class=\"wp-block-heading\">Big numbers<\/h2>\n<p>The other way to judge the severity of a vulnerability is to look at its CVSS score. On that score, several other flaws stand out, principally <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-43468\">CVE-2024-43468<\/a>, an RCE in Microsoft Configuration Manager with a \u201ccritical\u201d rated CVSS score of 9.8, and <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-43488\">CVE-2024-43488<\/a>, an issue in the Arduino extension for Visual Studio which Microsoft has already mitigated.<\/p>\n<p>However, one that every security manager will jump on is <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-43582\">CVE-2024-43582<\/a>, a critical RCE vulnerability with an 8.1 CVSS score in Remote Desktop Protocol (RDP) server, an interface ransomware attackers in particular love to target.<\/p>\n<p>In total, eight vulnerabilities were tagged \u201cexploitation more likely,\u201d Microsoft\u2019s way of signalling that an exploit is likely within weeks. As ever, getting ahead of these is about applying this week\u2019s patches and mitigations.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The drama of Patch Tuesday often revolves around zero days, which in October\u2019s haul of 117 vulnerabilities brings patch managers a total of five that have been publicly disclosed. Of those, Microsoft said that two are being actively exploited. The first is CVE-2024-43573, intriguingly a spoofing flaw in the Windows MSHTML component. 
If this doesn\u2019t [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":548,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-547","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/547"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=547"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/547\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/548"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=547"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=547"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=547"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}