Headline
Microsoft Issues Security Update Fixing 118 Flaws, Two Actively Exploited in the Wild
Microsoft has released security updates to fix a total of 118 vulnerabilities across its software portfolio, two of which have come under active exploitation in the wild. Of the 118 flaws, three are rated Critical, 113 are rated Important, and two are rated Moderate in severity. The Patch Tuesday update doesn’t include the 25 additional flaws that the tech giant addressed in its Chromium-based
Microsoft has released security updates to fix a total of 118 vulnerabilities across its software portfolio, two of which have come under active exploitation in the wild.
Of the 118 flaws, three are rated Critical, 113 are rated Important, and two are rated Moderate in severity. The Patch Tuesday update doesn’t include the 25 additional flaws that the tech giant addressed in its Chromium-based Edge browser over the past month.
Five of the vulnerabilities are listed as publicly known at the time of release, with two of them coming under active exploitation as a zero-day -
- CVE-2024-43572 (CVSS score: 7.8) - Microsoft Management Console Remote Code Execution Vulnerability (Exploitation detected)
- CVE-2024-43573 (CVSS score: 6.5) - Windows MSHTML Platform Spoofing Vulnerability (Exploitation Detected)
- CVE-2024-43583 (CVSS score: 7.8) - Winlogon Elevation of Privilege Vulnerability
- CVE-2024-20659 (CVSS score: 7.1) - Windows Hyper-V Security Feature Bypass Vulnerability
- CVE-2024-6197 (CVSS score: 8.8) - Open Source Curl Remote Code Execution Vulnerability (non-Microsoft CVE)
It’s worth noting that CVE-2024-43573 is similar to CVE-2024-38112 and CVE-2024-43461, two other MSHTML spoofing flaws that have been exploited prior to July 2024 by the Void Banshee threat actor to deliver the Atlantida Stealer malware.
Microsoft makes no mention of how the two vulnerabilities are exploited in the wild, and by whom, or how widespread they are. It credited researchers Andres and Shady for reporting CVE-2024-43572, but no acknowledgment has been given for CVE-2024-43573, raising the possibility that it could be a case of patch bypass.
“Since the discovery of CVE-2024-43572, Microsoft now prevents untrusted MSC files from being opened on a system,” Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.
The active exploitation of CVE-2024-43572 and CVE-2024-43573 has also been noted by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which added them to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by October 29, 2024.
Among all the flaws disclosed by Redmond on Tuesday, the most severe concerns a remote execution flaw in Microsoft Configuration Manager (CVE-2024-43468, CVSS score: 9.8) that could allow unauthenticated actors to run arbitrary commands.
“An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database,” it said.
Two other Critical-rated severity flaws also relate to remote code execution in Visual Studio Code extension for Arduino (CVE-2024-43488, CVSS score: 8.8) and Remote Desktop Protocol (RDP) Server (CVE-2024-43582, CVSS score: 8.1).
“Exploitation requires an attacker to send deliberately-malformed packets to a Windows RPC host, and leads to code execution in the context of the RPC service, although what this means in practice may depend on factors including RPC Interface Restriction configuration on the target asset,” Adam Barnett, lead software engineer at Rapid7, told about CVE-2024-43582.
“One silver lining: attack complexity is high, since the attacker must win a race condition to access memory improperly.”
Software Patches from Other Vendors
Outside of Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —
- Adobe
- Amazon Web Services
- Apache Avro
- Apple
- AutomationDirect
- Bosch
- Broadcom (including VMware)
- Cisco (including Splunk)
- Citrix
- CODESYS
- Dell
- Draytek
- Drupal
- F5
- Fortinet
- GitLab
- Google Android
- Google Chrome
- Google Cloud
- Hitachi Energy
- HP
- HP Enterprise (including Aruba Networks)
- IBM
- Intel
- Ivanti
- Jenkins
- Juniper Networks
- Lenovo
- Linux distributions Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, and Ubuntu
- MediaTek
- Mitsubishi Electric
- MongoDB
- Mozilla Firefox, Firefox ESR, and Thunderbird
- NVIDIA
- Okta
- Palo Alto Networks
- Progress Software
- QNAP
- Qualcomm
- Rockwell Automation
- Salesforce Tableau
- Samsung
- SAP
- Schneider Electric
- Siemens
- Sophos
- Synology
- Trend Micro
- Veritas
- Zoom, and
- Zyxel
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
What is known about the Spoofing – Windows MSHTML Platform (CVE-2024-43573) vulnerability from the October Microsoft Patch Tuesday? In fact, just that it is being exploited in the wild. There are no write-ups or public exploits yet. The Acknowledgements section in the Microsoft bulletin is empty. It is not clear who reported it and from […]
September episode of “In The Trend of VM”: 7 CVEs, fake reCAPTCHA, lebanese pagers, VM and IT annual bonuses. Starting this month, we decided to slightly expand the topics of the videos and increase their duration. I cover not only the trending vulnerabilities of September, but also social engineering cases, real-world vulnerability exploitation, and practices […]
Rather than setting a regular cadence for changing passwords, users only need to change their passwords if there is evidence of a breach.
Microsoft today released security updates to fix at least 117 security holes in Windows computers and other software, including two vulnerabilities that are already seeing active attacks. Also, Adobe plugged 52 security holes across a range of products, and Apple has addressed a bug in its new macOS 15 "Sequoia" update that broke many cybersecurity tools.
Microsoft today released security updates to fix at least 117 security holes in Windows computers and other software, including two vulnerabilities that are already seeing active attacks. Also, Adobe plugged 52 security holes across a range of products, and Apple has addressed a bug in its new macOS 15 "Sequoia" update that broke many cybersecurity tools.
Threat actors are actively exploiting two of the vulnerabilities, while three others are publicly known and ripe for attack.
The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.
The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.
The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.
The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.
The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.
The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.
Attackers have been using the Windows MSHTML Platform spoofing vulnerability in conjunction with another zero-day flaw.
Attackers have been using the Windows MSHTML Platform spoofing vulnerability in conjunction with another zero-day flaw.
Microsoft's September 2024 Patch Tuesday is here. Make sure you’ve applied the necessary patches!
Microsoft's September 2024 Patch Tuesday is here. Make sure you’ve applied the necessary patches!
This month's Patch Tuesday contains a total of 79 vulnerabilities — the fourth largest of the year.
This month's Patch Tuesday contains a total of 79 vulnerabilities — the fourth largest of the year.
Though IE was officially retired in June 2022, the vulnerability ramped up in January 2023 and has been going strong since.
Telecommunications provider AT&T disclosed earlier this month that adversaries stole a cache of data that contained the phone numbers and call records of “nearly all” of its customers.
The threat group used CVE-2024-38112 and a "zombie" version of IE to spread Atlantida Stealer through purported PDF versions of reference books.
An advanced persistent threat (APT) group called Void Banshee has been observed exploiting a recently disclosed security flaw in the Microsoft MHTML browser engine as a zero-day to deliver an information stealer called Atlantida. Cybersecurity firm Trend Micro, which observed the activity in mid-May 2024, the vulnerability – tracked as CVE-2024-38112 – was used as part of a multi-stage attack
Microsoft has released patches to address a total of 143 security flaws as part of its monthly security updates, two of which have come under active exploitation in the wild. Five out of the 143 flaws are rated Critical, 136 are rated Important, and four are rated Moderate in severity. The fixes are in addition to 33 vulnerabilities that have been addressed in the Chromium-based Edge browser
Microsoft Corp. today issued software updates to plug 139 security holes in various flavors of Windows and other Microsoft products. Redmond says attackers are already exploiting at least two of the vulnerabilities in active attacks against Windows users.