Security
Headlines
HeadlinesLatestCVEs

Headline

Microsoft Issues Security Update Fixing 118 Flaws, Two Actively Exploited in the Wild

Microsoft has released security updates to fix a total of 118 vulnerabilities across its software portfolio, two of which have come under active exploitation in the wild. Of the 118 flaws, three are rated Critical, 113 are rated Important, and two are rated Moderate in severity. The Patch Tuesday update doesn’t include the 25 additional flaws that the tech giant addressed in its Chromium-based

The Hacker News
#vulnerability#web#android#windows#apple#google#microsoft#amazon#ubuntu#linux#debian#cisco#red_hat#apache#git#oracle#intel#rce#perl#vmware#aws#lenovo#samsung#auth#ibm#dell#zero_day#mongo#chrome#firefox#sap#The Hacker News

Microsoft has released security updates to fix a total of 118 vulnerabilities across its software portfolio, two of which have come under active exploitation in the wild.

Of the 118 flaws, three are rated Critical, 113 are rated Important, and two are rated Moderate in severity. The Patch Tuesday update doesn’t include the 25 additional flaws that the tech giant addressed in its Chromium-based Edge browser over the past month.

Five of the vulnerabilities are listed as publicly known at the time of release, with two of them coming under active exploitation as a zero-day -

  • CVE-2024-43572 (CVSS score: 7.8) - Microsoft Management Console Remote Code Execution Vulnerability (Exploitation detected)
  • CVE-2024-43573 (CVSS score: 6.5) - Windows MSHTML Platform Spoofing Vulnerability (Exploitation Detected)
  • CVE-2024-43583 (CVSS score: 7.8) - Winlogon Elevation of Privilege Vulnerability
  • CVE-2024-20659 (CVSS score: 7.1) - Windows Hyper-V Security Feature Bypass Vulnerability
  • CVE-2024-6197 (CVSS score: 8.8) - Open Source Curl Remote Code Execution Vulnerability (non-Microsoft CVE)

It’s worth noting that CVE-2024-43573 is similar to CVE-2024-38112 and CVE-2024-43461, two other MSHTML spoofing flaws that have been exploited prior to July 2024 by the Void Banshee threat actor to deliver the Atlantida Stealer malware.

Microsoft makes no mention of how the two vulnerabilities are exploited in the wild, and by whom, or how widespread they are. It credited researchers Andres and Shady for reporting CVE-2024-43572, but no acknowledgment has been given for CVE-2024-43573, raising the possibility that it could be a case of patch bypass.

“Since the discovery of CVE-2024-43572, Microsoft now prevents untrusted MSC files from being opened on a system,” Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.

The active exploitation of CVE-2024-43572 and CVE-2024-43573 has also been noted by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which added them to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by October 29, 2024.

Among all the flaws disclosed by Redmond on Tuesday, the most severe concerns a remote execution flaw in Microsoft Configuration Manager (CVE-2024-43468, CVSS score: 9.8) that could allow unauthenticated actors to run arbitrary commands.

“An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database,” it said.

Two other Critical-rated severity flaws also relate to remote code execution in Visual Studio Code extension for Arduino (CVE-2024-43488, CVSS score: 8.8) and Remote Desktop Protocol (RDP) Server (CVE-2024-43582, CVSS score: 8.1).

“Exploitation requires an attacker to send deliberately-malformed packets to a Windows RPC host, and leads to code execution in the context of the RPC service, although what this means in practice may depend on factors including RPC Interface Restriction configuration on the target asset,” Adam Barnett, lead software engineer at Rapid7, told about CVE-2024-43582.

“One silver lining: attack complexity is high, since the attacker must win a race condition to access memory improperly.”

Software Patches from Other Vendors

Outside of Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

  • Adobe
  • Amazon Web Services
  • Apache Avro
  • Apple
  • AutomationDirect
  • Bosch
  • Broadcom (including VMware)
  • Cisco (including Splunk)
  • Citrix
  • CODESYS
  • Dell
  • Draytek
  • Drupal
  • F5
  • Fortinet
  • GitLab
  • Google Android
  • Google Chrome
  • Google Cloud
  • Hitachi Energy
  • HP
  • HP Enterprise (including Aruba Networks)
  • IBM
  • Intel
  • Ivanti
  • Jenkins
  • Juniper Networks
  • Lenovo
  • Linux distributions Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, and Ubuntu
  • MediaTek
  • Mitsubishi Electric
  • MongoDB
  • Mozilla Firefox, Firefox ESR, and Thunderbird
  • NVIDIA
  • Okta
  • Palo Alto Networks
  • Progress Software
  • QNAP
  • Qualcomm
  • Rockwell Automation
  • Salesforce Tableau
  • Samsung
  • SAP
  • Schneider Electric
  • Siemens
  • Sophos
  • Synology
  • Trend Micro
  • Veritas
  • Zoom, and
  • Zyxel

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related news

New episode “In The Trend of VM” (#9): 4 trending vulnerabilities of October, scandal at The Linux Foundation, social “attack on the complainer”, “Ford’s method” for motivating IT specialists to fix vulnerabilities

New episode “In The Trend of VM” (#9): 4 trending vulnerabilities of October, scandal at The Linux Foundation, social “attack on the complainer”, “Ford’s method” for motivating IT specialists to fix vulnerabilities. The competition for the best question on the topic of VM continues. 😉🎁 📹 Video on YouTube, LinkedIn🗞 Post on Habr (rus)🗒 Digest […]

What is known about the Spoofing – Windows MSHTML Platform (CVE-2024-43573) vulnerability from the October Microsoft Patch Tuesday?

What is known about the Spoofing – Windows MSHTML Platform (CVE-2024-43573) vulnerability from the October Microsoft Patch Tuesday? In fact, just that it is being exploited in the wild. There are no write-ups or public exploits yet. The Acknowledgements section in the Microsoft bulletin is empty. It is not clear who reported it and from […]

September episode of “In The Trend of VM”: 7 CVEs, fake reCAPTCHA, lebanese pagers, VM and IT annual bonuses

September episode of “In The Trend of VM”: 7 CVEs, fake reCAPTCHA, lebanese pagers, VM and IT annual bonuses. Starting this month, we decided to slightly expand the topics of the videos and increase their duration. I cover not only the trending vulnerabilities of September, but also social engineering cases, real-world vulnerability exploitation, and practices […]

What NIST’s latest password standards mean, and why the old ones weren’t working

Rather than setting a regular cadence for changing passwords, users only need to change their passwords if there is evidence of a breach.

Patch Tuesday, October 2024 Edition

Microsoft today released security updates to fix at least 117 security holes in Windows computers and other software, including two vulnerabilities that are already seeing active attacks. Also, Adobe plugged 52 security holes across a range of products, and Apple has addressed a bug in its new macOS 15 "Sequoia" update that broke many cybersecurity tools.

Patch Tuesday, October 2024 Edition

Microsoft today released security updates to fix at least 117 security holes in Windows computers and other software, including two vulnerabilities that are already seeing active attacks. Also, Adobe plugged 52 security holes across a range of products, and Apple has addressed a bug in its new macOS 15 "Sequoia" update that broke many cybersecurity tools.

5 Zero-Days in Microsoft's October Update to Patch Immediately

Threat actors are actively exploiting two of the vulnerabilities, while three others are publicly known and ripe for attack.

Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities

The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.

Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities

The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.

Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities

The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.

Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities

The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.

Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities

The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.

Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities

The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.

'Void Banshee' Exploits Second Microsoft Zero-Day

Attackers have been using the Windows MSHTML Platform spoofing vulnerability in conjunction with another zero-day flaw.

'Void Banshee' Exploits Second Microsoft Zero-Day

Attackers have been using the Windows MSHTML Platform spoofing vulnerability in conjunction with another zero-day flaw.

Microsoft Discloses 4 Zero-Days in September Update

This month's Patch Tuesday contains a total of 79 vulnerabilities — the fourth largest of the year.

Microsoft Discloses 4 Zero-Days in September Update

This month's Patch Tuesday contains a total of 79 vulnerabilities — the fourth largest of the year.

Microsoft's Internet Explorer Gets Revived to Lure in Windows Victims

Though IE was officially retired in June 2022, the vulnerability ramped up in January 2023 and has been going strong since.

It's best to just assume you’ve been involved in a data breach somehow

Telecommunications provider AT&T disclosed earlier this month that adversaries stole a cache of data that contained the phone numbers and call records of “nearly all” of its customers.

Void Banshee APT Exploits Microsoft Zero-Day in Spear-Phishing Attacks

The threat group used CVE-2024-38112 and a "zombie" version of IE to spread Atlantida Stealer through purported PDF versions of reference books.

Void Banshee APT Exploits Microsoft MHTML Flaw to Spread Atlantida Stealer

An advanced persistent threat (APT) group called Void Banshee has been observed exploiting a recently disclosed security flaw in the Microsoft MHTML browser engine as a zero-day to deliver an information stealer called Atlantida. Cybersecurity firm Trend Micro, which observed the activity in mid-May 2024, the vulnerability – tracked as CVE-2024-38112 – was used as part of a multi-stage attack

Microsoft's July Update Patches 143 Flaws, Including Two Actively Exploited

Microsoft has released patches to address a total of 143 security flaws as part of its monthly security updates, two of which have come under active exploitation in the wild. Five out of the 143 flaws are rated Critical, 136 are rated Important, and four are rated Moderate in severity. The fixes are in addition to 33 vulnerabilities that have been addressed in the Chromium-based Edge browser

Microsoft Patch Tuesday, July 2024 Edition

Microsoft Corp. today issued software updates to plug 139 security holes in various flavors of Windows and other Microsoft products. Redmond says attackers are already exploiting at least two of the vulnerabilities in active attacks against Windows users.

The Hacker News: Latest News

AI Could Generate 10,000 Malware Variants, Evading Detection in 88% of Case