Date: 2024-10-09

Microsoft’s October Patch Tuesday drop has arrived, addressing a total of five publicly disclosed zero-day vulnerabilities – two of them exploited in the wild, and three other critical issues for attention – in a relatively large update.

Although moderate in their severity, carrying CVSS scores of 7.8 and 6.5 respectively, the two exploited zero-days should be top of mind for security teams this month, with one a remote code execution vulnerability in Microsoft Management Console – CVE-2024-43572 – and the other a spoofing vulnerability in Windows MSHTML Platform – CVE-2024-45373.

“October is Cyber Security Awareness Month! What better way to stay cyber-aware than to read up on the latest security updates hitting the market,” said Ivanti security products vice-president Chris Goettl.

“Microsoft resolved 117 new CVEs this month, three of which are rated critical by Microsoft. This month’s line-up has two zero-day exploits that have also been publicly disclosed putting them at risk of more widespread exploitation. Both of the zero-day vulnerabilities are resolved by this month’s Windows OS update, making that your top priority to reduce risk quickly.”

Of these two, the Microsoft Management Console issue should be urgently addressed, explained Immersive Labs senior director of threat research Kev Breen.

“While the notes say remote code execution this vulnerability requires user interaction and some degree of social engineering,” he said. “To exploit this vulnerability an attacker must craft a malicious .msc file that, if opened, will run arbitrary code or commands that allow a threat actor to compromise the host.

“This file would typically be sent via email as an attachment or as a link to a download,” said Breen. “After patching, security teams and threat hunters should proactively check historical logs for indicators of these files being sent and received.”
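One way to run the historical log check described above, as an added example that is not from the article or from Immersive Labs: it scans mail-gateway records for .msc attachments and download links. The JSON-lines schema, the field names and the sample records are constructed assumptions; map them to your own gateway's export.

```python
import json
from urllib.parse import urlsplit, unquote

# Constructed sample records (not real traffic); field names are assumed.
SAMPLE_LOG = """\
{"ts":"2024-10-01T09:12:03Z","to":"a.user@corp.example","attachments":["invoice.pdf"],"urls":[]}
{"ts":"2024-10-02T14:40:51Z","to":"b.user@corp.example","attachments":["VPN-Setup.MSC"],"urls":[]}
{"ts":"2024-10-03T08:05:19Z","to":"c.user@corp.example","attachments":[],"urls":["https://files.example.com/dl/policy%2Emsc?id=7#top"]}
{"ts":"2024-10-03T11:22:40Z","to":"d.user@corp.example","attachments":["report.msc. "],"urls":["https://example.com/docs/msc-guide.html"]}
this line is not JSON and is skipped
"""

def is_msc_name(name):
    """True if a file name ends up with a .msc extension on Windows."""
    # Windows drops trailing dots and spaces from a file name, so
    # "report.msc. " is written to disk as "report.msc".
    return name.rstrip(". ").lower().endswith(".msc")

def is_msc_url(url):
    """True if the URL path, ignoring query and fragment, names a .msc file."""
    path = unquote(urlsplit(url).path)  # decode %2E and similar
    return is_msc_name(path.rsplit("/", 1)[-1])

def hunt(log_text):
    """Return (timestamp, recipient, kind, value) for every .msc sighting."""
    hits = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON lines in old exports
        for name in rec.get("attachments", []):
            if is_msc_name(name):
                hits.append((rec.get("ts"), rec.get("to"), "attachment", name))
        for url in rec.get("urls", []):
            if is_msc_url(url):
                hits.append((rec.get("ts"), rec.get("to"), "url", url))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit, sep="  ")
```

The same two predicates can back a blocking rule, since they match on the normalised extension rather than on a literal substring.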

Monitoring and blocking

Breen added that those not able to deploy the patch right away should consider adding additional monitoring and blocking rules targeting .msc files – the fix deployed also prevents these from executing on the system.

Meanwhile, Breen’s colleague Nikolas Cemerikic, cyber security engineer at Immersive Labs, ran the rule over CVE-2024-45373. He said: “The vulnerability allows an attacker to trick users into viewing malicious web content, which could appear legitimate due to the way the platform handles certain web elements.

“Once a user is deceived into interacting with this content, typically through phishing attacks, the attacker can potentially gain unauthorised access to sensitive information or manipulate web-based services. Importantly, this attack requires no special permissions or knowledge of the user’s system, making it relatively easy for cyber criminals to execute.”

Though rated lower in severity, it is already being exploited which makes it a serious concern for large organisations, particularly those running a lot of legacy web applications – the MSHTML platform underpins the now-retired Internet Explorer, for example – which is still widely used for compatibility reasons.

This, said Cemerikic, creates risk for employees using older systems in their everyday work, “especially if they are accessing sensitive data or performing financial transactions online”.