Thursday, November 21, 2024

Five Zero-Day Vulnerabilities Scheduled for Resolution on October Patch Tuesday

Microsoft just rolled out its October Patch Tuesday update, fixing five publicly known zero-day vulnerabilities. Out of these, two have been exploited in the wild, making them urgent priorities for security teams this month. The first is a remote code execution vulnerability in the Microsoft Management Console (CVE-2024-43572), and the second is a spoofing vulnerability in the Windows MSHTML Platform (CVE-2024-45373). These vulnerabilities have CVSS scores of 7.8 and 6.5, respectively, so they deserve immediate attention.

Chris Goettl, vice president of security products at Ivanti, highlighted the importance of staying updated during Cyber Security Awareness Month, noting that Microsoft addressed 117 new CVEs this month alone, including three critical ones. “The zero-day exploits are publicly disclosed, which could lead to increased attempts to exploit them,” he said. He urged users to prioritize this month’s Windows OS update to mitigate the risks quickly.

Kev Breen from Immersive Labs stressed the need to act on the Microsoft Management Console vulnerability, stating that while it involves remote code execution, it requires user interaction and some social engineering tactics. Attackers need to create a malicious .msc file that, when opened, runs arbitrary code. This file is often sent as an email attachment or a download link. After patching, security teams should review historical logs for any indicators of these files being shared.

For organizations unable to deploy the patch immediately, Breen suggested implementing additional monitoring rules for .msc files, as the update will block their execution.

Nikolas Cemerikic, another cyber security engineer at Immersive Labs, explained the risk tied to the MSHTML vulnerability. It tricks users into visiting malicious web content that looks legitimate, typically via phishing attacks. “This could allow unauthorized access to sensitive information, and attackers don’t need special permissions to exploit it,” he noted. Although ranked lower in severity, this vulnerability poses a significant risk for larger organizations, especially those stuck on legacy web applications like Internet Explorer.

As for the remaining vulnerabilities, they include CVE-2024-6197, a remote code execution issue in Open Source Curl; CVE-2024-20659, a security feature bypass in Windows Hyper-V; and CVE-2024-43583, an elevation of privilege flaw in Winlogon. These three are rated between 7 and 8 on the CVSS scale, but thankfully, none are currently known to be actively exploited.

Mike Walters from Action1 pointed out the Curl library issue, which comes from improper memory management that could allow code execution. While Windows doesn’t typically include Curl, its command-line tool does, so this is still a worthy alert. Exploiting this flaw could lead to remote code execution, turning compromised systems into channels for data breaches or malware distribution.

The Winlogon vulnerability arises from improper process handling during login, particularly involving Input Method Editors. Walters noted that attackers could leverage this flaw after gaining initial access, making it an entry point for deeper network penetration, especially in organizations using third-party IMEs.

Lastly, the Hyper-V vulnerability may be less likely to be exploited, as it’s tied to specific hardware setups and requires local network access. Tyler Reguly from Fortra pointed out the conditions under which it could be exploited, emphasizing that these criteria make widespread exploitation less probable.