Microsoft issues 117 patches – some for flaws already under attack

Plus: SAP re-patches a failed patch for critical-rated flaw


Patch Tuesday: It's the second Tuesday of the month, which means Patch Tuesday, bringing with it fixes for numerous flaws, bugs and vulnerabilities in major software. And this one is a doozy.

Microsoft has delivered 117 patches – two of which are for vulnerabilities under active exploitation – and plenty of others that are sufficiently serious that they deserve your rapid attention.

The most serious flaw already being exploited by malfeasants is CVE-2024-43572, a 7.8-rated problem with Microsoft Management Console that would allow an attacker to run code on a machine by getting it to open an untrusted Microsoft Saved Console (MSC) file. MSC files are saved console configurations: they tell mmc.exe which management snap-ins to load and how to lay them out, so a crafted one opened by a victim can have nasty consequences.

Microsoft classifies this as a remote code execution flaw, with the caveat that the attacker is remote only in the sense of delivering the file: the victim must still be persuaded to open it locally. The fix stops MMC from opening untrusted MSC files.

The flaw is present in Windows Server 2008 through 2022. Windows 10 and 11 are also at risk.
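One check a defender would want for the MMC bug above, as an added example that is not code from the article or from Microsoft: a small triage routine that walks process-creation telemetry and flags mmc.exe loading a saved console from outside the directories consoles normally live in, or being spawned by a mail client, browser, archiver or Office app (the "convince a victim to open the file" delivery path). The event lines, the allowlist of trusted directories and the set of delivery parents are all constructed assumptions for the example; map them onto your own telemetry source.

```python
"""Triage process-creation events for untrusted Microsoft Saved Console (.msc)
loads.  Added example, not code from the article or from Microsoft: the event
lines below are constructed, in a simplified Image|CommandLine|ParentImage form.
"""
import re
from typing import Dict, List, Optional

# Directories from which mmc.exe is expected to load saved consoles.
# Assumption: your estate ships no custom consoles elsewhere; extend as needed.
TRUSTED_MSC_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Parents that typically hand a user-opened file to its handler; an .msc
# arriving via one of these is the "convince a victim to open it" path.
DELIVERY_PARENTS = {
    "outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe",
    "chrome.exe", "msedge.exe", "firefox.exe", "7zfm.exe", "winrar.exe",
}

# A quoted or bare argument ending in .msc inside a command line.
MSC_ARG = re.compile(r'"([^"]+?\.msc)"|(\S+?\.msc)(?=\s|$)', re.IGNORECASE)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Admin opens Event Viewer from the Start menu: expected.
    r"C:\Windows\System32\mmc.exe|mmc.exe C:\Windows\System32\eventvwr.msc|C:\Windows\explorer.exe",
    # Console double-clicked from Downloads: untrusted location.
    r'C:\Windows\System32\mmc.exe|"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\invoice.msc"|C:\Windows\explorer.exe',
    # Attachment opened straight from Outlook into a temp folder: both signals.
    r'C:\Windows\System32\mmc.exe|"C:\Windows\System32\mmc.exe" "C:\Users\bob\AppData\Local\Temp\report.msc"|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE',
    # Vendor console under Program Files: allowlisted.
    r'C:\Windows\System32\mmc.exe|"C:\Windows\System32\mmc.exe" "C:\Program Files\Contoso\Admin Console\manage.msc"|C:\Windows\explorer.exe',
    # MMC started with no console argument: nothing to judge.
    r"C:\Windows\System32\mmc.exe|mmc.exe|C:\Windows\explorer.exe",
    # Not MMC at all: ignored by this rule.
    r"C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\Downloads\invoice.msc|C:\Windows\explorer.exe",
]


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def msc_argument(cmdline: str) -> Optional[str]:
    """Return the .msc path passed on the command line, if any."""
    m = MSC_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def in_trusted_dir(path: str) -> bool:
    """True when the console sits under one of the allowlisted directories."""
    p = path.lower().replace("/", "\\")
    return any(p.startswith(d) for d in TRUSTED_MSC_DIRS)


def triage(events: List[str]) -> List[Dict[str, object]]:
    """Return one finding per mmc.exe launch that loads a suspicious .msc."""
    findings: List[Dict[str, object]] = []
    for line in events:
        image, cmdline, parent = line.split("|", 2)
        if basename(image) != "mmc.exe":
            continue
        msc = msc_argument(cmdline)
        if msc is None:
            continue  # console chosen interactively, nothing to judge
        reasons = []
        if not in_trusted_dir(msc):
            reasons.append("msc outside trusted directories")
        parent_name = basename(parent)
        if parent_name in DELIVERY_PARENTS:
            reasons.append("spawned by " + parent_name)
        if reasons:
            findings.append({"msc": msc, "parent": parent_name, "reasons": reasons})
    return findings


def triage_sample() -> List[Dict[str, object]]:
    """Run the rule over the constructed events; expected: two findings."""
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"ALERT {f['msc']} (parent {f['parent']}): {', '.join(f['reasons'])}")
```

This flags the delivery precondition rather than exploitation itself, so treat a hit as a prompt to pull the file and check whether the host has the October update, not as proof of compromise. The path allowlist is deliberately narrow; a console legitimately launched from a user profile or a network share will alert until you add that location.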

The other exploited issue is CVE-2024-43573, a CVSS 6.5 spoofing flaw in MSHTML that Microsoft rates as moderate severity.

Yes, you remembered right: MSHTML is the browser engine that powered Internet Explorer, which Microsoft retired several years back. But the code lives on inside Windows, and all versions of Windows Server after 2012 R2 are vulnerable. So are many releases of Windows 10.

Three other patches cover vulnerabilities that were publicly disclosed before the fix shipped, although no exploitation has been detected. There's a CVSS 8.8 flaw in curl (CVE-2024-6197), an invalid free in libcurl's ASN.1 certificate parser that a malicious TLS server could trigger against anyone who connects to it; a CVSS 8.8 flaw (CVE-2024-43583) in Winlogon that would allow an unauthenticated attacker to gain SYSTEM privileges; and a 7.1 fix (CVE-2024-20659) for Hyper-V on UEFI hosts that could bypass the hypervisor and secure kernel, provided the attacker can get the machine rebooted.

Of the remainder, the two most serious patches by CVSS score are a 9.8 remote code execution vulnerability (CVE-2024-43468) in Microsoft Configuration Manager, which lets an unauthenticated attacker send crafted requests that are processed unsafely and run commands on the server or its database via SQL, and a 9.0 elevation of privilege flaw in Netlogon (CVE-2024-38124) that would let an attacker obtain domain administrator privileges with no user interaction required.

The best of the rest

Adobe brought 52 CVEs to October's patch party, none of them known to be under exploitation and all given Adobe's lowest deployment priority.

The graphics and publishing mainstay issued patches for its Commerce and Magento, FrameMaker, InDesign, InCopy, Dimension, Animate, Lightroom, Substance 3D Painter, and Substance 3D Stager packages.

SAP's October patch day lists a dozen security notes, six of which are updates to earlier patches.

The worst of the re-patches covers CVE-2024-41730, a 9.8-rated missing authentication check in BusinessObjects Business Intelligence Platform that the ERP giant tried to patch back in August but which needs another fix.

The worst of the new flaws is CVE-2022-23302, a CVSS 8.0 deserialization problem in the JMSSink component of Apache Log4j 1.x that affects users of SAP Enterprise Project Connection. Users have also been warned of fresh fixes for BusinessObjects Business Intelligence Platform, Commerce Backoffice, NetWeaver Enterprise Portal, and SAP HANA.
