October 2024 Patch Tuesday: Two Zero-Days and Three Critical Vulnerabilities Amid 118 CVEs

Microsoft has released security updates for 118 vulnerabilities in its October 2024 Patch Tuesday rollout. These include two actively exploited zero-days (CVE-2024-43573, CVE-2024-43572). Three of the vulnerabilities are rated Critical in severity, while the remaining 115 are rated Important or Moderate.

October 2024 Risk Analysis

This month’s leading risk type is elevation of privilege (37%), followed by remote code execution (35%) and denial-of-service (22%).

Figure 1. Breakdown of October 2024 Patch Tuesday vulnerabilities by attack technique (pie chart)
Windows products received the most patches this month with 94, followed by Extended Security Update (ESU) with 50 and Developer Tools with 9.
Figure 2. Breakdown of product families affected by October 2024 Patch Tuesday (bar chart)

Actively Exploited Zero-Day Vulnerability in Microsoft Management Console

Microsoft Management Console received a patch for CVE-2024-43572, which has a severity of Important and a CVSS score of 7.8. This remote code execution (RCE) vulnerability allows a malicious Microsoft Saved Console (MSC) file to execute code on the device that opens it.

MSC files are associated with the Windows Command Prompt and PowerShell environments. These files are used to store the state and content of a console window, which can include sensitive information such as command history. Microsoft has not released details on how this vulnerability is being exploited; however, the security update will prevent untrusted MSC files from being opened.


Table 1. Zero-day in Microsoft Management Console

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 7.8 | CVE-2024-43572 | Microsoft Management Console Remote Code Execution Vulnerability |

Actively Exploited Zero-Day Vulnerability in Windows MSHTML Platform

The Windows MSHTML Platform received a patch for CVE-2024-43573, which has a severity of Moderate and a CVSS score of 6.5. This spoofing vulnerability exists in the Windows MSHTML Platform, which is used widely across Microsoft 365 and Microsoft Office products. It also affects Internet Explorer 11 and the legacy Microsoft Edge browser on certain platforms, as well as Windows applications.

Microsoft has not shared details of the vulnerability or the source of the disclosure. MSHTML has been targeted multiple times over the years (July 2024, May 2024, July 2023, December 2023, May 2023), making it a prime target for threat actors.


Table 2. Zero-day in Windows MSHTML Platform

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Moderate | 6.5 | CVE-2024-43573 | Windows MSHTML Platform Spoofing Vulnerability |

Critical Vulnerabilities in Configuration Manager, Visual Studio Code and Remote Desktop Protocol Server

CVE-2024-43468 is a Critical RCE vulnerability affecting Microsoft Configuration Manager and has a CVSS score of 9.8. Successful exploitation of this vulnerability allows unauthenticated attackers to execute code remotely. Microsoft Configuration Manager is part of Microsoft Intune, which is a family of products that enables software distribution and updates, inventory, settings management and remote control. Microsoft advises customers using the affected version to install an in-console update in order to be protected.

CVE-2024-43488 is a Critical RCE vulnerability affecting the Visual Studio Code extension for Arduino and has a CVSS score of 8.8. The flaw stems from a lack of proper authentication for crucial functions within the Arduino extension, which allows attackers to execute code remotely on affected systems through network-based attacks. As a form of mitigation, Microsoft has removed the extension from its Visual Studio Code marketplace, and the extension has been deprecated since October 1, 2024. Microsoft recommends its customers use the Arduino IDE software instead.

CVE-2024-43582 is a Critical RCE vulnerability affecting Remote Desktop Protocol Server and has a CVSS score of 8.1. It allows a remote, unauthenticated attacker to gain arbitrary code execution at elevated privilege levels by sending specially crafted Remote Procedure Call (RPC) requests. Successful exploitation requires the malicious actor to win a race condition. Given the characteristics of this bug, it has the potential to be self-propagating (wormable) if not mitigated urgently and effectively.


Table 3. Critical vulnerabilities in Configuration Manager, Visual Studio Code and Remote Desktop Protocol Server

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 9.8 | CVE-2024-43468 | Microsoft Configuration Manager Remote Code Execution Vulnerability |
| Critical | 8.8 | CVE-2024-43488 | Visual Studio Code Extension for Arduino Remote Code Execution Vulnerability |
| Critical | 8.1 | CVE-2024-43582 | Remote Desktop Protocol Server Remote Code Execution Vulnerability |

Patch Tuesday Dashboard in the Falcon Platform

For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our newly available Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned from other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As was the case for the ProxyNotShell vulnerabilities, it is critically important to develop a response plan for defending your environments when no patch is available.

Regular review of your patching strategy should still be part of your program, but you should also look more holistically at your organization's approach to cybersecurity and improve your overall security posture.

The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.

Additional Resources

  • For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
  • See how Falcon Exposure Management can help you discover and manage vulnerabilities and other exposures in your environments.
  • Learn how CrowdStrike’s external attack surface module, CrowdStrike® Falcon Surface™, can discover unknown, exposed and vulnerable internet-facing assets, enabling security teams to stop adversaries in their tracks.
  • Make prioritization painless and efficient. Watch how CrowdStrike Falcon® Spotlight enables IT staff to improve visibility with custom filters and team dashboards.
  • Test CrowdStrike next-gen antivirus for yourself with a free trial of CrowdStrike® Falcon Prevent™.