Introduction

In October 2024, Microsoft released patches addressing 117 security vulnerabilities, including two actively exploited zero-day vulnerabilities, CVE-2024-43572 and CVE-2024-43573 [3] [4] [5] [8] [9] [10] [11]. Because exploitation was already under way when the fixes shipped, both warrant immediate attention and remediation.

Description

Microsoft's October 2024 Patch Tuesday release fixes 117 security vulnerabilities, two of which, CVE-2024-43572 and CVE-2024-43573, were being actively exploited before a patch was available [4] [9] [11].

CVE-2024-43572 is a remote code execution (RCE) vulnerability in the Microsoft Management Console (MMC), the host application for administrative snap-ins such as Event Viewer and the Group Policy editors [2] [4] [5] [8] [9] [10] [11]. Microsoft rates it "Important" with a CVSS score of 7.8 [3] [11]. Despite the RCE label, exploitation requires a user to open a specially crafted Microsoft Saved Console (MSC) file, typically delivered through social engineering such as an email attachment or download. That requirement lowers the likelihood of exploitation [6], but the consequence of an administrator loading a malicious console is code execution with that administrator's privileges, which justifies prompt testing and deployment of the update [6]. Public disclosure of the flaw adds urgency, since it may attract additional threat actors [3]. Millions of endpoints that rely on MMC for administrative tasks are estimated to be exposed until the update is installed [10]. The patch changes how MMC handles MSC files so that untrusted files are no longer opened [5], which blocks the exploitation path for this vulnerability [2]; it does not change the fact that an MSC file is effectively executable content and should be handled like any other attachment. Earlier reporting described threat actors using specially crafted MSC files, a technique referred to as GrimResource, for initial access and defense evasion [4], although it remains unclear whether that activity was directly linked to CVE-2024-43572 [4].
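The delivery path described above (a user opening an MSC file that arrived by email, download or archive) leaves a recognisable trace in process-creation telemetry. The script below is an added example, not code from the original page or from Microsoft: it hunts for mmc.exe launches that open a saved console from outside the directories where installed consoles live, or that are spawned by a mail client, browser or archive tool. The key=value log format, the sample events, the trusted directory list and the delivery-application list are all assumptions constructed for the example and should be tuned to the environment.

```python
"""Hunt for suspicious Microsoft Management Console (mmc.exe) launches.

Added example: flags process-creation events where mmc.exe opens a saved
console (.msc) from outside the directories where installed consoles live,
or is spawned by a mail client, browser or archive tool, the usual arrival
path for a socially engineered MSC file. The log format (key=value fields
joined by '|') and the sample events are constructed for this example.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Directories from which a legitimately installed .msc is expected to load
# (assumed default install layout; extend for in-house admin tooling). The
# trailing separator stops 'c:\windows\system32' matching 'c:\windows\system32x'.
TRUSTED_MSC_DIRS = tuple(
    d.lower() + "\\"
    for d in (r"C:\Windows\System32", r"C:\Windows\SysWOW64",
              r"C:\Program Files", r"C:\Program Files (x86)")
)

# Parent processes that indicate the console arrived by email, download or
# archive extraction rather than from an administrator's own tooling (assumed list).
DELIVERY_PARENTS = {"outlook.exe", "thunderbird.exe", "chrome.exe",
                    "msedge.exe", "firefox.exe", "winrar.exe", "7zfm.exe"}

# First alternative: a quoted path that may contain spaces; second: a bare token.
MSC_ARG = re.compile(r'"([^"]+\.msc)"|(\S+\.msc)\b', re.IGNORECASE)

# Constructed Sysmon-style process-creation events (not a real log export).
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\mmc.exe|CommandLine="C:\Windows\System32\mmc.exe" "C:\Windows\System32\eventvwr.msc"|ParentImage=C:\Windows\explorer.exe|User=CORP\alice',
    r'Image=C:\Windows\System32\mmc.exe|CommandLine="C:\Windows\System32\mmc.exe" "C:\Users\bob\Downloads\Invoice_Q3.msc"|ParentImage=C:\Windows\explorer.exe|User=CORP\bob',
    r'Image=C:\Windows\System32\mmc.exe|CommandLine="C:\Windows\System32\mmc.exe" C:\Users\carol\AppData\Local\Temp\7zO4A1\readme.msc|ParentImage=C:\Program Files\7-Zip\7zFM.exe|User=CORP\carol',
    r'Image=C:\Windows\System32\mmc.exe|CommandLine="C:\Windows\System32\mmc.exe" "C:\Program Files\Contoso Agent\contoso.msc"|ParentImage=C:\Windows\explorer.exe|User=CORP\dave',
    r'Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe C:\Users\erin\notes.msc|ParentImage=C:\Windows\explorer.exe|User=CORP\erin',
]


@dataclass
class Finding:
    user: str
    msc_path: str
    reasons: List[str]


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'key=value|key=value' line into a field dictionary."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def extract_msc_path(command_line: str) -> Optional[str]:
    """Return the .msc argument passed to mmc.exe, or None if there is none."""
    match = MSC_ARG.search(command_line)
    if not match:
        return None
    return match.group(1) or match.group(2)


def assess(event: Dict[str, str]) -> Optional[Finding]:
    """Apply the two hunting rules to a single parsed event."""
    if ntpath.basename(event.get("Image", "")).lower() != "mmc.exe":
        return None
    msc = extract_msc_path(event.get("CommandLine", ""))
    if msc is None:
        return None  # bare mmc.exe launch; no saved console file was passed
    reasons = []
    if not ntpath.normpath(msc).lower().startswith(TRUSTED_MSC_DIRS):
        reasons.append("saved console loaded from outside trusted install directories")
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent in DELIVERY_PARENTS:
        reasons.append(f"mmc.exe spawned by delivery application {parent}")
    if not reasons:
        return None
    return Finding(event.get("User", "<unknown>"), msc, reasons)


def hunt(lines: List[str]) -> List[Finding]:
    """Run the rules over raw log lines and return the events worth triage."""
    findings = []
    for line in lines:
        finding = assess(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.user}: {f.msc_path}")
        for reason in f.reasons:
            print(f"  - {reason}")
```

Run against the sample events, the hunt flags Bob's console in Downloads and Carol's console extracted into Temp by 7-Zip, while the stock Event Viewer console and a vendor console under Program Files are ignored. The path rule is the important one: even after the patch blocks untrusted MSC files, an mmc.exe launch from a user-writable directory is worth a look, because it shows the delivery attempt reached a user.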

CVE-2024-43573 is a moderate-severity spoofing vulnerability in the Windows MSHTML platform [2] [3] [5] [7] [9], with a CVSS score of 6.5 [3] [5] [7] [10] [11]. Exploitation requires user interaction [3]: an attacker lures the target into interacting with spoofed content or interface elements, which can expose sensitive information and support phishing or data compromise. It is actively exploited and resembles a previously patched MSHTML bug associated with the advanced persistent threat (APT) group known as Void Banshee. It is the fourth MSHTML zero-day of 2024 [5], following CVE-2024-30040, CVE-2024-38112 and CVE-2024-43461, which were patched in May, July and September 2024 respectively [3] [5]. Trend Micro's Zero Day Initiative advises organizations to prioritize this fix because it provides an attack vector that relies only on social engineering. Although Internet Explorer is no longer supported [3], the MSHTML engine remains in Windows for backward compatibility (for example for Internet Explorer mode in Edge and for applications that embed the legacy WebBrowser control), so unpatched systems remain exposed [3]. Notably, CVE-2024-38112 and CVE-2024-43461 were chained by Void Banshee to deliver the Atlantida Stealer malware. The risk is greatest for enterprises in sectors such as finance and e-commerce that depend heavily on web interactions [10], particularly where perimeter defenses are weak [10].

Both vulnerabilities have been added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog, which requires federal agencies to apply the fixes by October 29, 2024 [7]. Microsoft has also issued guidance for system administrators [1], recommending robust monitoring to detect and block exploitation attempts [1]. CISA additionally advises enabling multi-factor authentication (MFA) and enforcing strict access controls around sensitive systems [1], together with regular vulnerability scanning and penetration testing to find and fix weaknesses before they are exploited [1]. Alongside the two zero-days [3], Microsoft addressed three other publicly disclosed vulnerabilities in the same release [3].

Conclusion

The release of patches for these vulnerabilities underscores the critical need for organizations to remain vigilant and proactive in their cybersecurity efforts. Immediate implementation of the patches, along with recommended security measures such as multi-factor authentication and regular vulnerability assessments, is essential to mitigate risks. As threat landscapes evolve, continuous monitoring and adaptation of security strategies will be crucial in safeguarding systems against future vulnerabilities.

References

[1] https://nordicdefender.com/blog/microsoft-zero-day-vulnerabilities-exploited-cve-2024-43572-cve-2024-43573
[2] https://blog.talosintelligence.com/microsoft-patch-tuesday-october-2024/
[3] https://www.techtarget.com/searchWindowsServer/news/366613059/Microsoft-repairs-2-zero-days-on-October-Patch-Tuesday
[4] https://www.darkreading.com/vulnerabilities-threats/5-cves-microsofts-october-2024-update-patch-now
[5] https://www.tenable.com/blog/microsoft-october-2024-patch-tuesday-addresses-117-cves-cve-2024-43572-cve-2024-43573
[6] https://www.zerodayinitiative.com/blog/2024/10/8/the-october-2024-security-update-review
[7] https://thehackernews.com/2024/10/microsoft-issues-security-update-fixing.html
[8] https://krebsonsecurity.com/2024/10/patch-tuesday-october-2024-edition/
[9] https://www.helpnetsecurity.com/2024/10/08/cve-2024-43573-cve-2024-43572/
[10] https://www.infosecurity-magazine.com/news/microsoft-five-zerodays-patch/
[11] https://www.csoonline.com/article/3554938/microsoft-october-update-patches-two-zero-day-vulnerabilities-it-says-are-being-actively-exploited.html