Microsoft Patchday: Two zero-day vulnerabilities are already under attack
For the October Patchday, Microsoft's developers are also closing two security holes that are already being exploited in the wild.
Updates are available.
(Image: created with AI in Bing Designer by heise online / dmk)
Microsoft has released fixes for 117 CVE entries for the October Patchday. Two of the vulnerabilities are already being attacked in the wild; Microsoft summarizes this as "Exploitation detected". The Microsoft Management Console and the Windows MSHTML platform are affected.
The release notes for Microsoft's October Patchday list all the security vulnerabilities the company has addressed. Once again, products from every area are affected, from local Windows installations to Azure cloud software.
Vulnerabilities that have already been abused
Attackers can inject and execute malicious code via the Microsoft Management Console. From Microsoft's description of what the update changes, it can be inferred that manipulated "untrusted Microsoft Saved Console (MSC) files" trigger the flaw; after the update, such files can no longer be loaded (CVE-2024-43572, CVSS 7.8, risk "high"). In the Windows MSHTML platform, attackers have been abusing a cross-site-scripting weakness to spoof displayed content (CVE-2024-43573, CVSS 6.5, "medium"). In its security advisories Microsoft neither describes how attacks can be detected nor mentions any temporary countermeasures.
Microsoft has also rated several vulnerabilities as critical: a remote code execution vulnerability in Microsoft Configuration Manager (CVE-2024-43468, CVSS 9.8, "critical") and a privilege escalation vulnerability in Windows Netlogon (CVE-2024-38124, CVSS 9.0, "critical"). Around a dozen further entries fall just short of the highest risk level with a CVSS rating of 8.8.
IT managers should go through the CVE list and promptly download and install the available updates for the products in use in their organization.
The update for Windows 11 24H2 (KB5044284) raises the operating system to build 26100.2033. Microsoft highlights in particular a fix for a bug in the Remote Desktop Gateway service, which could stop responding after being used via RPC calls over HTTP when clients disconnected. Microsoft also reminds users that these are the last security updates for Windows 11 21H2 Education and Enterprise as well as for Windows 11 22H2 Home and Pro. Anyone still running these Windows builds should move promptly to a supported version such as Windows 11 24H2.
In September, too, Microsoft's Patchday closed vulnerabilities that were already under attack: a total of four flaws in Publisher and Windows that criminals had previously exploited.
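The following PowerShell snippet is an added example, not part of the heise article or of any Microsoft tooling. It checks whether a Windows 11 host has reached the build named above (26100.2033 for 24H2 via KB5044284) and flags the version/edition combinations that the article says receive no further security updates. The build-to-version mapping for 21H2, 22H2 and 23H2 and the registry keys it reads are assumptions of this example; the KB number and target build are those given in the text.

```powershell
# Added example (not from the article): verify the October 2024 patch state on Windows 11.
# Assumption: run with ordinary user rights on Windows 11; no network access is needed.
$Kb            = 'KB5044284'   # cumulative update named in the article (24H2 only)
$ExpectedBuild = 26100         # Windows 11 24H2
$ExpectedUbr   = 2033          # 26100.2033 after KB5044284

# Assumed mapping of major build number to marketing version (not stated on the page).
$Versions = @{ 22000 = '21H2'; 22621 = '22H2'; 22631 = '23H2'; 26100 = '24H2' }

$cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build   = [int]$cv.CurrentBuildNumber
$ubr     = [int]$cv.UBR
$edition = [string]$cv.EditionID    # e.g. Core (Home), Professional, Enterprise, Education
$version = if ($Versions.ContainsKey($build)) { $Versions[$build] } else { "unknown ($build)" }

Write-Output "Host: Windows 11 $version, edition $edition, build $build.$ubr"

# Editions that the article says received their last security updates this month.
$endOfService =
    ($version -eq '21H2' -and $edition -in @('Enterprise', 'Education')) -or
    ($version -eq '22H2' -and $edition -in @('Core', 'Professional'))

if ($endOfService) {
    Write-Warning "Windows 11 $version $edition receives no security updates after October 2024; upgrade to a supported version."
}

# Build-number check: the UBR (update build revision) tells whether the cumulative update is in.
if ($build -eq $ExpectedBuild) {
    if ($ubr -ge $ExpectedUbr) {
        Write-Output "OK: build $build.$ubr includes $Kb (>= $ExpectedBuild.$ExpectedUbr)."
    } else {
        Write-Warning "MISSING: build $build.$ubr is older than $ExpectedBuild.$ExpectedUbr; install $Kb."
    }
} else {
    Write-Output "Not 24H2: compare $build.$ubr against the October release notes for $version."
}

# Cross-check via the hotfix list. Get-HotFix only sees updates registered as hotfixes,
# so a missing entry is a hint to look closer, not proof that the update is absent.
$hf = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
if ($hf) {
    Write-Output "Get-HotFix: $Kb installed on $($hf.InstalledOn)"
} else {
    Write-Output "Get-HotFix: $Kb not listed; rely on the build number above."
}
```

Run it from an ordinary PowerShell session; for fleet-wide checks, the build and UBR values are the ones worth collecting, since they remain meaningful on versions other than 24H2 once the matching KB and build from the release notes are substituted.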
(dmk)