
Update now! Five zero-days fixed October Patch Tuesday

Microsoft’s October Patch Tuesday covers five zero-days, two of which are being actively exploited.

The Cybersecurity & Infrastructure Security Agency (CISA) has added two of the five zero-day vulnerabilities from Microsoft’s October Patch Tuesday to its Known Exploited Vulnerabilities catalog, based on evidence of active exploitation. The two actively exploited vulnerabilities are:

  • CVE-2024-43572 (CVSS score 7.8 out of 10): Microsoft Management Console Remote Code Execution (RCE) vulnerability. The security update blocks untrusted Microsoft Saved Console (MSC) files from being opened, which removes the lure a victim would have to open for exploitation to succeed.
  • CVE-2024-43573 (CVSS score 6.5 out of 10): Microsoft Windows MSHTML Platform Spoofing vulnerability. Although Internet Explorer 11 and Microsoft Edge Legacy are deprecated, the underlying MSHTML, EdgeHTML, and scripting platforms are still supported and still ship with Windows, so they remain reachable through applications that embed them. This latest vulnerability suggests that the September patch for CVE-2024-43461 may have been incomplete, as the MSHTML platform remains a target. The APT group known as Void Banshee has exploited MSHTML vulnerabilities using HTML Application (HTA) files disguised as PDFs, abusing Internet Explorer’s file download prompts to get the payload run.
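The lure described above, an HTA payload presented as a PDF, is cheap to triage for on a file share or mail gateway because a real PDF starts with the `%PDF-` magic and an HTA does not. The following is an added example written for this page (not from the article or from Microsoft) that flags files whose name claims `.pdf` but whose content looks like an HTA, and filenames that pad a decoy `.pdf` with whitespace so the real extension scrolls out of view. The sample files, the marker regexes and the padded-name pattern are constructed here for illustration.

```python
"""Triage check for HTA payloads masquerading as PDF documents.

Added example, not part of the original article. Sample files are
constructed inline in build_samples(); the marker patterns are assumptions
chosen for illustration, not a vendor signature set.
"""
import os
import re
import tempfile

PDF_MAGIC = b"%PDF-"
# Tags that betray HTML Application / HTML content in the first few KiB.
HTA_RE = re.compile(rb"<\s*(hta:application|script|html)\b", re.IGNORECASE)
# Decoy ".pdf" followed by a run of whitespace and the real extension,
# e.g. "invoice.pdf<many spaces>.hta" (pattern is an assumption).
PADDED_NAME_RE = re.compile(r"\.pdf\s{2,}\.(hta|url|lnk|js)$", re.IGNORECASE)


def padded_extension(name: str) -> bool:
    """True when a filename hides its real extension behind a padded .pdf."""
    return bool(PADDED_NAME_RE.search(name))


def classify(path: str) -> str:
    """Return one of: padded-extension, not-pdf-claim, pdf, hta-masquerade, unknown."""
    name = os.path.basename(path)
    if padded_extension(name):
        return "padded-extension"
    if not name.lower().endswith(".pdf"):
        return "not-pdf-claim"
    with open(path, "rb") as fh:
        head = fh.read(4096)          # magic and HTA markers sit at the top
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if HTA_RE.search(head):
        return "hta-masquerade"
    return "unknown"


def scan(directory: str):
    """Walk a directory and return sorted (filename, verdict) for suspicious files."""
    findings = []
    for root, _, files in os.walk(directory):
        for fname in files:
            verdict = classify(os.path.join(root, fname))
            if verdict not in ("pdf", "not-pdf-claim"):
                findings.append((fname, verdict))
    return sorted(findings)


def build_samples(directory: str) -> None:
    """Write constructed sample files: one real PDF, two lures, one unrelated file."""
    samples = {
        "quarterly.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
        "invoice.pdf": (b"<html><head><hta:application id=\"x\" windowstate=\"minimize\"/>\n"
                        b"<script>new ActiveXObject('WScript.Shell');</script></head></html>"),
        "report.pdf" + " " * 40 + ".hta": b"<html><script language=\"vbscript\">MsgBox 1</script></html>",
        "notes.txt": b"plain text, not a PDF claim at all",
    }
    for fname, data in samples.items():
        with open(os.path.join(directory, fname), "wb") as fh:
            fh.write(data)


def demo():
    """Build the samples in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for fname, verdict in demo():
        print(f"{verdict:18s} {fname!r}")
```

Only the first 4 KiB are read, so the check stays cheap on large shares; a file that is neither a PDF nor recognisably HTML comes back as `unknown` rather than being silently accepted, which is the right default for a triage queue.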

The three publicly disclosed zero-day vulnerabilities that were also addressed:

  • CVE-2024-6197 (CVSS score 8.8 out of 10): Open Source Curl RCE vulnerability (Windows ships curl, which is why an upstream curl bug appears in Patch Tuesday). When libcurl’s ASN.1 parser rejects an invalid UTF-8 string, a bug causes it to call free() on a small stack buffer; depending on how the allocator handles that pointer, nearby stack memory can be overwritten. A crash is the most likely outcome, but more severe consequences cannot be ruled out.
  • CVE-2024-20659 (CVSS score 7.1 out of 10): Windows Hyper-V security feature bypass vulnerability. On certain hardware, an attacker might bypass the Unified Extensible Firmware Interface (UEFI), potentially compromising the hypervisor and the secure kernel. Exploitation requires physical access to the device and a reboot, which makes this a more targeted attack.
  • CVE-2024-43583 (CVSS score 7.8 out of 10): Winlogon Elevation of Privilege (EoP) vulnerability. Successful exploitation grants SYSTEM privileges. IMEs facilitate text input in languages not easily supported by standard keyboards, and the exposure here is a third-party IME loaded during the sign-in process, so administrators need to ensure that a Microsoft first-party Input Method Editor (IME) is enabled on their devices in addition to installing the update.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are a few major ones that you may find in your environment.

Adobe released security updates for several products.

Android saw several high-severity patches in the October security bulletin.

Ivanti released security updates for three zero-days chained in active attacks.

Qualcomm fixed an actively exploited vulnerability in its October 2024 Security Bulletin.