In the monthly Patch Tuesday update, Microsoft fixes 117 vulnerabilities in various components. Five of these are previously undiscovered issues (‘zero days’), two of which are being actively exploited by hackers.
The October security update covers several products and services: from the Windows kernel to Office, including ActiveX, Bitlocker and many others. Five weak points are problems called ‘zero days’ in jargon, problems which have not been made public before and for which there was therefore no solution yet.
Microsoft notes that most vulnerabilities are unlikely to be abused. Seven of them received the status ‘more likely’ to be exploited by cybercriminals. Two of them are the subject of active abuse, according to the company. It is more precisely about CVE-2024-43572 (Microsoft Management Console) and CVE-2024-43573 (Windows MSHTML Platform).
Social engineering
In the first case, according to Microsoft, code can be executed remotely, although this deserves to be qualified. These are actions that must be carried out locally, but as this can be done through social engineering where a victim will download a specific file, this counts as ‘remote code execution’. Specifically, this involves unreliable (practically manipulated) Microsoft Saved Console (MSC) files being opened.
In the second case (Windows MSHTML), there is a risk of identity theft (‘spoofing’). Some inputs when generating a web page are incorrectly neutralized. What is unique is that it is an underlying component of Internet Explorer 11 and the Edge Legacy application. Two applications which have certainly not been supported for some time now, but whose underlying parts are still used, which means that they are finally still supported.
