The drama of Patch Tuesday often revolves around zero days, and October’s haul of 117 vulnerabilities brings patch managers a total of five that have been publicly disclosed.
Of those, Microsoft said that two are being actively exploited. The first is CVE-2024-43573, intriguingly a spoofing flaw in the Windows MSHTML component.
If this doesn’t ring any bells, MSHTML is the old Internet Explorer HTML, CSS and JavaScript rendering engine maintained within Windows to allow backwards compatibility with the long tail of websites still optimized for IE and for legacy versions of the pre-Chromium Edge browser.
The last version of IE, version 11, vanished for good from desktops more than two years ago and yet here we have a forgotten fragment that continues to cause trouble.
As Microsoft puts it in the advisory: “While Microsoft has announced retirement of the Internet Explorer 11 application on certain platforms and the Microsoft Edge Legacy application is deprecated, the underlying MSHTML, EdgeHTML, and scripting platforms are still supported.”
Although rated as “moderate” severity with a Common Vulnerability Scoring System (CVSS) score of 6.5, CVE-2024-43573 is publicly disclosed and therefore a threat to Windows users as well as to Microsoft 365 and Microsoft Office.
Microsoft offers little detail on the flaw but its “spoofing” is interesting. That suggests this is yet another example of attackers finding a way to hide a malicious file behind an innocent-looking file extension the user is tricked into clicking.
It’s also, notably, the fourth time MSHTML has been exploited in a handful of months, with previous examples being CVE-2024-30040, CVE-2024-38112, and CVE-2024-43461.
“Exploitation detected”
The second exploited zero day, CVE-2024-43572, is arguably the most serious. Rated as “important” and with a CVSS score of 7.8, this is a remote code execution (RCE) vulnerability in Microsoft Management Console (MMC). Exploiting this flaw would involve tricking a user into opening a malicious Microsoft Saved Console (MSC) file.
This is the second such significant vulnerability in MMC in consecutive months, following September’s CVE-2024-38259. Microsoft’s solution for October’s update: stop users from opening untrusted MSC files:
“The security update will prevent untrusted Microsoft Saved Console (MSC) files from being opened to protect customers against the risks associated with this vulnerability.”
Remaining zero days
The other three zero days, which Microsoft doesn’t believe are being exploited, are CVE-2024-6197, CVE-2024-20659, and CVE-2024-43583. Of those, CVE-2024-6197 and CVE-2024-43583 are probably the two to watch: the first an RCE in the non-Microsoft but widely installed Curl command line tool, the second an elevation of privilege flaw that an attacker could use to gain system privileges.
The final one, CVE-2024-20659, is a curious issue that might allow an attacker to target a VM hypervisor.
“On some specific hardware it might be possible to bypass the UEFI [firmware], which could lead to the compromise of the hypervisor and the secure kernel,” said Microsoft.
If a zero day isn’t being exploited, does it really count? What matters to Microsoft — and to system admins — is that it’s been disclosed before a patch is available. That public status significantly raises the risk of a future exploit appearing should cybercriminals work out how to exploit it.
Big numbers
The other way to judge the severity of a vulnerability is to look at its CVSS score. On that measure, several other flaws stand out, principally CVE-2024-43468, an RCE in Microsoft Configuration Manager with a “critical” CVSS score of 9.8, and CVE-2024-43488, an issue in the Arduino extension for Visual Studio which Microsoft has already mitigated.
However, one that every security manager will jump on is CVE-2024-43582, a critical RCE vulnerability with an 8.1 CVSS score in the Remote Desktop Protocol (RDP) server, an interface that ransomware attackers in particular love to target.
In total, eight vulnerabilities were tagged “exploitation more likely,” Microsoft’s way of signalling that an exploit is likely within weeks. As ever, getting ahead of these is about applying this week’s patches and mitigations.