Multiple Critical Vulnerabilities in Microsoft Products

Release Date: 09-10-2024 16:06:57

Multiple Critical Vulnerabilities in Microsoft Products

History:

09/10/2024 --- v1.0 -- Initial publication

Summary

On October 8, 2024, Microsoft addressed 118 vulnerabilities in its October 2024 Patch Tuesday update, including five zero-day vulnerabilities. This Patch Tuesday also fixes three critical vulnerabilities [1,2].

Technical Details

We highlight here the zero-day vulnerabilities, but it is highly recommended to deploy Microsoft patches for all 118 vulnerabilities identified.

The vulnerability CVE-2024-43573, with a CVSS score 6.5, could be a bypass of a previous vulnerability that abused MSHTML to spoof file extensions in alerts displayed when opening files [3].

The vulnerability CVE-2024-43572, with a CVSS score 7.8, is a vulnerability that could allow malicious Microsoft Saved Console (MSC) files to perform remote code execution on vulnerable devices.[4].

The vulnerability CVE-2024-6197, with a CVSS score 8.8, is a libcurl remote code execution flaw that could cause commands to be executed when Curl attempts to connect to a malicious server [5].

The vulnerability CVE-2024-20659, with a CVSS score 7.1, is a UEFI bypass that could allow attackers to compromise the hypervisor and kernel [6].

The vulnerability CVE-2024-43583, with a CVSS score 7.1, is an elevation of privileges flaw that could give attackers SYSTEM privileges in Windows [7].