Microsoft patches two zero-days exploited in the wild (CVE-2024-43573, CVE-2024-43572)
For October 2024 Patch Tuesday, Microsoft has released fixes for 117 security vulnerabilities, including two under active exploitation: CVE-2024-43573, a spoofing bug affecting the Windows MSHTML Platform, and CVE-2024-43572, a remote code execution flaw in the Microsoft Management Console (MMC).
About CVE-2024-43573 and CVE-2024-43572
As far as can be deduced from the accompanying advisory, CVE-2024-43573 is similar to CVE-2024-38112, a vulnerability in MSHTML, the browser engine of the now-deprecated Internet Explorer, which was exploited as a zero-day by the Void Banshee APT and patched by Microsoft in July 2024.
It was later revealed that Void Banshee used a second Windows MSHTML flaw in those same attacks.
“There’s no word from Microsoft on whether it’s the same group, but considering there is no acknowledgment here, it makes me think the original patch was insufficient,” says Dustin Childs, head of threat awareness at Trend Micro Inc.’s Zero Day Initiative, who advises testing and deploying the update for CVE-2024-43573 quickly.
According to Satnam Narang, senior staff research engineer at Tenable, CVE-2024-43573 highlights a valuable attack path currently being leveraged by threat actors. “User interaction is required to exploit all of these MSHTML flaws, which typically utilizes some type of social engineering.”
CVE-2024-43572 – the RCE flaw in the Microsoft Management Console – can be triggered by a user loading a malicious MMC snap-in file.
“Microsoft doesn’t say how widespread these attacks are, but considering the amount of social engineering required to exploit this bug, I would think attacks would be limited at this point,” Childs pointed out. Implementing the security update provided by Microsoft will prevent untrusted Microsoft Saved Console (MSC) files from being opened.
“While we don’t have any specific details about the in-the-wild exploitation of CVE-2024-43572, this patch arrived a few months after researchers disclosed an attack technique called GrimResource that leveraged an old cross-site scripting (XSS) vulnerability combined with a specially crafted MSC file to gain code execution privileges,” Narang told Help Net Security.
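Because both the CVE-2024-43572 trigger and the earlier GrimResource technique rely on a user opening a crafted Microsoft Saved Console (.msc) file, defenders may want to triage MSC files already present on endpoints or mail gateways while the patch is rolled out. MSC files are XML documents, and a legitimate console definition has no reason to carry HTML or script markup in its string tables. The scanner below is an added example written for this article, not code from Microsoft or from the GrimResource researchers; the sample MSC documents are constructed, the `MMC_ConsoleFile`/`StringTable` layout reflects the common on-disk format, and the list of markers is an assumed starting point rather than an exhaustive signature set. The patch remains the actual fix; this only helps find files worth a closer look.

```python
"""Flag Microsoft Saved Console (.msc) files that embed HTML/script content.

Added example for hunting suspicious MSC files on disk. It walks every
element, attribute and text node of the XML document and reports any
value that looks like embedded HTML or script, which a benign console
definition does not need. Patterns are an assumed starting list.
"""
import re
import xml.etree.ElementTree as ET

# Assumed indicators of embedded HTML/script inside a console file.
SUSPICIOUS_PATTERNS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),
    re.compile(r"<\s*iframe\b", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
    re.compile(r"\bres://", re.IGNORECASE),
]


def scan_msc_text(xml_text):
    """Return a list of (element_tag, pattern, snippet) findings.

    A malformed document is itself reported as a finding, since a file
    that MMC would refuse to open is still worth a look.
    """
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("<parse-error>", "malformed XML", str(exc))]

    for elem in root.iter():
        # Text, tail and every attribute value are all places a string can hide.
        values = [elem.text or "", elem.tail or ""] + list(elem.attrib.values())
        for value in values:
            for pat in SUSPICIOUS_PATTERNS:
                match = pat.search(value)
                if match:
                    start = max(0, match.start() - 20)
                    snippet = value[start:match.end() + 40].strip()
                    findings.append((elem.tag, pat.pattern, snippet))
    return findings


def is_suspicious(xml_text):
    """True when any marker is found (or the file is not well-formed XML)."""
    return bool(scan_msc_text(xml_text))


def scan_msc_file(path):
    """Scan a file on disk; bytes are passed through so the XML
    declaration's own encoding (UTF-8 or UTF-16) is honoured."""
    with open(path, "rb") as fh:
        return scan_msc_text(fh.read())


# Constructed sample: a minimal benign console definition.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1">Console Root</String>
        <String ID="2">Event Viewer (Local)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Constructed sample: the same layout with script markup in a string table
# entry (entities are how such markup appears inside valid XML).
SUSPICIOUS_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1">Console Root</String>
        <String ID="2">&lt;script&gt;document.title&lt;/script&gt;</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_MSC), ("suspicious", SUSPICIOUS_MSC)):
        hits = scan_msc_text(doc)
        print(f"{name}: {'FLAG' if hits else 'clean'}")
        for tag, pattern, snippet in hits:
            print(f"  <{tag}> matched {pattern!r}: {snippet}")
```

Run it against a directory of collected `.msc` files via `scan_msc_file` and review anything flagged; a hit is a reason for analysis, not proof of exploitation, and a clean result does not imply the file is safe, since the pattern list is deliberately short.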
Other vulnerabilities of note
Microsoft has also released patches for three publicly known (but not actively exploited) vulnerabilities in curl, Windows Hyper-V, and WinLogon, of which the last one is more likely to be exploited (for gaining SYSTEM privileges on compromised systems).
Childs has also singled out two vulnerabilities that can be triggered remotely by sending a specially crafted request or a malformed packet: the former is CVE-2024-43468, a flaw in Microsoft Configuration Manager, and the latter CVE-2024-43582, in Remote Desktop Protocol (RDP) Server. Both could allow remote code execution.
CVE-2024-43488, a critical RCE in the Visual Studio Code extension for Arduino, will not be fixed as the extension has been deprecated.
“Microsoft recommends that customers use Arduino IDE software,” the company says. But Will Bradle, a security consultant at NetSPI, told Help Net Security that although the vulnerable extension is no longer available on the VS Code Marketplace, it can still be installed via GitHub, and existing installations remain vulnerable to unauthenticated RCE.