October Patch Tuesday harvest hauls in 117 CVEs

Microsoft on Tuesday released 117 patches touching 15 product families. Three of the addressed issues, affecting Configuration Manager, Visual Studio, and Windows, are considered by Microsoft to be of Critical severity. At release time, two of the issues addressed are known to be under exploit in the wild, with eight additional CVEs more likely to be exploited in the next 30 days by the company’s estimation. Three of this month’s issues are amenable to detection by Sophos protections, and we include information on those in a table below.

In addition to these patches, the release includes advisory information on four Edge-related CVEs and one related to curl (affecting CBL Mariner and Windows), along with the usual servicing stack updates. We are as always including at the end of this post additional appendices listing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product family.

By the numbers

• Total CVEs: 117
• Publicly disclosed: 4
• Exploited detected: 2
• Severity
  • Critical: 3
  • Important: 110
  • Moderate: 3
  • Low: 1
• Impact
  • Remote Code Execution: 42
  • Elevation of Privilege: 28
  • Denial of Service: 26
  • Security Feature Bypass: 7
  • Spoofing: 7
  • Information Disclosure: 6
  • Tampering: 1
• CVSS base score 9.0 or greater: 2
• CVSS base score 8.0 or greater: 25

Figure 1: Denial of service issues make a remarkable showing in this month’s patch collection thanks in part to a large number of Windows Mobile broadband-driver patches; more on that in a moment

Products

• Windows: 93
• Visual Studio: 8
• 365 Apps: 5
• Office: 5
• .NET: 4
• Azure: 4
• .NET Framework: 2
• Excel: 2
• Power BI: 2
• Configuration Manager: 1
• DeepSpeed: 1
• Defender for Endpoint for Linux: 1
• Outlook for Android: 1
• SharePoint: 1
• Visual C++: 1

As is our custom for this list, CVEs that apply to more than one product family are counted once for each family they affect.

Figure 2: A few rarely seen product families make an appearance in this month’s chart, but Windows rules the roost

Notable October updates

In addition to the issues discussed above, a number of specific items merit attention.

CVE-2024-38124 – Windows Netlogon Elevation of Privilege Vulnerability
CVE-2024-43468 — Microsoft Configuration Manager Remote Code Execution Vulnerability

Both of this month’s CVEs with CVSS base scores of 9.0 or above come with mitigation advice. The Config Manager issue (CVE-2024-43468), the more severe of the two with a 9.8 CVSS, also has special instructions. For the Netlogon issue (CVE-2024-38124), the following mitigations are offered (text courtesy of Microsoft):

• Predictable Naming Conventions: Avoid using predictable naming conventions for domain controllers to prevent attackers from renaming their machines to match the next name to be assigned to a new domain controller.
• Secure Channel Validation: Ensure that the secure channel is validated against more than just the computer name of the machine it was delivered to. This can help prevent attackers from impersonating the domain controller by obtaining the handle and waiting for the appointment to happen.
• Monitor for Renaming Activities: Implement monitoring for any suspicious renaming activities of computers within the network. This can help with early detection and prevention of potential attacks.
• Enhanced Authentication Mechanisms: Consider using enhanced authentication mechanisms that go beyond the current validation methods to ensure the authenticity of the domain controller and the secure channel.

As for the Configuration Manager issue, there are extra steps required (text, again, courtesy of Microsoft):

Customers using a version of Configuration Manager specified in the Security Updates table of this CVE need to install an in-console update to be protected. Guidance for how to install Configuration Manager in-console updates is available here: Install in-console updates for Configuration Manager.

The mitigation guidance for the Configuration Manager issue also recommends that administrators specify an alternate service account, rather than the Computer account; more information is available here.

[15 CVEs] – Windows Mobile Broadband Driver DoS and RCE issues

None of these issues are as concerning as the Critical-severity CVE-2024-38161 mobile broadband driver issue patched back in July, but the sheer volume is remarkable, as is the fact that all of these require physical access (to plug in a USB drive) or proximity (sufficient for radio transmission).

CVE-2024-43485 — .NET and Visual Studio Denial of Service Vulnerability

This Important-severity Denial of Service issue casts its .net rather widely, affecting the platform not only on Windows but on Linux and macOS.

CVE-2024-43497 — DeepSpeed Remote Code Execution Vulnerability

It’s not common for a Low-severity issue to be named in the Patch Tuesday release, but this one’s interesting for another reason – it affects DeepSpeed, Microsoft’s speed-and-scale optimization booster for deep-learning training. (We believe this to be the first-ever Patch Tuesday bug affecting DeepSpeed, as well as the first Microsoft find credited to an AI-specific bug-bounty program.)

CVE-2024-43527 — Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-43571 — Sudo for Windows Spoofing Vulnerability

These two patches are less notable for what they are (though some observers may be startled to see talk of sudo in a Patch Tuesday post) than for what version of Windows they affect.  Both of these Important-severity patches affect only Windows 11 24H2, the OS version entering general release this week.

CVE-2024-43573 — Windows MSHTML Platform Spoofing Vulnerability

One of the two vulnerabilities known to be under active exploit in the wild, this Moderate-severity Spoofing issue gets into the Halloween spirit by invoking the ghost of Internet Explorer. Customers who receive Security Only updates are encouraged to apply the IE Cumulative updates to exorcise this vulnerability.

Figure 3: As we enter the last quarter of the year, Denial of Service issues are catapulted into third place on the leaderboard, while the DeepSpeed bug puts a Low-severity patch on the board for the first time in 2024

Sophos protections

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.

Appendix A: Vulnerability Impact and Severity

This is a list of October patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.

Remote Code Execution (42 CVEs)

Elevation of Privilege (28 CVEs)

Denial of Service (26 CVEs)

Security Feature Bypass (7 CVEs)

Spoofing (7 CVEs)

Information Disclosure (6 CVEs)

Tampering (1 CVE)

Appendix B: Exploitability

This is a list of the October CVEs judged by Microsoft to be either under exploitation in the wild or more likely to be exploited in the wild within the first 30 days post-release. The list is arranged by CVE.

Appendix C: Products Affected

This is a list of October’s patches sorted by product family, then sub-sorted by severity. Each list is further listed by CVE. Patches that are shared among multiple product families are listed multiple times, once for each product family.

Windows (93 CVEs)

Visual Studio (8 CVEs)

365 Apps (5 CVEs)

* Despite the name, the information for this CVE does not list any Visio-specific applicability

Office (5 CVEs)

* Despite the name, the information for this CVE does not list any Visio-specific applicability

.NET (4 CVEs)

Azure (4 CVEs)

.NET Framework (2 CVEs)

Excel (2 CVEs)

Power BI (2 CVEs)

Configuration Manager (1 CVE)

DeepSpeed (1 CVE)

Defender for Endpoint for Linux (1 CVE)

Outlook for Android (1 CVE)

SharePoint (1 CVE)

Visual C++ (1 CVE)

Appendix D: Advisories and Other Products

This is a list of advisories and information on other relevant CVEs in the October release.