October Patch Tuesday Summary

October is Cybersecurity Awareness Month! What better way to stay cyber-aware than to read up on the latest security updates hitting the market. Microsoft released updates for Windows, Office, .Net and several Azure services resolving a total of 117 new CVEs. There are two Zero-Day Exploits both of which have also been publicly disclosed. In addition, there are three more CVEs that have been publicly disclosed, but no reports of exploitation.

Four additional third-party CVEs were reported as resolved in Microsoft’s release this month. These include three Chromium CVEs resolved in the latest Edge browser update and a CVE in Windows cURL Implementation. In addition, Zoom released an update resolving two vulnerabilities.

Microsoft Summary

Microsoft resolved 117 new CVEs this month, three of which are rated Critical by Microsoft. This month’s lineup has two Zero-Day exploits that have also been publicly disclosed putting them at risk of more widespread exploitation. Both of the zero-day vulnerabilities are resolved by this month’s Windows OS update making that your top priority to reduce risk quickly.

Microsoft zero-day vulnerabilities

Microsoft has resolved a Remote Code Execution vulnerability in Microsoft Management Console (CVE-2024-43572). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8. The vulnerability has been publicly disclosed and there are confirmed exploits of this vulnerability in the wild. The CVE affects all versions of Windows including the newly released Windows 11 24H2. Due to the confirmed exploitation, this vulnerability should be treated as a high priority this month.

Microsoft has resolved a Spoofing vulnerability in MSHTML (CVE-2024-43573). The vulnerability is rated Moderate by Microsoft and has a CVSS v3.1 score of 6.5. The vulnerability has been publicly disclosed and there are confirmed exploits of this vulnerability in the wild. The CVE affects all versions of Windows including the newly released Windows 11 24H2. Due to the confirmed exploitation, this vulnerability should be treated as a high priority this month.

Ivanti Security Advisories

Ivanti has released five security updates for October Patch Tuesday resolving eleven CVEs. Products affected include Ivanti Connect Secure\Policy Secure, Ivanti Avalanche, Ivanti Velocity License Server, Ivanti EPMM, and Ivanti CSA.

Ivanti is aware of a limited number of customers running CSA v4.6 being exploited. Updating to CSA 4.6 519 will address CVE-2024-8963, but Ivanti is guiding customers to upgrade to CSA 5.0.

Details on these releases can be found in Ivanti’s October Security Update blog.

Third-party Security Advisories

Zoom has released an update this month resolving two CVEs affecting Zoom Workplace App, Zoom Rooms App, and Zoom Meeting SDK. Both are information disclosure vulnerabilities and are rated Medium with CVSS Scores of 4.9.

October Priorities

  • Windows OS updates are the highest priority this month. Both zero-day exploits are resolved by the OS update.