Microsoft has released security updates to fix at least 117 security holes in Windows computers and other software, addressing two zero-day vulnerabilities that are already being actively exploited. This is not an isolated incident, as Adobe has plugged 52 security holes across its range of products, while Apple has addressed a bug in its new macOS 15 “Sequoia” update.
Zero-Day Flaws: A Growing Concern
One of the most concerning zero-day flaws, CVE-2024-43573, stems from a security weakness in MSHTML, the proprietary engine used by Microsoft’s Internet Explorer web browser. This is not the first time MSHTML has been exploited; in 2024 alone, there have been three identified instances of this vulnerability being used in the wild.
Nikolas Cemerikic, a cybersecurity engineer at Immersive Labs, explains that the vulnerability allows attackers to trick users into viewing malicious web content, which can appear legitimate due to Windows’ handling of certain web elements. “Once a user is deceived into interacting with this content (typically through phishing attacks), the attacker can potentially gain unauthorized access to sensitive information or manipulate web-based services,” Cemerikic noted.
Risk to Legacy Systems
Although Internet Explorer is being retired on many platforms, its underlying MSHTML technology remains active and vulnerable. This creates a risk for employees using these older systems as part of their everyday work, especially if they are accessing sensitive data or performing financial transactions online.
The more serious zero-day this month is CVE-2024-43572, a code execution bug in the Microsoft Management Console (MMC), a component of Windows that enables system administrators to configure and monitor the system. Satnam Narang, senior staff research engineer at Tenable, observes that the patch for CVE-2024-43572 arrived after researchers at Elastic Security Labs disclosed an attack technique called GrimResource, which leveraged an old cross-site scripting (XSS) vulnerability combined with a specially crafted Microsoft Saved Console (MSC) file to gain code execution privileges.
Microsoft’s Patch Cycle
In addition to addressing these zero-day vulnerabilities, Microsoft has also patched Office, Azure, .NET, OpenSSH for Windows, Power BI, Windows Hyper-V, Windows Mobile Broadband, and Visual Studio. The SANS Internet Storm Center provides a comprehensive list of all Microsoft patches released today, indexed by severity and exploitability.
The Importance of Backup
As with any major update, it’s essential to consider backing up important data before applying the patches. While zero-days can be a significant concern, there’s generally little harm in waiting a few days to apply any pending patches, as security updates often introduce stability or compatibility issues. If you encounter any glitches after installing patches, please leave a note in the comments; chances are someone else is stuck with the same issue and may have even found a solution.
A Word of Caution
As with any update cycle, it’s essential to stay informed about potential issues. AskWoody.com often provides detailed information on problematic patches, while vendors like CrowdStrike, SentinelOne, and Microsoft work tirelessly to address compatibility concerns. By staying vigilant and keeping your systems up-to-date, you can minimize the risk of falling victim to these security vulnerabilities.
