October Patch Tuesday harvest hauls in 117 CVEs – Sophos Information

Microsoft on Tuesday launched 117 patches touching 15 product households. Three of the addressed points, affecting Configuration Supervisor, Visible Studio, and Home windows, are thought-about by Microsoft to be of Crucial severity. At launch time, two of the problems addressed are identified to be beneath exploit within the wild, with eight further CVEs extra more likely to be exploited within the subsequent 30 days by the corporate’s estimation. Three of this month’s points are amenable to detection by Sophos protections, and we embody info on these in a desk beneath.

Along with these patches, the discharge contains advisory info on 4 Edge-related CVEs and one associated to twist (affecting CBL Mariner and Home windows), together with the standard servicing stack updates. We’re as at all times together with on the finish of this put up further appendices itemizing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product household.

By the numbers

• Whole CVEs: 117
• Publicly disclosed: 4
• Exploited detected: 2
• Severity
  • Crucial: 3
  • Necessary: 110
  • Average: 3
  • Low: 1
• Impression
  • Distant Code Execution: 42
  • Elevation of Privilege: 28
  • Denial of Service: 26
  • Safety Characteristic Bypass: 7
  • Spoofing: 7
  • Data Disclosure: 6
  • Tampering: 1
• CVSS base rating 9.0 or better: 2
• CVSS base rating 8.0 or better: 25

Determine 1: Denial of service points make a outstanding exhibiting on this month’s patch assortment thanks partly to a lot of Home windows Cellular broadband-driver patches; extra on that in a second

Merchandise

• Home windows: 93
• Visible Studio: 8
• 365 Apps: 5
• Workplace: 5
• .NET: 4
• Azure: 4
• .NET Framework: 2
• Excel: 2
• Energy BI: 2
• Configuration Supervisor: 1
• DeepSpeed: 1
• Defender for Endpoint for Linux: 1
• Outlook for Android: 1
• SharePoint: 1
• Visible C++: 1

As is our customized for this listing, CVEs that apply to a couple of product household are counted as soon as for every household they have an effect on.

Determine 2: Just a few not often seen product households make an look on this month’s chart, however Home windows guidelines the roost

Notable October updates

Along with the problems mentioned above, plenty of particular gadgets benefit consideration.

CVE-2024-38124 – Home windows Netlogon Elevation of Privilege Vulnerability
CVE-2024-43468 — Microsoft Configuration Supervisor Distant Code Execution Vulnerability

Each of this month’s CVEs with CVSS base scores of 9.0 or above include mitigation recommendation. The Config Supervisor subject (CVE-2024-43468), the extra extreme of the 2 with a 9.8 CVSS, additionally has particular directions. For the Netlogon subject (CVE-2024-38124), the next mitigations are supplied (textual content courtesy of Microsoft):

• Predictable Naming Conventions: Keep away from utilizing predictable naming conventions for area controllers to forestall attackers from renaming their machines to match the subsequent title to be assigned to a brand new area controller.
• Safe Channel Validation: Make sure that the safe channel is validated towards extra than simply the pc title of the machine it was delivered to. This will help forestall attackers from impersonating the area controller by acquiring the deal with and ready for the appointment to occur.
• Monitor for Renaming Actions: Implement monitoring for any suspicious renaming actions of computer systems throughout the community. This will help with early detection and prevention of potential assaults.
• Enhanced Authentication Mechanisms: Think about using enhanced authentication mechanisms that transcend the present validation strategies to make sure the authenticity of the area controller and the safe channel.

As for the Configuration Supervisor subject, there are additional steps required (textual content, once more, courtesy of Microsoft):

Clients utilizing a model of Configuration Supervisor specified within the Safety Updates desk of this CVE want to put in an in-console replace to be protected. Steerage for easy methods to set up Configuration Supervisor in-console updates is obtainable right here: Set up in-console updates for Configuration Supervisor.

The mitigation steerage for the Configuration Supervisor subject additionally recommends that directors specify an alternate service account, reasonably than the Laptop account; extra info is obtainable right here.

[15 CVEs] – Home windows Cellular Broadband Driver DoS and RCE points

None of those points are as regarding because the Crucial-severity CVE-2024-38161 cell broadband driver subject patched again in July, however the sheer quantity is outstanding, as is the truth that all of those require bodily entry (to plug in a USB drive) or proximity (enough for radio transmission).

CVE-2024-43485 — .NET and Visible Studio Denial of Service Vulnerability

This Necessary-severity Denial of Service subject casts its .web reasonably extensively, affecting the platform not solely on Home windows however on Linux and macOS.

CVE-2024-43497 — DeepSpeed Distant Code Execution Vulnerability

It’s not widespread for a Low-severity subject to be named within the Patch Tuesday launch, however this one’s attention-grabbing for one more cause – it impacts DeepSpeed, Microsoft’s speed-and-scale optimization booster for deep-learning coaching. (We imagine this to be the first-ever Patch Tuesday bug affecting DeepSpeed, in addition to the primary Microsoft discover credited to an AI-specific bug-bounty program.)

CVE-2024-43527 — Home windows Kernel Elevation of Privilege Vulnerability
CVE-2024-43571 — Sudo for Home windows Spoofing Vulnerability

These two patches are much less notable for what they’re (although some observers could also be startled to see speak of sudo in a Patch Tuesday put up) than for what model of Home windows they have an effect on.  Each of those Necessary-severity patches have an effect on solely Home windows 11 24H2, the OS model getting into common launch this week.

CVE-2024-43573 — Home windows MSHTML Platform Spoofing Vulnerability

One of many two vulnerabilities identified to be beneath energetic exploit within the wild, this Average-severity Spoofing subject will get into the Halloween spirit by invoking the ghost of Web Explorer. Clients who obtain Safety Solely updates are inspired to use the IE Cumulative updates to exorcise this vulnerability.

Determine 3: As we enter the final quarter of the yr, Denial of Service points are catapulted into third place on the leaderboard, whereas the DeepSpeed bug places a Low-severity patch on the board for the primary time in 2024

Sophos protections

As you may each month, if you happen to don’t need to wait to your system to drag down Microsoft’s updates itself, you may obtain them manually from the Home windows Replace Catalog web site. Run the winver.exe instrument to find out which construct of Home windows 10 or 11 you’re operating, then obtain the Cumulative Replace package deal to your particular system’s structure and construct quantity.

Appendix A: Vulnerability Impression and Severity

It is a listing of October patches sorted by affect, then sub-sorted by severity. Every listing is additional organized by CVE.

Distant Code Execution (42 CVEs)

Elevation of Privilege (28 CVEs)

Denial of Service (26 CVEs)

Safety Characteristic Bypass (7 CVEs)

Spoofing (7 CVEs)

Data Disclosure (6 CVEs)

Tampering (1 CVE)

Appendix B: Exploitability

It is a listing of the October CVEs judged by Microsoft to be both beneath exploitation within the wild or extra more likely to be exploited within the wild throughout the first 30 days post-release. The listing is organized by CVE.

Appendix C: Merchandise Affected

It is a listing of October’s patches sorted by product household, then sub-sorted by severity. Every listing is additional listed by CVE. Patches which might be shared amongst a number of product households are listed a number of occasions, as soon as for every product household.

Home windows (93 CVEs)

Visible Studio (8 CVEs)

365 Apps (5 CVEs)

* Regardless of the title, the data for this CVE doesn’t listing any Visio-specific applicability

Workplace (5 CVEs)

* Regardless of the title, the data for this CVE doesn’t listing any Visio-specific applicability

.NET (4 CVEs)

Azure (4 CVEs)

.NET Framework (2 CVEs)

Excel (2 CVEs)

Energy BI (2 CVEs)

Configuration Supervisor (1 CVE)

DeepSpeed (1 CVE)

Defender for Endpoint for Linux (1 CVE)

Outlook for Android (1 CVE)

SharePoint (1 CVE)

Visible C++ (1 CVE)

Appendix D: Advisories and Different Merchandise

It is a listing of advisories and knowledge on different related CVEs within the October launch.