Microsoft on Tuesday released 117 patches touching 15 product families. Three of the addressed issues, affecting Configuration Manager, Visual Studio, and Windows, are considered by Microsoft to be of Critical severity. At release time, two of the issues addressed are known to be under exploit in the wild, with eight additional CVEs more likely to be exploited in the next 30 days by the company's estimation. Three of this month's issues are amenable to detection by Sophos protections, and we include information on those in a table below.
In addition to these patches, the release includes advisory information on four Edge-related CVEs and one related to curl (affecting CBL Mariner and Windows), along with the usual servicing stack updates. We are as always including at the end of this post additional appendices listing all Microsoft's patches, sorted by severity, by predicted exploitability, and by product family.
Figure 1: Denial of service issues make a remarkable showing in this month's patch collection thanks in part to a large number of Windows Mobile broadband-driver patches; more on that in a moment
Products
As is our custom for this list, CVEs that apply to more than one product family are counted once for each family they affect.
Figure 2: A few rarely seen product families make an appearance in this month's chart, but Windows rules the roost
Notable October updates
In addition to the issues discussed above, a number of specific items merit attention.
CVE-2024-38124 -- Windows Netlogon Elevation of Privilege Vulnerability
CVE-2024-43468 -- Microsoft Configuration Manager Remote Code Execution Vulnerability
Both of this month's CVEs with CVSS base scores of 9.0 or above come with mitigation advice. The Config Manager issue (CVE-2024-43468), the more severe of the two with a 9.8 CVSS, also has special instructions. For the Netlogon issue (CVE-2024-38124), the following mitigations are offered (text courtesy of Microsoft):
As for the Configuration Manager issue, there are extra steps required (text, again, courtesy of Microsoft):
Customers using a version of Configuration Manager specified in the Security Updates table of this CVE need to install an in-console update to be protected. Guidance for how to install Configuration Manager in-console updates is available here: Install in-console updates for Configuration Manager.
The mitigation guidance for the Configuration Manager issue also recommends that administrators specify an alternate service account, rather than the Computer account; more information is available here.
[15 CVEs] - Windows Mobile Broadband Driver DoS and RCE issues
None of these issues are as concerning as the Critical-severity CVE-2024-38161 mobile broadband driver issue patched back in July, but the sheer volume is remarkable, as is the fact that all of these require physical access (to plug in a USB drive) or proximity (sufficient for radio transmission).
CVE-2024-43485 -- .NET and Visual Studio Denial of Service Vulnerability
This Important-severity Denial of Service issue casts its .net rather widely, affecting the platform not only on Windows but on Linux and macOS.
CVE-2024-43497 -- DeepSpeed Remote Code Execution Vulnerability
It's not common for a Low-severity issue to be named in the Patch Tuesday release, but this one's interesting for another reason - it affects DeepSpeed, Microsoft's speed-and-scale optimization booster for deep-learning training. (We believe this to be the first-ever Patch Tuesday bug affecting DeepSpeed, as well as the first Microsoft find credited to an AI-specific bug-bounty program.)
CVE-2024-43527 -- Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-43571 -- Sudo for Windows Spoofing Vulnerability
These two patches are less notable for what they are (though some observers may be startled to see talk of sudo in a Patch Tuesday post) than for what version of Windows they affect. Both of these Important-severity patches affect only Windows 11 24H2, the OS version entering general release this week.
CVE-2024-43573 -- Windows MSHTML Platform Spoofing Vulnerability
One of the two vulnerabilities known to be under active exploit in the wild, this Moderate-severity Spoofing issue gets into the Halloween spirit by invoking the ghost of Internet Explorer. Customers who receive Security Only updates are encouraged to apply the IE Cumulative updates to exorcise this vulnerability.
Figure 3: As we enter the last quarter of the year, Denial of Service issues are catapulted into third place on the leaderboard, while the DeepSpeed bug puts a Low-severity patch on the board for the first time in 2024
As every month, if you don't want to wait for your system to pull down Microsoft's updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you're running, then download the Cumulative Update package for your specific system's architecture and build number.
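As an added example (not part of the original Sophos post), this PowerShell snippet reads the same values winver.exe shows, reports the architecture needed to choose the right Cumulative Update, and flags a Windows 11 24H2 install, the only version affected by CVE-2024-43527 and CVE-2024-43571. The Update Catalog search-string format and the "Security Update" hotfix description filter are assumptions.

```powershell
# Added example, not from the Sophos post or Microsoft's guidance.
# Reads the version values that winver.exe displays from the registry.
$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

$displayVersion = $cv.DisplayVersion          # e.g. "23H2" or "24H2"
$build          = [int]$cv.CurrentBuild       # e.g. 22631 or 26100
$ubr            = [int]$cv.UBR                # Update Build Revision, the part after the dot
# Builds 22000 and above are Windows 11; anything lower here is Windows 10
$product        = if ($build -ge 22000) { 'Windows 11' } else { 'Windows 10' }
# Architecture string such as "64-bit" or "ARM 64-bit"
$arch           = (Get-CimInstance -ClassName Win32_OperatingSystem).OSArchitecture

[pscustomobject]@{
    Product        = $product
    DisplayVersion = $displayVersion
    OSBuild        = "$build.$ubr"            # matches winver's "OS Build" field
    Architecture   = $arch
    # Assumed search term for the Update Catalog; adjust to the catalog's naming
    CatalogSearch  = "2024-10 Cumulative Update for $product Version $displayVersion"
    # The two Important-severity kernel and sudo patches apply only to 24H2
    Is24H2         = ($product -eq 'Windows 11' -and $displayVersion -eq '24H2')
}

# Security updates installed in the last 30 days: compare the KB numbers with
# the one Microsoft lists for your build in the October release notes.
Get-HotFix |
    Where-Object { $_.Description -eq 'Security Update' -and
                   $_.InstalledOn -gt (Get-Date).AddDays(-30) } |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, InstalledOn
```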
Appendix A: Vulnerability Impact and Severity
This is a list of October patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.
This is a list of the October CVEs judged by Microsoft to be either under exploitation in the wild or more likely to be exploited in the wild within the first 30 days post-release. The list is arranged by CVE.
This is a list of October's patches sorted by product family, then sub-sorted by severity. Each list is further listed by CVE. Patches that are shared among multiple product families are listed multiple times, once for each product family.
* Despite the name, the information for this CVE does not list any Visio-specific applicability
Office (5 CVEs)
* Despite the name, the information for this CVE does not list any Visio-specific applicability
This is a list of advisories and information on other relevant CVEs in the October release.