Edit (09th Oct, 2024): The total number of vulnerabilities fixed in this Patch Tuesday is 117.
Welcome to the Patch Tuesday update for October 2024, which lists fixes for 117 vulnerabilities. This month, there are five zero-day vulnerabilities, of which two are being actively exploited, while all five have been publicly disclosed.
After an initial discussion about this month’s updates, we’ll offer our advice for devising a plan to handle patch management in a hybrid work environment. You can also register for our free Patch Tuesday webinar and listen to our experts break down Patch Tuesday updates in detail.
What is Patch Tuesday?
Patch Tuesday falls on the second Tuesday of every month. On this day, Microsoft releases security and non-security updates for its operating system and other related applications. Since Microsoft has upheld this process of releasing updates in a periodic manner, IT admins expect these updates and have time to gear up for them.
Why is Patch Tuesday important?
Important security updates and patches to fix critical bugs or vulnerabilities are released on Patch Tuesday. Usually, zero-day vulnerabilities are also fixed during Patch Tuesday unless the vulnerability is critical and highly exploited, in which case an out-of-band security update is released to address that particular vulnerability.
October 2024 Patch Tuesday
Security updates lineup
Here is a breakdown of the vulnerabilities fixed this month:
CVE IDs: 117
Republished CVE IDs: 4 (more details on this below)
Security updates were released for the following products, features, and roles:
-
Role: Windows Hyper-V
-
Windows Hyper-V
-
Windows EFI Partition
-
Windows Kernel
-
OpenSSH for Windows
-
Azure Monitor
-
Windows Netlogon
-
Windows Kerberos
-
BranchCache
-
Azure Stack
-
Windows Routing and Remote Access Service (RRAS)
-
.NET and Visual Studio
-
Windows Remote Desktop Licensing Service
-
Windows Remote Desktop Services
-
Microsoft Configuration Manager
-
Service Fabric
-
Power BI
-
.NET, .NET Framework, Visual Studio
-
Visual Studio Code
-
DeepSpeed
-
Windows Resilient File System (ReFS)
-
Windows Common Log File System Driver
-
Microsoft Office SharePoint
-
Microsoft Office Excel
-
Microsoft Office Visio
-
Microsoft Graphics Component
-
Windows Standards-Based Storage Management Service
-
Windows BitLocker
-
Windows NTFS
-
Internet Small Computer Systems Interface (iSCSI)
-
Windows Secure Kernel Mode
-
Microsoft ActiveX
-
Windows Telephony Server
-
Microsoft WDAC OLE DB provider for SQL
-
Windows Local Security Authority (LSA)
-
Windows Mobile Broadband
-
Windows Print Spooler Components
-
RPC Endpoint Mapper Service
-
Remote Desktop Client
-
Windows Kernel-Mode Drivers
-
Microsoft Simple Certificate Enrollment Protocol
-
Windows Online Certificate Status Protocol (OCSP)
-
Windows Cryptographic Services
-
Windows Secure Channel
-
Windows Storage
-
Windows Shell
-
Windows NT OS Kernel
-
Windows Storage Port Driver
-
Windows Network Address Translation (NAT)
-
Windows Ancillary Function Driver for WinSock
-
Sudo for Windows
-
Microsoft Management Console
-
Windows MSHTML Platform
-
Microsoft Windows Speech
-
Microsoft Office
-
Windows Remote Desktop
-
Winlogon
-
Windows Scripting
-
Code Integrity Guard
-
Visual C++ Redistributable Installer
-
Azure CLI
-
Visual Studio
-
Outlook for Android
-
Microsoft Defender for Endpoint
Learn more in the MSRC’s release notes.
Details of the zero-day vulnerabilities
Vulnerable component: Microsoft Management Console
Impact: Remote code execution
CVSS 3.1: 7.8
The score of this vulnerability indicates that it can be exploited locally and requires user intervention. This implies that the attack can be carried out by social engineering attacks and the threat actor can exploit it remotely as well.
Microsoft states, “The security update will prevent untrusted Microsoft Saved Console (MSC) files from being opened to protect customers against the risks associated with this vulnerability.”
This vulnerability has been publicly disclosed and is being actively exploited.
Vulnerable component: Windows MSHTML Platform
Impact: Spoofing
CVSS 3.1: 6.5
As per Microsoft, while Internet Explorer 11 and the old version of Edge have been phased out, certain underlying technologies like MSHTML and EdgeHTML are still used by older applications, including Internet Explorer mode in the new Microsoft Edge. These technologies are crucial for running legacy apps, and they require ongoing updates to stay secure.
For users of Windows Server 2008, 2008 R2, and 2012, specific updates related to newer platforms may not apply. However, Microsoft recommends users who install the Security Only updates to install the IE Cumulative updates for this vulnerability.
This vulnerability has been publicly disclosed and is being actively exploited.
Vulnerable component: Windows Hyper-V
Impact: Security feature bypass
CVSS 3.1: 7.1
For this vulnerability to be exploited successfully, the attacker first needs to gain access to the restricted network and then make the user boot their system.
The MSRC states, “This Hypervisor vulnerability relates to Virtual Machines within a Unified Extensible Firmware Interface (UEFI) host machine. On some specific hardware it might be possible to bypass the UEFI, which could lead to the compromise of the hypervisor and the secure kernel.”
This vulnerability has been publicly disclosed.
Vulnerable component: Winlogon (Windows Logon)
Impact: Elevation of privilege
CVSS 3.1: 7.8
Microsoft states, “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.” It is recommended to enable a Microsoft third-party IME on the devices to address this vulnerability. Learn how to enable a Microsoft third-party IME.
This vulnerability has been publicly disclosed.
Vulnerable component: Open Source Curl
Impact: Remote code execution
CVSS 3.1: 8.8
Microsoft states that this attack requires a client to connect to a malicious server, which could allow the attacker to gain code execution privileges on the client. To learn more about the vulnerability, you can refer to the official advisory by Curl.
This vulnerability has been publicly disclosed.
Third-party updates released after last month’s Patch Tuesday
Some third-party vendors such as Fortinet, Cisco, Qualcomm, and Ivanti have also released updates this October.
Republished CVE IDs
Besides the vulnerabilities fixed in this month’s Patch Tuesday, Microsoft has also republished four CVE IDs. These are as follows:
Best practices to handle patch management in a hybrid work environment
Most organizations have opted to embrace remote work even after they have been cleared to return to the office. This decision poses various challenges to IT admins, especially in terms of managing and securing distributed endpoints.
Here are a few pointers to simplify the process of remote patching:
- Disable automatic updates because one faulty patch could bring down the whole system. IT admins can educate end users on how to disable automatic updates on their machines. Patch Manager Plus and Endpoint Central also have a dedicated patch, 105427, that can be deployed to endpoints to ensure that automatic updates are disabled.
- Create a restore point—a backup or image that captures the state of the machines—before deploying big updates like those from Patch Tuesday.
- Establish a patching schedule and keep end users informed about it. It is recommended to set up a time for deploying patches and rebooting systems. Let end users know what needs to be done on their end for trouble-free patching.
- Test the patches on a pilot group of systems before deploying them to the production environment. This will ensure that the patches do not interfere with the workings of other applications.
- Since many users are working from home, they all might be working different hours; in this case, you can allow end users to skip deployment and scheduled reboots. This will give them the liberty to install updates at their convenience and avoid disrupting their work. Our patch management products come with options for user-defined deployment and reboot.
- Most organizations are deploying patches using a VPN. To stop patch tasks from eating up your VPN bandwidth, install Critical patches and security updates first. You might want to hold off on deploying feature packs and cumulative updates since they are bulky updates and consume a lot of bandwidth.
- Schedule the non-security updates and security updates that are not rated Critical to be deployed after Patch Tuesday, such as during the third or fourth week of the month. You can also choose to decline certain updates if you feel they are not required in your environment.
- Run patch reports to get a detailed view of the health status of your endpoints.
For machines belonging to users returning to the office after working remotely, check if they are compliant with your security policies. If not, quarantine them. Install the latest updates and feature packs before deeming your back-to-office machines fit for production. Take inventory of and remove apps that are now obsolete for your back-to-office machines, like remote collaboration software.
With Endpoint Central, Patch Manager Plus, or Vulnerability Manager Plus, you can completely automate the entire process of patch management, from testing patches to deploying them. You can also tailor patch tasks according to your current needs. For a hands-on experience with either of these products, try a free, 30-day trial and keep thousands of applications patched and secure.
Want to learn more about Patch Tuesday updates? Join our experts as they break down this month’s Patch Tuesday updates and offer in-depth analysis. You can also ask our experts questions and get answers to all your Patch Tuesday questions. Register for our free Patch Tuesday webinar.
Ready, get set, patch!
