Microsoft kicked out a whopping 117 patches this week in its monthly patch update.
The good news is that among the dozens of updates that are set to be delivered from Redmond, only a handful are actually considered critical risks and none are under zero day attack.
That said, five of the known less-severe flaws are being actively attacked and administrators would be well-advised to test and deploy the updates as soon as possible.
“Of the patches being released today, three are rated Critical, 115 are rated Important, and two are rated Moderate in severity,” explained Dustin Childs of the Trend Mirco Zero Day Initiative.
“This is the third triple-digit CVE release from Microsoft this year, putting the Redmond giant on pace to exceed the number of CVEs fixed in 2023.”
The two most severe flaws are CVE-2024-43572 and CVE-2024-453573, a pair of remote code and platform spoofing flaws. Because both require local access they are not considered critical priorities.
However, the fact that the each are under active exploit should make them issues that administrators need to fix as soon as quickly as possible.
“While this does sound unlikely, it’s clearly happening. Microsoft doesn’t say how widespread these attacks are, but considering the amount of social engineering required to exploit this bug,” Childs said of CVE-2024-43572.
“I would think attacks would be limited at this point. Still considering the damage that could be caused by an admin loading a malicious snap-in, I would test and deploy this update quickly.”
The remaining flaws largely concern bugs in Office, .NET, and the Windows kernel. They require local access to exploit (meaning you are already pwned if the attack can take place) but should still be addresses as soon as possible in the sake of good infosec hygiene.
Not to be outdone, Adobe also used the second Tuesday to drop its own patches. The image-bending masters reared back and left a patchload of fixes for Adobe Substance 3D Painter, Commerce, Dimension, Animate, Lightroom, InCopy, InDesign, Substance 3D Stager, and Adobe FrameMaker.
While the Adobe update spans the scape of a dozen products, admins can rest easy that none of the flaws are under active exploit. Best practices call for administrators to test and deploy the fixes
