Network Security, Vulnerability Management, Patch/Configuration Management

Three critical flaws highlight Patch Tuesday in October

Microsoft is a multinational technology company, known for its software products

Microsoft kicked out a whopping 117 patches this week in its monthly patch update.

The good news is that among the dozens of updates that are set to be delivered from Redmond, only a handful are actually considered critical risks and none are under zero day attack.

That said, five of the known less-severe flaws are being actively attacked and administrators would be well-advised to test and deploy the updates as soon as possible.

“Of the patches being released today, three are rated Critical, 115 are rated Important, and two are rated Moderate in severity,” explained Dustin Childs of the Trend Mirco Zero Day Initiative.

“This is the third triple-digit CVE release from Microsoft this year, putting the Redmond giant on pace to exceed the number of CVEs fixed in 2023.”

The two most severe flaws are CVE-2024-43572 and CVE-2024-453573, a pair of remote code and platform spoofing flaws. Because both require local access they are not considered critical priorities.

However, the fact that the each are under active exploit should make them issues that administrators need to fix as soon as quickly as possible.

“While this does sound unlikely, it’s clearly happening. Microsoft doesn’t say how widespread these attacks are, but considering the amount of social engineering required to exploit this bug,” Childs said of CVE-2024-43572.

“I would think attacks would be limited at this point. Still considering the damage that could be caused by an admin loading a malicious snap-in, I would test and deploy this update quickly.”

The remaining flaws largely concern bugs in Office, .NET, and the Windows kernel. They require local access to exploit (meaning you are already pwned if the attack can take place) but should still be addresses as soon as possible in the sake of good infosec hygiene.

Not to be outdone, Adobe also used the second Tuesday to drop its own patches. The image-bending masters reared back and left a patchload of fixes for Adobe Substance 3D Painter, Commerce, Dimension, Animate, Lightroom, InCopy, InDesign, Substance 3D Stager, and Adobe FrameMaker.

While the Adobe update spans the scape of a dozen products, admins can rest easy that none of the flaws are under active exploit. Best practices call for administrators to test and deploy the fixes

An In-Depth Guide to Network Security

Get essential knowledge and practical strategies to fortify your network security.
Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds