Microsoft closes critical security vulnerabilities on October Patch Day

Microsoft fixed a total of 117 vulnerabilities in its products as part of the October Patch Day. Two zero-day security holes are particularly alarming and are already being actively exploited by attackers:
The first of these vulnerabilities affects the Microsoft Management Console (CVE-2024-43572), which allows malicious code to be injected into systems and executed via crafted MSC files (Microsoft Saved Console files).
The second is a cross-site scripting (XSS) vulnerability in the Windows MSHTML platform (CVE-2024-43573). It allows attackers to inject fake content and change display behavior. The vulnerability is rated as medium severity.
In addition to these two vulnerabilities, Microsoft has also fixed other critical security issues, including a remote code execution vulnerability in Microsoft Configuration Manager (CVE-2024-43468) and a privilege escalation vulnerability in Windows Netlogon (CVE-2024-38124). Both have high CVSS scores (9.8 and 9.0) and pose a significant risk to affected systems. Administrators and IT managers should therefore review the updated CVE lists and confirm that all relevant patches are installed on their systems.
The October update also brings important improvements to Windows 11 in the new version 24H2 (Build 26100.2033), including the resolution of a bug in the Remote Desktop Gateway service, which stopped responding after being used via RPC over HTTP connections. Microsoft points out that these are the last security updates for Windows 11 21H2 Edu and Enterprise as well as Windows 11 22H2 Home and Pro, and strongly recommends that users switch to Windows 11 24H2 in order to continue to receive security-related updates.
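A quick way to check a host against the two facts above (the 24H2 build 26100.2033 and the releases receiving their final security updates), as an added example that is not Microsoft's code or part of the original article. The function name `Get-OctoberPatchStatus` is hypothetical, and the mapping of the registry `EditionID` values `Core`/`Professional` to Home/Pro is an assumption of this sketch.

```powershell
# Added example: classify a Windows host using only the build number and the
# end-of-servicing editions named in the article.
function Get-OctoberPatchStatus {
    param(
        [Parameter(Mandatory)][int]$Build,             # e.g. 26100
        [Parameter(Mandatory)][int]$Ubr,               # update build revision, e.g. 2033
        [Parameter(Mandatory)][string]$DisplayVersion, # e.g. '24H2'
        [Parameter(Mandatory)][string]$EditionId       # e.g. 'Professional'
    )
    # Windows 11 builds start at 22000; anything lower is out of scope here.
    if ($Build -lt 22000) { return 'NotWindows11' }

    # Releases the article says receive their last security updates this month.
    # Assumption: EditionID 'Core' = Home, 'Professional' = Pro.
    $final = ($DisplayVersion -eq '21H2' -and $EditionId -in @('Enterprise', 'Education')) -or
             ($DisplayVersion -eq '22H2' -and $EditionId -in @('Core', 'Professional'))
    if ($final) { return 'FinalSecurityUpdate-MoveTo24H2' }

    # 24H2: the October update is build 26100.2033 per the article.
    if ($Build -eq 26100) {
        if ($Ubr -ge 2033) { return 'OctoberUpdateInstalled' }
        return 'OctoberUpdateMissing'
    }
    return 'NotCoveredByThisCheck'
}

# Constructed sample inventory rows (not real hosts).
$samples = @(
    @{ Build = 26100; Ubr = 2033; DisplayVersion = '24H2'; EditionId = 'Professional' },
    @{ Build = 26100; Ubr = 1742; DisplayVersion = '24H2'; EditionId = 'Enterprise' },
    @{ Build = 22621; Ubr = 4317; DisplayVersion = '22H2'; EditionId = 'Core' },
    @{ Build = 22000; Ubr = 3260; DisplayVersion = '21H2'; EditionId = 'Education' }
)
foreach ($s in $samples) {
    '{0}.{1} {2} {3}: {4}' -f $s.Build, $s.Ubr, $s.DisplayVersion, $s.EditionId,
        (Get-OctoberPatchStatus @s)
}

# On a Windows host, evaluate the local machine from the registry.
if ($env:OS -eq 'Windows_NT') {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    Get-OctoberPatchStatus -Build ([int]$cv.CurrentBuildNumber) -Ubr ([int]$cv.UBR) `
        -DisplayVersion $cv.DisplayVersion -EditionId $cv.EditionID
}
```

A build revision at or above 2033 only shows that the cumulative update is present; products patched separately, such as Configuration Manager, still need to be checked against their own advisories.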