Microsoft today released security updates to fix at least 117 security holes Windows computers and other software, including two vulnerabilities that have already seen active attacks. And, Adobe 52 security holes are attached to a variety of products, too an apple talk to the bug in its new macOS 15 “Sequoia” update that broke many cybersecurity tools.
One of the zero-day bugs – CVE-2024-43573 – comes from a security vulnerability MSHTMLMicrosoft’s proprietary engine Internet Explorer web browser. If that sounds familiar, it’s because this is the fourth MSHTML vulnerability found to be exploited in the wild so far in 2024.
Nikolas Cemerikiccybersecurity engineer at Focused Labssaid the vulnerability allows an attacker to trick users into viewing malicious web content, which may appear legitimate due to the way Windows handles certain web content.
“If a user is tricked into interacting with this content (usually through a phishing attack), the attacker can gain unauthorized access to sensitive information or spoof web-based services,” he said.
Cemerikic noted that while Internet Explorer is being retired on many platforms, its underlying MSHTML technology remains active and vulnerable.
“This creates a risk for employees who use these old systems as part of their daily work, especially if they access sensitive data or conduct financial transactions online,” he said.
Perhaps the most serious zero-day this month is CVE-2024-43572, a code execution flaw in the Microsoft Management Console, a component of Windows that gives system administrators a way to configure and monitor the system.
Satnam Narangsenior staff research engineer e It is usablenoted that the patch for CVE-2024-43572 arrived several months after the researchers Elastic Security Labs exposed an attack method called GrimResource that used an old cross-site scripting (XSS) vulnerability combined with a specially crafted Microsoft Saved Console (MSC) file to gain privileges to execute code.
“Although Microsoft included a separate MMC vulnerability in September (CVE-2024-38259) that was not exploited in the wild or publicly disclosed,” Narang said. “Since the discovery of CVE-2024-43572, Microsoft now prevents untrusted MSC files from being opened on the system.”
Microsoft has also been eliminated office, Azure, .NET, OpenSSH for Windows; The power of BI; Windows Hyper-V; Windows Mobile Broadbandagain Visual Studio. As always, i SANS Internet Storm Center has a list of all Microsoft patches released today, ranked by severity and exploit.
Late last month, Apple introduced macOS 15, an operating system update called Sequoia that broke the functionality of security tools made by multiple vendors, including CrowdStrike, SentinelOne and Microsoft. On October 7, Apple pushed an update to Sequoia users that addresses these compatibility issues.
Finally, Adobe released security updates to patch a total of 52 vulnerabilities in the software list, including Adobe Substance 3D Painter, Commercial, Size, Animate, Lightroom, InCopy, InDesign, 3D Stager objectsagain Adobe FrameMaker.
Please consider backing up important data before installing any updates. With the exception of zero days, there is generally little risk in waiting a few days to apply any pending patches, as it is rare for a security update to introduce stability or compatibility issues. AskWoody.com usually has less body in any problem areas.
And as always, if you run into any problems after installing the patches, leave a note in the comments; someone else may be stuck with the same issue and may have found a solution.
Source link