Microsoft today released security updates to fix at least 117 security holes in Windows computers and other software, including two vulnerabilities that are already seeing active attacks. Also, Adobe plugged 52 security holes across a range of products, and Apple has addressed a bug in its new macOS 15 “Sequoia” update that broke many cybersecurity tools.
One of the zero-day flaws — CVE-2024-43573 — stems from a security weakness in MSHTML, the proprietary engine of Microsoft’s Internet Explorer web browser. If that sounds familiar it’s because this is the fourth MSHTML vulnerability found to be exploited in the wild so far in 2024.
Nikolas Cemerikic, a cybersecurity engineer at Immersive Labs, said the vulnerability allows an attacker to trick users into viewing malicious web content, which could appear legitimate thanks to the way Windows handles certain web elements.
“Once a user is deceived into interacting with this content (typically through phishing attacks), the attacker can potentially gain unauthorized access to sensitive information or manipulate web-based services,” he said.
Cemerikic noted that while Internet Explorer is being retired on many platforms, its underlying MSHTML technology remains active and vulnerable.
“This creates a risk for employees using these older systems as part of their everyday work, especially if they are accessing sensitive data or performing financial transactions online,” he said.
Probably the more serious zero-day this month is CVE-2024-43572, a code execution bug in the Microsoft Management Console, a component of Windows that gives system administrators a way to configure and monitor the system.
Satnam Narang, senior staff research engineer at Tenable, observed that the patch for CVE-2024-43572 arrived a few months after researchers at Elastic Security Labs disclosed an attack technique called GrimResource that leveraged an old cross-site scripting (XSS) vulnerability combined with a specially crafted Microsoft Saved Console (MSC) file to gain code execution privileges.
“Although Microsoft patched a different MMC vulnerability in September (CVE-2024-38259) that was neither exploited in the wild nor publicly disclosed,” Narang said. “Since the discovery of CVE-2024-43572, Microsoft now prevents untrusted MSC files from being opened on a system.”
Microsoft also patched Office, Azure, .NET, OpenSSH for Windows; Power BI; Windows Hyper-V; Windows Mobile Broadband, and Visual Studio. As usual, the SANS Internet Storm Center has a list of all Microsoft patches released today, indexed by severity and exploitability.
Late last month, Apple rolled out macOS 15, an operating system update called Sequoia that broke the functionality of security tools made by a number of vendors, including CrowdStrike, SentinelOne and Microsoft. On Oct. 7, Apple pushed an update to Sequoia users that addresses these compatibility issues.
Finally, Adobe has released security updates to plug a total of 52 vulnerabilities in a range of software, including Adobe Substance 3D Painter, Commerce, Dimension, Animate, Lightroom, InCopy, InDesign, Substance 3D Stager, and Adobe FrameMaker.
Please consider backing up important data before applying any updates. Zero-days aside, there’s generally little harm in waiting a few days to apply any pending patches, because not infrequently a security update introduces stability or compatibility issues. AskWoody.com usually has the skinny on any problematic patches.
And as always, if you run into any glitches after installing patches, leave a note in the comments; chances are someone else is stuck with the same issue and may have even found a solution.
“. . . stems from a security weakness in MSHTML, the proprietary engine of Microsoft’s Internet Explorer web browser.”
Once again Microsoft’s irrational obsession with backwards compatibility bites them in the hind end. I just don’t understand it. How long has it been since Microsoft announced they were deprecating and removing MS Internet Explorer and yet bits and pieces of it, MSHTML (aka Trident), are still plaguing Windows users to this day. It’s time for Microsoft to put it’s foot down and finally announce a hard date on which all remaining elements of MS Internet Explorer will be completely removed from Windows and if any businesses or organizations still utilize programs/apps that break then so sad, too bad. They’ve had plenty of time to upgrade their systems to use MSEdge or any other modern browser available and if they’re too lazy or cheap to do so then there you go and here we are.
So Microsoft, please stop pandering to these corporations, governments that simply refuse to upgrade their systems to modern standards and do the right thing at this point. Set a firm date to remove all remaining elements of MS Internet Explorer from all supported versions of Windows and then stick to that date. And then when that date arrives just pull the trigger and remove it all. Users will be better off if you do so. You will be better off. So just do it.
From the way I read this issue, it only affects people “with older systems” using IE.
So if you William are just a home user you should not be affected by MS keeping old stuff running for corporations.
In the corporate world, getting obsolete systems enhanced to newer software can be a monumental task. Many home users are not aware of the effort and costs involved.
“From the way I read this issue, it only affects people “with older systems” using IE. So if you William are just a home user you should not be affected by MS keeping old stuff running for corporations.”
Funny then I can actually set MSEdge to open any web pages on the internet I so choose with Trident (aka MSHTML) on my fully up to date Windows 11 (24H2) system. Go to Settings–>Default Browser–>Internet Explorer compatibility–>Allow site to be reloaded in Internet Explorer mode (IE mode) and make the appropriate change. It will put a little IE icon in the upper right hand corner of MSEdge that you click to open the current web page in MS Internet Explorer (Trident). And that will expose you to any vulnerabilities/exploits that may be out there on the internet targeting MSIE/Trident. Mind you, don’t know why anyone would want to do that but Microsoft still gives people the option to access MS Internet Explorer when it is no longer necessary.
“In the corporate world, getting obsolete systems enhanced to newer software can be a monumental task. Many home users are not aware of the effort and costs involved.
If corporations still have systems/intranet whatever that depends on an outdated and deprecated web browser (MS Internet Explorer) at this point in time then “effort and costs” are not involved. What is involved is sheer laziness in getting their corporate systems upgraded to modern standards. And really, why should they, Microsoft keeps pandering to them and apparently will never completely pull the plug on MS Internet Explorer. There is no incentive for big business to do so. That’s why I said Microsoft needs to set a firm date for the complete removal of all remaining elements of MS Internet Explorer from Windows and let the chips fall where they may with these big corporations. If they refuse to upgrade then that’s on them. Not on Microsoft.
10-4 on this. General Dynamics and other major Government “contractors” are willing to pay for legacy support on Window$ (dead to us…?) platforms such as Internet Exploder 7, et.al. REALLY?!…..Grow a pair M$……sheesh…..DON’T MAKE ME DRIVE OVER THERE IN MY EDSEL and wait for your “bell hop” to valet park …..cretin$…..
lol
we can tell you’ve never had a real job (at least in IT)
lol.
What the heck does that comment have to do with anything. Nothing as far as I can tell.
FIS still pushing ChexSystems access requiring bending over backwards to use IE. In 2024…
Yes, I’m hoping Brian will follow up and shame them into doing the right thing.
Might want to keep comments on stricter moderation. 4chan still sending trolls your way
It could be wise to implement more stringent moderation for comments. 4chan is still targeting you with its trolls.