Virtual Administrator’s October Patch Recommendations
This month Microsoft released patches for 117 vulnerabilities with 3 rated “Critical” in severity.
All new patches will be approved in our patch policy.
October is National Cybersecurity Awareness Month and to celebrate Microsoft has released 117 fixes! Two (CVE-2024-43572, CVE-2024-43573) are zero-days that are already being exploited. CVE-2024-43573 leverages a weakness in MSHTML. CVE-2024-43572 is a code execution bug in the Microsoft Management Console. Three other concerns are publicly disclosed bugs – CVE-2024-6197 is an RCE issue in Open Source Curl, CVE-2024-20659 is a security feature bypass issue in Windows Hyper-V and CVE-2024-43583 is an elevation of privilege vulnerability in Winlogon. Make sure to read “Heads Up” below if your Kaseya agents do not appear to be returning accurate patch scans. There are new stand-alone SSUs for Windows Server 2012/2012 R2. Windows 11 24H2 was officially released on October 1st.
Disclosed: CVE-2024-6197, CVE-2024-20659, CVE-2024-43572, CVE-2024-43573, CVE-2024-43583
Exploited: CVE-2024-43572, CVE-2024-43573
Security Update Guide
https://msrc.microsoft.com/update-guide/en-us
Microsoft Security Advisories
ADV990001 | Latest Servicing Stack Updates (Published: 11/13/2018 | Last Updated: 10/08/2024)
https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001
Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.
NOTE: The Windows 10 Servicing Stack Updates are included in the monthly Cumulative Updates.
Heads Up! Windows 11 Patch Scans may be failing to return data on agents with the June Preview (or July CU) installed.
The June Preview patch KB5039302 broke the Windows Update Agent API (WUA) on some agents, preventing Kaseya patch scans from returning scan results. The July Cumulative Update (CU) KB5040442 also has this listed as a Known Issue. We deny Preview patches and have not seen any widespread patch scan problems. We believe the July CU itself did not break the WUA API, but it did not repair the API if the Preview was already installed.
June 25, 2024—KB5039302 (OS Builds 22621.3810 and 22631.3810) Preview
Symptom: The agent will show KB5039302 or KB5040442 as installed but report no missing patches.
Resolution: To fix this you need to install the August CU (KB5041585) manually. There is an agent procedure for this on ClubMSP – “Procedure Patch Install Procedure” or you can use “Agent Procedures>Patch Deploy”. Please open a support ticket (help@virtualadministrator.com) if you need assistance. The Microsoft Update Catalog is here: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5041585
Finding affected agents: Create a custom View with Windows 11 as the OS and “Machines with installed patch” KB5039302 or KB5040442. With that View, look for agents that show fully patched. When Kaseya installs a patch it confirms the successful installation outside of the WUA API. Because the new patch scans don’t fail but return no new data, the agent will appear fully patched – nothing missing. Each month’s CU replaces the last, so an agent that is patching correctly will not show older CUs as Installed or Missing. The record is replaced by the last successful CU.
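As an added example that is not part of this newsletter or any Kaseya procedure, the PowerShell script below performs the same check from the endpoint side on a single Windows 11 agent: it looks for the two problematic KBs, checks whether the August CU KB5041585 is present, and exercises the WUA search API that the broken agents can no longer use. The KB list, the build-number threshold (from Microsoft's release notes for KB5041585) and the assumption that a failing COM search corresponds to the broken-scan condition are mine, not from the page.

```powershell
# Added example, not from the newsletter or Kaseya. Run in an elevated
# PowerShell session on a Windows 11 22H2/23H2 agent suspected of
# returning empty patch scans.
$BrokenKbs = @('KB5039302', 'KB5040442')   # June Preview / July CU
$FixKb     = 'KB5041585'                   # August CU that repairs WUA
$FixUbr    = 4037                          # 22621.4037 / 22631.4037 = KB5041585 (assumed from MS notes)

$os = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Write-Host ("OS: Windows {0} build {1}.{2}" -f $os.DisplayVersion, $os.CurrentBuild, $os.UBR)

# 1. Which of the relevant KBs does the local servicing stack report as installed?
#    Unlike the Kaseya record, Win32_QuickFixEngineering keeps superseded CUs listed,
#    so the presence of a broken KB alone does not mean the agent is still broken.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$hasBroken = @($BrokenKbs | Where-Object { $installed -contains $_ })
$hasFix    = ($installed -contains $FixKb) -or ([int]$os.UBR -ge $FixUbr)

# 2. Does the Windows Update Agent (WUA) API still answer a search?
#    A healthy agent returns a result set (possibly empty); a broken one throws.
$wuaOk = $false
try {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    $wuaOk    = $true
    Write-Host ("WUA search OK: {0} update(s) pending" -f $result.Updates.Count)
} catch {
    Write-Host ("WUA search FAILED: {0}" -f $_.Exception.Message)
}

# 3. Verdict, in the terms the newsletter uses
if (-not $wuaOk) {
    Write-Warning 'WUA API unusable: patch scans will return no data. Install the August CU manually.'
} elseif ($hasBroken.Count -gt 0 -and -not $hasFix) {
    Write-Warning ("{0} present without {1}: treat scan results as unreliable" -f ($hasBroken -join ','), $FixKb)
} else {
    Write-Host 'WUA responding and August (or later) CU present: agent looks healthy'
}
```

Run it against the agents that your Kaseya View shows as fully patched; any that print a warning are candidates for the manual KB5041585 install described above.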
FYI Windows 11 24H2 general availability October 1, 2024
What’s new in Windows 11, version 24H2
https://learn.microsoft.com/en-us/windows/whats-new/whats-new-windows-11-version-24h2
Windows 11 release information
https://learn.microsoft.com/en-us/windows/release-health/windows11-release-information
Known Issues
Microsoft is reporting no new known issues this month, but there were issues with the Windows 11 September Preview patch KB5043145. They were resolved with the October CU KB5044285. Also, a number of existing issues have been reported with the recently released Windows 11 24H2.
Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues, it is unlikely it will occur now.
Windows 11 September Preview patch KB5043145 causes restarts or blue screens.
Affects: Windows 11 22H2/23H2
Symptom: After installing this update, some customers have reported that their device restarts multiple times or becomes unresponsive with blue or green screens. According to the reports, some devices automatically open the Automatic Repair tool after repeated restart attempts. In some cases, BitLocker recovery can also be triggered.
Workaround: This issue is addressed in KB5044285.
Windows 11, version 24H2 known issues and notifications
https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-24H2
Good resource for known issues with Windows 10/11 patches. Find the version and click on “Known issues”.
Windows release health
https://docs.microsoft.com/en-us/windows/release-health/
Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022 KBs
Links are https://support.microsoft.com/en-us/help/####### with the KB number only.
Security and Quality Rollup
- KB5044343 – Windows Server 2012 R2 (ESU)
- KB5044342 – Windows Server 2012 (ESU)
Cumulative Updates
Windows 10
- KB5044286 – Original release version 1507 (OS Build 10240)
- KB5044293 – Version 1607 “Anniversary Update” (OS Build 14393)
- KB5044277 – Version 1809 “October 2018 Update” (OS Build 17763)
- KB5044273 – Version 21H2 “November 2021 Update” (OS Build 19044)
- KB5044273 – Version 22H2 “November 2022 Update” (OS Build 19045)
- (Versions 1511,1703,1709,1803,1903,1909,2004,20H2,21H1 are no longer under support)
Windows 11
- KB5044280 – 21H2 (OS Build 22000) Original release
- KB5044285 – 22H2 (OS Build 22621)
- KB5044285 – 23H2 (OS Build 22631)
- KB5044284 – 24H2 (OS Build 26100)
Windows Server
- KB5044293 – Server 2016 (same KB as Windows 10 Version 1607)
- KB5044277 – Server 2019 (same KB as Windows 10 Version 1809)
- KB5044281 – Server 2022 (OS Build 20348)
- KB5044288 – Server 23H2 (OS Build 25398)
Internet Explorer
- KB5044272 – Cumulative security update for Internet Explorer
October 2024 updates for Microsoft Office
Notable CVEs
CVE-2024-6197 | Open Source Curl Remote Code Execution Vulnerability (Cumulative Update)
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-6197
This attack requires a client to connect to a malicious server, and that could allow the attacker to gain code execution on the client. While the upstream advisory applies to curl, the command line tool, and libcurl as embedded in all manner of software, Windows does not ship libcurl but only ships the curl command line. This vulnerability requires user interaction to select the server and to communicate with it.
CVE-2024-20659 | Windows Hyper-V Security Feature Bypass Vulnerability (Cumulative Update)
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-20659
Successful exploitation of this vulnerability by an attacker requires a user to first reboot their machine. This Hypervisor vulnerability relates to Virtual Machines within a Unified Extensible Firmware Interface (UEFI) host machine. On some specific hardware it might be possible to bypass the UEFI, which could lead to the compromise of the hypervisor and the secure kernel.
CVE-2024-43468 | Microsoft Configuration Manager Remote Code Execution Vulnerability (KB29166583)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43468
An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database. Customers using a version of Configuration Manager specified in the Security Updates table of this CVE need to install an in-console update to be protected.
CVE-2024-43572 | Microsoft Management Console Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-43572
The security update will prevent untrusted Microsoft Saved Console (MSC) files from being opened to protect customers against the risks associated with this vulnerability. The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.
CVE-2024-43503 | Microsoft SharePoint Elevation of Privilege Vulnerability (KB5002645, KB5002647, KB5002649)
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-43503
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
CVE-2024-43573 | Windows MSHTML Platform Spoofing Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-43573
Weakness class: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’).
CVE-2024-43582 | Remote Desktop Protocol Server Remote Code Execution Vulnerability (Cumulative Update)
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-43582
To exploit this vulnerability, an unauthenticated attacker would need to send malformed packets to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service. Successful exploitation of this vulnerability requires an attacker to win a race condition.
CVE-2024-43583 | Winlogon Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-43583
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Additional action is required beyond installing the update: ensure that a Microsoft first-party IME is enabled on your device. By doing so, you can help protect your device from potential vulnerabilities associated with a third-party (3P) IME during the sign in process.