
Patch Tuesday October 2024: Counting Down to Windows 10 EoS, While Internet Explorer Lives

The long tail of Internet Explorer reappears in this month’s Microsoft Patch Tuesday release as we hit the one-year mark for the impending Windows 10 end of support. A multi-month issue with Remote Desktop Gateway services crashing on Windows Servers since July’s security updates has also been addressed this month, so any teams that put deferments in place to preserve Remote Desktop functionality should quickly evaluate moving forward with this month’s updates to close multiple vulnerabilities.

Microsoft Vulnerabilities

A total of 119 new vulnerabilities were addressed with fixes for October’s Patch Tuesday. Included in those are fixes for five zero-day vulnerabilities that were marked as publicly disclosed, two of which are Under Active Exploitation. Also buried in the release notes is an update for CVE-2024-38095. This vulnerability was originally announced and addressed with a security update in July 2024, and the update highlights that just hitting go on your patch management solution of choice isn’t always enough to secure an environment.

CVE-2024-38095 is a .NET and Visual Studio Denial of Service vulnerability that affected multiple builds of Microsoft Visual Studio 2022, .NET 8.0, and PowerShell 7.2 and 7.4. Microsoft added .NET 6.0 to the list of affected products, but did not and will not provide a fix to address the vulnerability.

From the release notes description: “In the Security Updates table, added .NET 6.0 as it is also affected by this vulnerability. Note that there is no security update for .NET 6.0 to address this vulnerability. HTTP/3 support was only experimental in .NET 6.0, so if you are using .NET 6 you must update your application to .NET 8 to be protected.”
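Because no update will clear .NET 6.0, it has to be found by inventory rather than by patch status. The following is an added example, not code from the original article or from Microsoft: it parses `dotnet --list-runtimes` output collected per host and flags hosts that still carry a 6.0 shared runtime. The host names, version numbers and function names are assumptions made for illustration.

```python
import re

# Constructed sample: `dotnet --list-runtimes` output gathered from three
# hypothetical hosts. Host names and version numbers are made up.
INVENTORY = {
    "ws-001": (
        "Microsoft.AspNetCore.App 6.0.30 [C:\\Program Files\\dotnet\\shared\\Microsoft.AspNetCore.App]\n"
        "Microsoft.NETCore.App 6.0.30 [C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App]\n"
        "Microsoft.NETCore.App 8.0.8 [C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App]\n"
    ),
    "ws-002": "Microsoft.NETCore.App 8.0.8 [C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App]\n",
    "srv-003": "Microsoft.NETCore.App 6.0.30 [/usr/share/dotnet/shared/Microsoft.NETCore.App]\n",
}

# One line per shared runtime: "<name> <version> [<install path>]".
RUNTIME_LINE = re.compile(r"^(\S+) ((\d+)\.(\d+)\.\S+) \[.+\]$")

def parse_runtimes(text):
    """Return (name, version, major, minor) for every well-formed line."""
    found = []
    for line in text.splitlines():
        m = RUNTIME_LINE.match(line.strip())
        if m:  # skip blank lines and anything that is not a runtime entry
            found.append((m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
    return found

def net6_exposure(inventory):
    """Map host -> details for hosts that still carry a .NET 6.0 shared runtime.

    Per the release notes quoted above there is no 6.0 update for
    CVE-2024-38095, so these hosts stay flagged after patching until their
    applications move to .NET 8. Self-contained apps bundle their own
    runtime and do not show up in this listing.
    """
    report = {}
    for host, text in inventory.items():
        runtimes = parse_runtimes(text)
        net6 = sorted(f"{n} {v}" for n, v, major, minor in runtimes if (major, minor) == (6, 0))
        if net6:
            report[host] = {
                "net6": net6,
                # True only means the target runtime is installed, not that apps use it.
                "net8_installed": any(major == 8 for _, _, major, _ in runtimes),
            }
    return report

if __name__ == "__main__":
    for host, info in net6_exposure(INVENTORY).items():
        print(host, info)
```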

CVE-2024-43573 is a Windows MSHTML Platform spoofing vulnerability that affects Windows systems potentially as far back as Windows 8. Microsoft has listed Windows 10 as well as Windows Server 2012 R2 and forward as being affected by the vulnerability, and has provided fixes for those supported Windows builds. However, the vulnerability may also exist in older versions of Windows as the MSHTML Platform and other components were integral to Internet Explorer 11, which was released on Windows 8 in 2013.

CVE-2024-6197 is one of the publicly disclosed zero-days that has not yet been seen exploited in the wild. It’s been marked as Exploitation Less Likely, but combining it with other TTPs or vulnerabilities could result in easier exploitation of the vulnerability. An attacker who can successfully get a client to connect to a malicious server with a curl command could potentially reach remote code execution on the victim system; at the moment, that would result in only a crash of the system.

Windows Lifecycle Management

With only one year remaining until Windows 10 reaches the end of support from Microsoft on October 14, 2025, now is the time to start planning hardware migrations and necessary updates to keep systems on supported Windows builds. While Windows 10 has provided over a decade of reliable service—and many end-users have known only this operating system—it is important for Managed Service Providers (MSPs) to have prepared and led their clients through the required end-user training and project work before support ends. Planning a significant transition like this ahead of time is always easier than trying to convince end-users to give up an out-of-support system that still allows them to perform their daily tasks.

Microsoft Patch Tuesday Vulnerability Prioritization

Addressing vulnerabilities effectively requires a mix of adhering to established best practices and leveraging informed judgment. While it’s a natural instinct to rank vulnerabilities with critical severity ratings higher on the list of things that need to be addressed, relying on severity ratings alone can be limiting. An often-overlooked component is temporal metrics, which provide a measure of the window of vulnerability—the time from initial vulnerability discovery to the availability and application of the patch. This is essential as the longer a vulnerability exists without a fix, the greater the potential for exploitation. By integrating temporal metrics into the risk evaluation process, organizations can gain a more comprehensive understanding of the threat landscape and potential attack vectors, ensuring that they don’t leave themselves open to unnecessary risks.

Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, EU = Exploitation Unlikely, N/A = Not Available

| CVE Number | CVE Title | Severity | Status |
| --- | --- | --- | --- |
| CVE-2024-43572 | Microsoft Management Console Remote Code Execution Vulnerability | I | ED |
| CVE-2024-43573 | Windows MSHTML Platform Spoofing Vulnerability | M | ED |
| CVE-2024-43488 | Visual Studio Code extension for Arduino Remote Code Execution Vulnerability | C | ELL |
| CVE-2024-43582 | Remote Desktop Protocol Server Remote Code Execution Vulnerability | C | ELL |
| CVE-2024-43468 | Microsoft Configuration Manager Remote Code Execution Vulnerability | C | ELL |
| CVE-2024-43610 | Copilot Studio Information Disclosure Vulnerability | C | EML |
| CVE-2024-43583 | Winlogon Elevation of Privilege Vulnerability | I | EML |
| CVE-2024-43560 | Microsoft Windows Storage Port Driver Elevation of Privilege Vulnerability | I | EML |
| CVE-2024-43556 | Windows Graphics Component Elevation of Privilege Vulnerability | I | EML |
| CVE-2024-43509 | Windows Graphics Component Elevation of Privilege Vulnerability | I | EML |
| CVE-2024-43615 | Microsoft OpenSSH for Windows Remote Code Execution Vulnerability | I | EML |
| CVE-2024-43609 | Microsoft Office Spoofing Vulnerability | I | EML |
| CVE-2024-43581 | Microsoft OpenSSH for Windows Remote Code Execution Vulnerability | I | EML |
| CVE-2024-43502 | Windows Kernel Elevation of Privilege Vulnerability | I | EML |

Summary

As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity, consider including prioritization of patches for Zero-Days, Exploitation Detected, and Exploitation More Likely vulnerabilities in your Patch Management routines.
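To see what that change in prioritization does to this month's list, the added example below (not part of the original article) orders the table's rows two ways, by severity alone and by exploitation status first, and reports how far each CVE moves. The rank orders and function names are assumptions of this example; the rows are copied from the table.

```python
# Rows copied from the table above: (CVE, severity, status).
ROWS = [
    ("CVE-2024-43572", "I", "ED"),
    ("CVE-2024-43573", "M", "ED"),
    ("CVE-2024-43488", "C", "ELL"),
    ("CVE-2024-43582", "C", "ELL"),
    ("CVE-2024-43468", "C", "ELL"),
    ("CVE-2024-43610", "C", "EML"),
    ("CVE-2024-43583", "I", "EML"),
    ("CVE-2024-43560", "I", "EML"),
    ("CVE-2024-43556", "I", "EML"),
    ("CVE-2024-43509", "I", "EML"),
    ("CVE-2024-43615", "I", "EML"),
    ("CVE-2024-43609", "I", "EML"),
    ("CVE-2024-43581", "I", "EML"),
    ("CVE-2024-43502", "I", "EML"),
]

# Lower rank = patch sooner. These orders are this example's assumption,
# built from the table key and the advice to weigh ED and EML ahead of severity.
SEVERITY_RANK = {"C": 0, "I": 1, "M": 2, "R": 3}
STATUS_RANK = {"ED": 0, "EML": 1, "ELL": 2, "EU": 3, "N/A": 4}

def _check(rows):
    # Fail loudly on a code that is not in the table key instead of mis-sorting it.
    for cve, sev, status in rows:
        if sev not in SEVERITY_RANK or status not in STATUS_RANK:
            raise ValueError(f"{cve}: unknown code {sev!r}/{status!r}")

def by_severity(rows):
    """Severity-only ordering; ties keep their table order."""
    _check(rows)
    return sorted(rows, key=lambda r: SEVERITY_RANK[r[1]])

def by_exploitation(rows):
    """Exploitation status first, severity as the tie-breaker."""
    _check(rows)
    return sorted(rows, key=lambda r: (STATUS_RANK[r[2]], SEVERITY_RANK[r[1]]))

def rank_shift(rows):
    """Map CVE -> (position by severity only, position exploitation-first), 1-based."""
    sev = [r[0] for r in by_severity(rows)]
    exp = [r[0] for r in by_exploitation(rows)]
    return {cve: (sev.index(cve) + 1, exp.index(cve) + 1) for cve in sev}

if __name__ == "__main__":
    for cve, (s, e) in sorted(rank_shift(ROWS).items(), key=lambda kv: kv[1][1]):
        print(f"{cve}  severity-only #{s:>2}  exploitation-first #{e:>2}")
```

Under severity-only ordering the two Exploitation Detected entries sit behind every Critical item, with CVE-2024-43573 last of the fourteen; exploitation-first ordering moves both to the top.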

Looking for more blogs on patching or for previous Microsoft Patch Tuesday reviews? Check out the Patch Management section of our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd 

 

 
