Microsoft patches critical Windows security vulnerabilities

Microsoft has released the October security patches for Windows systems. The most critical updates address vulnerabilities in the remote access server and telephony. Other notable updates include patches for Remote Registry, Hyper-V, and Curl, a tool that has been part of the system since version 1809.

Kamil J. Dudek

9 October 2024 10:39

Microsoft patched the primary vulnerability not in Windows itself but in Configuration Manager. The flaw, tracked as CVE-2024-43468, allowed server-side code execution. The description is brief, but in severe cases the flaw could affect all devices enrolled in a particular instance of Intune. Although comprehensive details are currently unavailable, the patch comes with an extensive deployment guide.

Concerning Windows, the update list is led by numerous patched vulnerabilities in the RRAS service, known as Routing and Remote Access. This VPN server/gateway service was once widely used in homogeneous Windows Server environments. Most RRAS vulnerabilities do not require authentication, as sending a maliciously formatted request could suffice for remote code execution.

More than thirteen vulnerabilities have been identified in RRAS, all reported anonymously. The volume suggests a single person discovered them. This phenomenon is common in security patches, where specific system components become the focus of many experts, leading to concentrated expertise in particular areas. Mastering one of the many Windows components demands significant effort and time, making it challenging to achieve broad versatility.

Other vulnerabilities

Additional vulnerabilities were detected in the Remote Desktop Protocol (RDP), which remains widely used, even on servers. Although the recommended server configuration methods for Windows are PowerShell and the Windows Admin Center, two issues (CVE-2024-43599) involve the client executing code when connecting to a malicious server. Another issue (CVE-2024-43582) involves the server executing a malicious request as code.

October's updates also include patches for the telephony server (CVE-2024-43518), which, like RRAS, is not installed by default. There is also an update for the less commonly discussed Remote Registry service (CVE-2024-43532), one of the oldest in NT, which still uses raw RPC communication. The issue with Hyper-V (CVE-2024-20659) is noteworthy but requires considerable effort to exploit.

Curl for Windows

Perhaps the most intriguing update is the patch for the Curl tool, known primarily from the Unix world. Although Curl on Windows does not require WSL and runs fully natively, the bundled version had been outdated for several months. The vulnerability CVE-2024-6197 was patched in July, but Windows users had to wait a little longer. While the vulnerability was rated 8.8, this was arguably an overestimation. The Curl project itself assigned a lower severity rating.

The scope of updates is considerable. Though Windows 11 24H2 was officially released last week, its update reached 797 MB, exceeding the 744 MB update for its predecessor. This is because 24H2 also forms the foundation of the forthcoming Windows Server 2025. The update for Windows 10 is smaller at 636 MB, while the largest update is for Windows Server 2016, at 1.65 GB. The cumulative updates for this version no longer increase in size, as they effectively replace the entire system.

© Daily Wrap