TechMicrosoft patches critical Windows security vulnerabilities

Microsoft patches critical Windows security vulnerabilities

Microsoft has released the October security patches for Windows systems. The most critical updates address vulnerabilities in the remote access server and telephony. Other notable updates include patches for Remote Registry, Hyper-V, and Curl, a tool that has been part of the system since version 1809.

Windows Update
Windows Update
Images source: © GETTY | NurPhoto
Kamil J. Dudek

Microsoft patched the primary vulnerability not within Windows itself but in Configuration Manager. A flaw, as outlined in CVE-2024-43468, allowed for server-side code execution. The description is somewhat concise, but in severe cases, this flaw could affect all devices enrolled in a particular instance of Intune. Although comprehensive details are currently unavailable, this patch has an extensive deployment guide.

Concerning Windows, the update list is led by numerous patched vulnerabilities in the RRAS service, known as Routing and Remote Access. This VPN server/gateway service was once widely used in homogeneous Windows Server environments. Most RRAS vulnerabilities do not require authentication, as sending a maliciously formatted request could suffice for remote code execution.

More than thirteen vulnerabilities have been identified in RRAS, all reported anonymously. The volume suggests a single person discovered them. This phenomenon is common in security patches, where specific system components become the focus of many experts, leading to concentrated expertise in particular areas. Mastering one of the many Windows components demands significant effort and time, making it challenging to achieve broad versatility.

Other vulnerabilities

Additional vulnerabilities were detected in the Remote Desktop Protocol (RDP), which remains widely used, even on servers. Although the recommended server configuration methods for Windows are PowerShell and the Windows Admin Center, two issues (CVE-2024-43599) involve the client executing code when connecting to a malicious server. Another issue (CVE-2024-43582) involves the server executing a malicious request as code.

October's updates also include patches for the telephony server (CVE-2024-43518), which, like RRAS, is not installed by default. There is also an update for the less commonly discussed Remote Registry service (CVE-2024-43532), one of the oldest in NT, which still uses raw RPC communication. The issue with Hyper-V (CVE-2024-20659) is noteworthy but requires considerable effort to exploit.

Curl for Windows

Perhaps the most intriguing update is the patch for the Curl tool, primarily known from the Unix domain. Although Curl in Windows had not required WSL, allowing it to be fully native, it had been outdated for several months. The vulnerability CVE-2024-6197 was patched in July, but Windows users had to wait a little longer. While the vulnerability was rated 8.8, this was arguably an overestimation. The Curl project itself assigned a lower severity rating.

The scope of updates is considerable. Though Windows 11 24H2 was officially released last week, its updates reached 797MB, exceeding the 744MB update for its predecessor. This is because 24H2 also forms the forthcoming Windows Server 2025 foundation. However, the update for Windows 10 is smaller at 636MB, while the largest update is for Windows Server 2016, at 1.65GB. The cumulative updates for this version no longer increase in size, as they effectively replace the entire system.

Related content
© Daily Wrap
·

Downloading, reproduction, storage, or any other use of content available on this website—regardless of its nature and form of expression (in particular, but not limited to verbal, verbal-musical, musical, audiovisual, audio, textual, graphic, and the data and information contained therein, databases and the data contained therein) and its form (e.g., literary, journalistic, scientific, cartographic, computer programs, visual arts, photographic)—requires prior and explicit consent from Wirtualna Polska Media Spółka Akcyjna, headquartered in Warsaw, the owner of this website, regardless of the method of exploration and the technique used (manual or automated, including the use of machine learning or artificial intelligence programs). The above restriction does not apply solely to facilitate their search by internet search engines and uses within contractual relations or permitted use as specified by applicable law.Detailed information regarding this notice can be found  here.