Microsoft patches a brace of exploited zero days

Redmond pushes fixes for 117 vulnerabilities, three rated critical, five as publicly known, and eight marked as “exploitation more likely.” Beyond Microsoft, there are...

Microsoft has patched a brace of zero days that are under active attack.

CVE-2024-43573 and CVE-2024-43572 both only get a “moderate” rating but are listed as exploited – with Redmond, as is now customary, giving no detail on the scale of exploitation in its October Patch Tuesday notes. 

It pushed fixes for a total of 117 vulnerabilities, three rated critical, five as publicly known, and eight marked as “exploitation more likely.”

From the Zero Day Initiative to your security partner, plenty of folks in the ecosystem will have detailed breakdowns; do the dutiful.

October Patch Tuesday: What else?

Back in early 2023, The Stack analysed 90,000+ CVEs over the five years from 2018-2022, identifying a sharp rise in cross-site scripting, memory corruption, and SQL injection bugs.

Others also pushed large updates, with Adobe pushing nine patch packages fixing 52 CVEs, none listed as known exploited. 

As Action1 notes, other recent major security fixes to be aware of include:

SAP also issued security fixes, including an update to security note #3479478 that patches a CVSS 9.8 “missing authentication check vulnerability in SAP BusinessObjects Business Intelligence Platform” first fixed in August; it now includes a patch for customers on different servers.
