"Microsoft Fixes Five Zero-Days in October Patch Tuesday"
In this month’s Patch Tuesday update round, Microsoft patched two zero-day bugs under active exploitation and three that had been publicly disclosed. The first exploited zero-day is CVE-2024-43572, a remote code execution (RCE) vulnerability in the Microsoft Management Console with a CVSS score of 7.8. Threat actors could pair it with phishing, privilege escalation, or network propagation attacks to achieve data exfiltration, lateral movement, system compromise, and deployment of backdoors. The second exploited zero-day, CVE-2024-43573, is a spoofing vulnerability in the Windows MSHTML platform that enables threat actors to trick users into believing they are visiting a legitimate site in order to harvest information or inject malicious payloads. Although its CVSS score is only 6.5, it could pose a “significant” risk of phishing or data compromise. The three other zero-day vulnerabilities, which have been publicly disclosed but not yet exploited, are CVE-2024-6197, CVE-2024-43583, and CVE-2024-20659.
Infosecurity Magazine reports: "Microsoft Fixes Five Zero-Days in October Patch Tuesday"