
Microsoft Addresses 4 Zero-Day Holes in November Security Patch

Microsoft's monthly security update arrived on Tuesday with 90 fixes across the company's portfolio of products and services. Four of them address vulnerabilities that were either already under active exploitation or publicly disclosed before a patch was available.

Let's cover the actively exploited items first. CVE-2024-49039 is an elevation of privilege vulnerability in the Windows Task Scheduler. An authenticated attacker who can run a specially crafted application on a vulnerable system can use it to escape a low-privileged AppContainer and elevate to Medium integrity, which grants access to resources otherwise off limits and lets the attacker execute code, including RPC functions that are normally restricted to privileged accounts. Microsoft disclosed that this vulnerability was exploited as a zero-day in the wild, although specifics on its exploitation are limited.
The flaw is credited to multiple reporters, including researchers from Google's Threat Analysis Group (TAG). TAG's involvement is a reasonable hint, though not proof, that the exploitation was part of a targeted campaign of the kind usually associated with advanced persistent threat (APT) or nation-state actors.

The second flaw in active exploitation is an NTLM hash disclosure spoofing vulnerability (CVE-2024-43451) that can leak a user's NTLMv2 hash to an attacker, who can then attempt to authenticate as that user. Although the bug sits in the deprecated Internet Explorer (specifically the MSHTML platform), it is still reachable on patched-up systems through Internet Explorer mode in Microsoft Edge, so retiring the IE browser alone does not remove the exposure.

If this zero-day looks familiar, you're not alone. Microsoft has been busy dealing with similar NTLM hash flaws this year. By the count of Satnam Narang, senior staff research engineer at security firm Tenable, this is the third time Microsoft has had to address an actively exploited NTLM hash disclosure bug in 2024, the previous one having been patched in July. And by Narang's analysis, this won't be the last we see.

"While we don’t have insight into the in-the-wild exploitation of CVE-2024-43451 at this time, one thing is certain: attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes, as they can be used to authenticate to systems and potentially move laterally within a network to access other systems," said Narang.

The final two zero-day items were not under active exploitation at the time of the release, but their details are publicly known, so expect attacks to follow. First up is CVE-2024-49019, an elevation of privilege vulnerability in Active Directory Certificate Services (AD CS). An attacker who successfully exploits it could obtain domain administrator privileges.

Microsoft has provided some guidance for those wondering if their public key infrastructure environment is a threat for attack: "Check if you have published any certificates created using a version 1 certificate template where the Source of subject name is set to 'Supplied in the request' and the Enroll permissions are granted to a broader set of accounts, such as domain users or domain computers," wrote Microsoft. "An example is the built-in Web Server template, but it is not vulnerable by default due to its restricted Enroll permissions."
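The following PowerShell script turns Microsoft's guidance above into a repeatable check. It is an added example written for this article, not code from Microsoft or from the original page. It assumes the ActiveDirectory module on a domain-joined host with read access to the configuration partition; the well-known GUIDs of the Certificate-Enrollment and Certificate-AutoEnrollment extended rights, the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit, and the list of "broad" principals are assumptions stated in the code. It flags a template as at risk only when all four of Microsoft's conditions hold: schema version 1, subject name supplied in the request, Enroll granted to a broad group, and the template actually published on a CA.

```powershell
# Added example (not from the article or Microsoft): hunt for AD CS templates matching
# Microsoft's CVE-2024-49019 guidance. Requires the ActiveDirectory module and
# read access to CN=Public Key Services in the configuration partition.
Import-Module ActiveDirectory

# Assumed constants: extended-right GUIDs for PKI enrollment and the name flag bit.
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$AnyRight        = [guid]::Empty                                    # empty ObjectType = all extended rights
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1                            # "Supplied in the request"

# Principals considered "broad" for the purposes of the check (assumption; extend as needed).
$BroadPrincipals = @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone', 'Users')

function Test-BroadEnroll {
    # $Access: ACEs from nTSecurityDescriptor.Access (ActiveDirectoryAccessRule or look-alikes).
    param($Access)
    foreach ($ace in $Access) {
        if ([string]$ace.AccessControlType -ne 'Allow') { continue }
        $rights = [string]$ace.ActiveDirectoryRights
        $grantsEnroll = ($rights -match 'GenericAll') -or
            (($rights -match 'ExtendedRight') -and
             ($ace.ObjectType -eq $EnrollRight -or $ace.ObjectType -eq $AutoEnrollRight -or $ace.ObjectType -eq $AnyRight))
        if (-not $grantsEnroll) { continue }
        $name = ([string]$ace.IdentityReference) -replace '^.*\\', ''   # strip DOMAIN\ prefix
        if ($BroadPrincipals -contains $name) { return $true }
    }
    return $false
}

function Test-Cve202449019Template {
    # Evaluate one template object against the four conditions in Microsoft's guidance.
    param($Template, [string[]]$PublishedNames)
    $schema  = [int]$Template.'msPKI-Template-Schema-Version'
    $fromReq = [bool]([int]$Template.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    $broad   = Test-BroadEnroll -Access $Template.nTSecurityDescriptor.Access
    $pub     = $PublishedNames -contains $Template.Name
    [pscustomobject]@{
        Name               = $Template.Name
        SchemaVersion      = $schema
        SubjectFromRequest = $fromReq
        BroadEnroll        = $broad
        Published          = $pub
        AtRisk             = ($schema -eq 1 -and $fromReq -and $broad -and $pub)
    }
}

function Find-Cve202449019Templates {
    # Enumerate every template in the forest and report the ones meeting all conditions.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $pks = "CN=Public Key Services,CN=Services,$cfg"
    # A template is only exposed if some CA lists it in its certificateTemplates attribute.
    $published = Get-ADObject -SearchBase "CN=Enrollment Services,$pks" `
        -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates |
        ForEach-Object { $_.certificateTemplates }
    Get-ADObject -SearchBase "CN=Certificate Templates,$pks" `
        -Filter 'objectClass -eq "pKICertificateTemplate"' `
        -Properties Name, 'msPKI-Template-Schema-Version', 'msPKI-Certificate-Name-Flag', nTSecurityDescriptor |
        ForEach-Object { Test-Cve202449019Template -Template $_ -PublishedNames $published } |
        Where-Object { $_.AtRisk }
}

# Constructed sample (not real directory data) so the classification logic can be exercised
# offline: a v1 template, subject from request, Enroll for Domain Users, published on a CA.
$sample = [pscustomobject]@{
    Name                            = 'LegacyWebServer'
    'msPKI-Template-Schema-Version' = 1
    'msPKI-Certificate-Name-Flag'   = 1
    nTSecurityDescriptor            = [pscustomobject]@{ Access = @(
        [pscustomobject]@{ IdentityReference = 'CORP\Domain Users'; ActiveDirectoryRights = 'ExtendedRight'
                           ObjectType = $EnrollRight; AccessControlType = 'Allow' }) }
}
Test-Cve202449019Template -Template $sample -PublishedNames @('LegacyWebServer')   # AtRisk = True

# Live run against the domain:
Find-Cve202449019Templates | Format-Table -AutoSize
```

Templates the script reports should be unpublished from the CA or tightened (restrict Enroll, or move to a v2+ template with a fixed subject source) in addition to applying the patch; the built-in Web Server template will typically not appear because, as Microsoft notes, its default Enroll permissions are restricted.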

November's final zero-day fix targets a spoofing vulnerability (CVE-2024-49040) in Microsoft Exchange Server 2016 and 2019. Microsoft has not provided much detail on this one, but the details are already public and therefore available to attackers, so patch before active attacks appear.

Once IT has dealt with the four zero-day bulletins above, it's recommended to move on to this month's four "critical" bulletin items:

  • CVE-2024-43490: Remote code execution vulnerability fix for .NET and Visual Studio.
  • CVE-2024-49056: Elevation of privilege vulnerability fix for Airlift.microsoft.com.
  • CVE-2024-43625: Elevation of privilege vulnerability fix for Windows VMSwitch.
  • CVE-2024-43639: Remote code execution vulnerability fix for Windows Kerberos.

The full list of this month's bulletins can be found here.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
