This week, Microsoft has confirmed another major discovery of security vulnerabilities impacting users of its products. Amidst the blur that is a report of more than 90 security issues in all, there sit four zero-day vulnerabilities and two of these, Microsoft confirmed, are being actively exploited by threat actors. Here’s what you need to know and do.
Microsoft Confirms November 2024 Patchy Tuesday Complete With Four Zero-Day Vulnerabilities
Microsoft has a very Microsoft-centric way of assessing a zero-day threat. Whereas most security professionals agree that the term relates to a vulnerability that has already been exploited by the time the vendor or any security professional discovers it, Microsoft instead uses a definition of a vulnerability that has been publicly disclosed as well as those under active attack. So it is that Microsoft includes four zero-days in the November 2024 Patch Tuesday security updates release. Of these, however, only two are known to have been under active exploitation at the time of the Patch Tuesday disclosure on Nov. 12. Of these two, one hits both markers of being publicly disclosed and actively under attack.
CVE 2024-43451 is a NT LAN Manager hash disclosure spoofing vulnerability that can expose a crucial part of the NTLM authentication protocol to an attacker. “NTLM hashing is a method used to protect passwords by converting them into a fixed-length string of characters, which is then transmitted for authentication purposes,” Ryan Braunstein, the team lead of security operations at Automox, said. In other words, when the hash is disclosed it allows the attacker to potentially authenticate as the user. While confirmed and under active exploitation, Braunstein said that the zero-day vulnerability requires user interaction. “Specifically, a user needs to open a crafted file that an attacker might send through phishing attempts,” Braunstein said.
Meanwhile, CVE 2024-49039 is a Windows Task Scheduler elevation of privilege vulnerability that could allow an attacker to, unsurprisingly, elevate their privileges on the targeted Windows system. “This elevation of privilege vulnerability exploits Remote Procedure Call functions,” Henry Smith, a senior security engineer at Automox, said, “which are essential for executing commands and transferring data between a client and server.” That attacker would first need to gain access to the target system, Smith explained, and then run a malicious application to exploit the vulnerability. “To mitigate this vulnerability,” which has functional exploit code already out there, Smith said, “patching is your most effective strategy.”
Two Microsoft Security Vulnerabilities Rate As 9.8 On The Impact Severity Scale
The big news, however, should be aimed in the direction of not one, but two, security vulnerabilities that hit a massive 9.8 on the impact severity scale, according to Tyler Reguly, associate director for security research and development at Fortra. “While the Common Vulnerability Scoring System is not an indicator of risk,” Reguly said, “scores that are a 9.8 are often pretty telling of where the issue is.” In the case of CVE-2024-43498, it’s a vulnerability in .NET that allows an unauthenticated, remote attacker to exploit .NET webapps with malicious requests. “Similarly, CVE-2024-43639 allows an unauthenticated attacker to attack Windows Kerberos in order to gain code execution,” Reguly warned.
Microsoft Windows Users Should Update Now
With the zero-days and four critical-rated vulnerabilities included in the mix, the Patch Tuesday security updates affect Microsoft users of the Windows OS, Office, SQL Server, Exchange Server, .Net and Visual Studio. “The Microsoft Windows OS updates should be your top priority this month as they resolve both known and exploited vulnerabilities,” Chris Goettl, vice president of security product management at Ivanti, said. Microsoft Exchange Server should be a priority for organizations running Exchange Server, Goetti concluded.
