Attackers are already actively exploiting two vulnerabilities for which Microsoft issued patches on Nov. 12 as a part of its month-to-month safety replace. And so they may quickly start focusing on two different publicly disclosed, however as but unexploited, flaws.
The 4 zero-day bugs are amongst a set of 89 frequent vulnerabilities and exposures (CVEs) that Microsoft addressed in November’s Patch Tuesday. The batch accommodates a considerably excessive share of distant code execution (RCE) vulnerabilities, along with the same old assortment of elevation of privileges flaws, spoofing vulnerabilities, safety bypass, denial-of-service points, and different vulnerability lessons. Microsoft recognized eight of the issues as points that attackers usually tend to exploit, although researchers pointed to different flaws as nicely which might be of possible of excessive curiosity to adversaries.
Microsoft Adopts CSAF Customary
Together with the November safety replace, Microsoft additionally introduced its adoption of Frequent Safety Advisory Framework (CSAF), an OASIS commonplace for disclosing vulnerabilities in machine-readable type. “CSAF recordsdata are supposed to be consumed by computer systems extra so than by people,” Microsoft stated in a weblog put up. It ought to assist organizations speed up their vulnerability response and remediation processes, the corporate famous.
“This can be a big win for the safety neighborhood and a welcome addition to Microsoft’s safety pages,” stated Tyler Reguly, affiliate director of safety R&D at Fortra, by way of e-mail. “This can be a commonplace that has been adopted by many software program distributors and it’s nice to see that Microsoft is following go well with.”
Zero-Day Bugs Below Lively Exploit
One of many zero-day bugs that attackers are already actively exploiting is CVE-2024-43451 (CVSS 6.5 out of 10), a flaw that discloses a consumer’s NTLMv2 hash for validating credentials in Home windows environments. The hashes permit attackers to authenticate as reputable customers, and entry functions and information to which they’ve permissions. The vulnerability impacts all Home windows variations and requires minimal consumer interplay to use. Merely choosing or inspecting a file may set off the vulnerability, Microsoft warned.
______________________________
Do not miss the upcoming free Darkish Studying Digital Occasion, “Know Your Enemy: Understanding Cybercriminals and Nation-State Risk Actors,” Nov. 14 at 11 a.m. ET. Do not miss classes on understanding MITRE ATT&CK, utilizing proactive safety as a weapon, and a masterclass in incident response; and a bunch of prime audio system like Larry Larsen from the Navy Credit score Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Learn of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!
______________________________
“To my data, it is the third such vulnerability that may disclose a consumer’s NTLMv2 hash that was exploited within the wild in 2024,” Satnam Narang, senior workers engineer at Tenable, wrote in an emailed remark. The opposite two are CVE-2024-21410 in Microsoft Alternate Server from February, and CVE-2024-38021 in Microsoft Workplace from July.
“One factor is for certain,” in accordance with Narang. “Attackers proceed to be adamant about discovering and exploiting zero-day vulnerabilities that may disclose NTLMv2 hashes.”
The second bug beneath energetic exploit in Microsoft’s newest replace is CVE-2024-49039 (CVSS 8.8), a Home windows Process Scheduler elevation of privilege bug that enables an attacker to execute distant process calls (RPC) usually accessible solely to privileged accounts.
“On this case, a profitable assault may very well be carried out from a low privilege AppContainer,” Microsoft stated. “The attacker may elevate their privileges and execute code or entry assets at a better integrity stage than that of the AppContainer execution atmosphere.”
The truth that it was Google’s Risk Evaluation Group that found and reported this flaw to Microsoft means that the attackers at the moment exploiting the flaw are both a nation-state-backed group or different superior persistent menace actor, Narang stated.
“An attacker can carry out this exploit as a low-privileged AppContainer and successfully execute RPCs that ought to be accessible solely to privileged duties,” added Ben McCarthy, lead cybersecurity engineer at Immersive Labs, by way of e-mail. “It’s unclear what RPCs are affected right here, but it surely may give an attacker entry to raise privileges and execute code on a distant machine, in addition to the machine during which they’re executing the vulnerability.”
Beforehand Disclosed however Unexploited Zero-Days
One of many two already disclosed — however not but exploited — zero-days is CVE-2024-49019 (CVSS 7.8), an elevation-of-privilege vulnerability in Lively Listing Certificates Providers that attackers may use to realize area administrator entry. Microsoft’s advisory listed a number of suggestions for organizations to safe certificates templates, together with eradicating overly broad enrollment rights for customers or teams, eradicating unused templates, and implementing further measures to safe templates that permit customers to specify a topic within the request. Â
Microsoft is monitoring the opposite publicly disclosed however unexploited flaw as CVE-2024-49040 (CVSS 7.5), a Home windows Alternate Server spoofing flaw. “The first challenge lies in how Alternate processes … headers, enabling attackers to assemble emails that falsely seem like from reputable sources,” Mike Walters, president and co-founder of Action1, wrote in a weblog put up. “This functionality is especially helpful for spear phishing and different types of email-based deception.”
RCE Safety Bugs Have a Huge Month
Practically 60% of the bugs — 52 of 89 — that Microsoft disclosed in its November replace are RCE vulnerabilities that permit distant attackers to execute arbitrary code on weak programs. Some permit for unauthenticated RCE, whereas others require an attacker to have authenticated entry to use the bug. Many of the RCEs in Microsoft’s newest replace have an effect on numerous variations of MS SQL Server. Different impacted applied sciences embrace MS Workplace 2016, MS Defender for iOS, MS Excel 2016, and Home windows Server 2012, 2022, and 2025, stated Will Bradle, safety guide at NetSPI, in an emailed assertion.
Among the many most crucial of the RCEs, in accordance with Walters, is CVE-2024-43639 in Home windows Kerberos. The bug has a near-maximum CVSS severity rating of 9.8 of 10 as a result of, amongst different issues, an unauthenticated attacker can exploit it remotely. Microsoft itself has assessed the bug as one thing that attackers are much less more likely to exploit. However placing it on the again burner for that purpose may very well be a mistake.
“Kerberos is a basic element of Home windows environments, essential for authenticating consumer and repair identities,” Walters added. “This vulnerability turns Kerberos right into a high-value goal, permitting attackers to use the truncation flaw to craft messages that Kerberos fails to course of securely, doubtlessly enabling the execution of arbitrary code.”
Bradle pointed to CVE-2024-49050 in Visible Studio Code Python Extension as one other RCE on this month’s set that deserves precedence consideration. “The extension at the moment has over 139 million downloads and is affected by an RCE vulnerability with a base CVSS rating of 8.8,” he stated. “Microsoft has patched the VSCode extension, and updates ought to be put in instantly.”
Immersive Labs’ McCarthy additionally recognized a number of different flaws that organizations would do nicely to deal with shortly. They embrace the essential CVE-2024-43498 (CVSS 9.8), an RCE in .NET and Visible Studio; CVE-2024-49019 (CVSS 7.8), an Lively Listing privilege escalation flaw; CVE-2024-49033 (CVSS 7.5), a Microsoft Phrase safety bypass flaw; and CVE-2024-43623 (CVSS 7.8), a privilege escalation flaw within the Home windows NT OS kernel that allows attacker to realize system stage entry on affected programs. Importantly, Microsoft has assessed the latter vulnerability as one which attackers usually tend to exploit.
