Tuesday, January 21, 2025

Microsoft Fixes 72 Flaws, Including Patch for Actively Exploited CLFS Vulnerability

Microsoft closed out its Patch Tuesday updates for 2024 with fixes for a total of 72 security flaws spanning its software portfolio, including one that it said has been exploited in the wild.

Of the 72 flaws, 17 are rated Critical, 54 are rated Important, and one is rated Moderate in severity. Thirty-one of the vulnerabilities are remote code execution flaws, and 27 of them allow for the elevation of privileges.

This is in addition to 13 vulnerabilities the company has addressed in its Chromium-based Edge browser since the release of last month's security update. In total, Microsoft has resolved as many as 1,088 vulnerabilities in 2024 alone, per Fortra.

The vulnerability that Microsoft has acknowledged as having been actively exploited is CVE-2024-49138 (CVSS score: 7.8), a privilege escalation flaw in the Windows Common Log File System (CLFS) Driver.

"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," the company said in an advisory, crediting cybersecurity company CrowdStrike for discovering and reporting the flaw.

It's worth noting that CVE-2024-49138 is the fifth actively exploited CLFS privilege escalation flaw since 2022, after CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, and CVE-2023-28252 (CVSS scores: 7.8). It's also the ninth vulnerability in the same component to be patched this year.


"Though in-the-wild exploitation details aren't known yet, looking back at the history of CLFS driver vulnerabilities, it's interesting to note that ransomware operators have developed a penchant for exploiting CLFS elevation of privilege flaws over the last few years," Satnam Narang, senior staff research engineer at Tenable, told The Hacker News.

"Unlike advanced persistent threat groups that typically focus on precision and persistence, ransomware operators and affiliates are focused on smash and grab tactics by any means necessary. By utilizing elevation of privilege flaws like this one in CLFS, ransomware affiliates can move through a given network in order to steal and encrypt data and begin extorting their victims."

The fact that CLFS has become an attractive attack pathway for malicious actors has not gone unnoticed by Microsoft, which said it is working to add a new verification step when parsing such log files.

"Instead of trying to validate individual values in logfile data structures, this security mitigation provides CLFS the ability to detect when log files have been modified by anything other than the CLFS driver itself," Microsoft noted in late August 2024. "This has been accomplished by adding Hash-based Message Authentication Codes (HMAC) to the end of the log file."
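The trailer-based integrity check Microsoft describes, modelled here as an added Python example (not Microsoft's code and not the real CLFS on-disk layout; the header bytes and key are constructed): the writer appends an HMAC over the whole log body, and the reader refuses to parse any structure whose trailer does not verify.

```python
import hashlib
import hmac
import os

# Illustrative model of the mitigation: a keyed MAC over the log body is
# appended as a trailer, so an edit made by anything other than the holder
# of the key is detected before individual fields are ever parsed.
TAG_LEN = hashlib.sha256().digest_size  # 32-byte trailer


def seal_log(body: bytes, key: bytes) -> bytes:
    """Return body followed by an HMAC-SHA256 trailer computed over body."""
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify_log(sealed: bytes, key: bytes) -> tuple[bool, bytes]:
    """Split off the trailer, recompute the HMAC and compare in constant time.

    Returns (True, body) when the trailer matches and (False, b"") otherwise,
    so the caller never parses unauthenticated log structures.
    """
    if len(sealed) < TAG_LEN:
        return False, b""
    body, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, b""
    return True, body


def tamper_demo(key: bytes) -> dict:
    """Constructed sample: a fake log header whose length field is modified."""
    body = b"CLFS-LOG-HEADER" + (0x1000).to_bytes(4, "little") + b"record-data"
    sealed = seal_log(body, key)
    ok_untouched, _ = verify_log(sealed, key)
    # A single-field edit made without the key: the trailer no longer matches.
    patched = bytearray(sealed)
    patched[15] ^= 0xFF  # first byte of the length field
    ok_patched, _ = verify_log(bytes(patched), key)
    # A truncated trailer is rejected too, not treated as "no check present".
    ok_truncated, _ = verify_log(sealed[:-1], key)
    return {"untouched": ok_untouched, "patched": ok_patched, "truncated": ok_truncated}


if __name__ == "__main__":
    print(tamper_demo(os.urandom(32)))
```

In the real driver the key never leaves the kernel; the point of the model is that field-by-field validation is replaced by one check that rejects any out-of-band modification of the file.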

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the necessary remediations by December 31, 2024.

The bug with the highest severity in this month's release is a remote code execution flaw impacting Windows Lightweight Directory Access Protocol (LDAP). It is tracked as CVE-2024-49112 (CVSS score: 9.8).

"An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through a specially crafted set of LDAP calls to execute arbitrary code within the context of the LDAP service," Microsoft said.

Also of note are three other remote code execution flaws impacting Windows Hyper-V (CVE-2024-49117, CVSS score: 8.8), Remote Desktop Client (CVE-2024-49105, CVSS score: 8.4), and Microsoft Muzic (CVE-2024-49063, CVSS score: 8.4).

The development comes as 0patch released unofficial fixes for a Windows zero-day vulnerability that allows attackers to capture NT LAN Manager (NTLM) credentials. Additional details about the flaw have been withheld until an official patch becomes available.

"The vulnerability allows an attacker to obtain user's NTLM credentials by simply having the user view a malicious file in Windows Explorer – e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker's web page," Mitja Kolsek said.

In late October, free unofficial patches were also made available to address a Windows Themes zero-day vulnerability that allows attackers to steal a target's NTLM credentials remotely.

0patch has also issued micropatches for another previously unknown vulnerability on Windows Server 2012 and Server 2012 R2 that allows an attacker to bypass Mark-of-the-Web (MotW) protections on certain types of files. The issue is believed to have been introduced over two years ago.


With NTLM coming under extensive exploitation via relay and pass-the-hash attacks, Microsoft has announced plans to deprecate the legacy authentication protocol in favor of Kerberos. Additionally, it has taken the step of enabling Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019.

Microsoft said it has rolled out a similar security improvement to Active Directory Certificate Services (AD CS) by enabling EPA by default with the release of Windows Server 2025, which also removes support for NTLM v1 and deprecates NTLM v2. These changes also apply to Windows 11 24H2.

"Furthermore, as part of the same Windows Server 2025 release, LDAP now has channel binding enabled by default," Redmond's security team said earlier this week. "These security enhancements mitigate risk of NTLM relaying attacks by default across three on-premise services: Exchange Server, Active Directory Certificate Services (AD CS), and LDAP."

"As we progress towards disabling NTLM by default, immediate, short-term changes, such as enabling EPA in Exchange Server, AD CS, and LDAP reinforce a 'secure by default' posture and safeguard users from real-world attacks."

Software Patches from Other Vendors

Outside Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —
