Attackers are already actively exploiting two vulnerabilities for which Microsoft issued patches on Nov. 12 as part of its monthly security update. And they could soon begin targeting two other publicly disclosed, but as yet unexploited, flaws.
The four zero-day bugs are among a set of 89 common vulnerabilities and exposures (CVEs) that Microsoft addressed in November's Patch Tuesday. The batch contains a notably high share of remote code execution (RCE) vulnerabilities, along with the usual assortment of elevation-of-privilege flaws, spoofing vulnerabilities, security bypasses, denial-of-service issues, and other vulnerability classes. Microsoft identified eight of the problems as issues that attackers are more likely to exploit, though researchers pointed to other flaws as well that are likely of high interest to adversaries.
Microsoft Adopts CSAF Standard
Along with the November security update, Microsoft also announced its adoption of the Common Security Advisory Framework (CSAF), an OASIS standard for disclosing vulnerabilities in machine-readable form. "CSAF files are meant to be consumed by computers more so than by humans," Microsoft said in a blog post. It should help organizations accelerate their vulnerability response and remediation processes, the company noted.
"This is a huge win for the security community and a welcome addition to Microsoft's security pages," said Tyler Reguly, associate director of security R&D at Fortra, via email. "It is a standard that has been adopted by many software vendors and it's great to see that Microsoft is following suit."
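What "consumed by computers" looks like in practice: the following added example (not Microsoft's code and not from the article) reads a CSAF 2.0 document and turns it into a prioritised patch list. The advisory embedded in it is constructed for the demo: the field names follow the CSAF 2.0 schema (`document`, `product_tree`, `vulnerabilities`, `product_status.known_affected`, `scores[].cvss_v3`, `threats[].category == "exploit_status"`, `remediations[].category`), the CVE numbers and CVSS base scores are the ones the article quotes, and the product IDs, product names and remediation wording are placeholders.

```python
"""Triage a CSAF 2.0 advisory into a prioritised patch list.

Added example, not Microsoft's code. The advisory embedded below is
constructed for this demo: field names follow the CSAF 2.0 schema
(document / product_tree / vulnerabilities), but the product IDs and
names are placeholders and the threat/remediation text is made up.
"""
import json
from typing import Dict, List

# Constructed sample advisory (not a real vendor file). CVE numbers and
# CVSS base scores match the article; remediation categories are chosen
# only to exercise the vendor_fix check and do not describe the real fixes.
SAMPLE_CSAF = json.dumps({
    "document": {
        "category": "csaf_security_advisory",
        "title": "Constructed sample advisory",
        "tracking": {"id": "SAMPLE-2024-11",
                     "current_release_date": "2024-11-12T00:00:00Z"},
    },
    "product_tree": {
        # Flat list form ...
        "full_product_names": [
            {"product_id": "PID-1", "name": "Placeholder Windows build A"},
            {"product_id": "PID-2", "name": "Placeholder Windows build B"},
        ],
        # ... and the nested branch form; real files may use either or both.
        "branches": [{"category": "vendor", "name": "Placeholder vendor",
                      "branches": [{"category": "product_name",
                                    "name": "Placeholder editor extension",
                                    "product": {"product_id": "PID-3",
                                                "name": "Placeholder editor extension 1.0"}}]}],
    },
    "vulnerabilities": [
        {"cve": "CVE-2024-43451",
         "product_status": {"known_affected": ["PID-1", "PID-2"]},
         "scores": [{"products": ["PID-1", "PID-2"],
                     "cvss_v3": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}],
         "threats": [{"category": "exploit_status",
                      "details": "Exploited: yes (constructed wording)"}],
         "remediations": [{"category": "vendor_fix", "details": "Install the update",
                           "product_ids": ["PID-1", "PID-2"]}]},
        {"cve": "CVE-2024-43639",
         "product_status": {"known_affected": ["PID-2"]},
         "scores": [{"products": ["PID-2"],
                     "cvss_v3": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}],
         "remediations": [{"category": "vendor_fix", "details": "Install the update",
                           "product_ids": ["PID-2"]}]},
        {"cve": "CVE-2024-49050",
         "product_status": {"known_affected": ["PID-3"]},
         "scores": [{"products": ["PID-3"],
                     "cvss_v3": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH"}}],
         "remediations": [{"category": "workaround", "details": "constructed: disable the extension",
                           "product_ids": ["PID-3"]}]},
    ],
})


def load_csaf(text: str) -> dict:
    """Parse the JSON and reject anything that is not shaped like a CSAF document."""
    doc = json.loads(text)
    if not isinstance(doc.get("document"), dict) or "tracking" not in doc["document"]:
        raise ValueError("not a CSAF document: missing document.tracking")
    return doc


def product_names(doc: dict) -> Dict[str, str]:
    """Map product_id -> name from both the flat list and the nested branches."""
    names: Dict[str, str] = {}
    tree = doc.get("product_tree", {})
    for fpn in tree.get("full_product_names", []):
        names[fpn["product_id"]] = fpn["name"]

    def walk(branches: list) -> None:
        for branch in branches:
            product = branch.get("product")
            if product:
                names[product["product_id"]] = product["name"]
            walk(branch.get("branches", []))

    walk(tree.get("branches", []))
    return names


def max_cvss(vuln: dict) -> float:
    """Highest CVSS v3 base score over all score entries; 0.0 if none is given."""
    return max((s["cvss_v3"]["baseScore"] for s in vuln.get("scores", []) if "cvss_v3" in s),
               default=0.0)


def triage(doc: dict, min_score: float = 0.0) -> List[dict]:
    """One row per vulnerability scoring at least min_score.

    Rows carrying an exploit_status threat note sort first (CSAF defines no
    boolean here, so the vendor's wording in the note still has to be read),
    then by CVSS base score descending.
    """
    names = product_names(doc)
    rows = []
    for vuln in doc.get("vulnerabilities", []):
        score = max_cvss(vuln)
        if score < min_score:
            continue
        notes = [t.get("details", "") for t in vuln.get("threats", [])
                 if t.get("category") == "exploit_status"]
        affected = vuln.get("product_status", {}).get("known_affected", [])
        rows.append({
            "cve": vuln.get("cve"),
            "score": score,
            "exploit_status": notes,
            "affected": [names.get(pid, pid) for pid in affected],
            "vendor_fix": any(r.get("category") == "vendor_fix"
                              for r in vuln.get("remediations", [])),
        })
    rows.sort(key=lambda r: (not r["exploit_status"], -r["score"]))
    return rows


if __name__ == "__main__":
    for row in triage(load_csaf(SAMPLE_CSAF)):
        flag = "EXPLOIT NOTE" if row["exploit_status"] else ""
        fix = "vendor fix" if row["vendor_fix"] else "NO VENDOR FIX"
        print(f'{row["cve"]:16} {row["score"]:4} {fix:14} {flag:12} {", ".join(row["affected"])}')
```

The point of resolving `product_id` values to names is that a real CSAF file lists products only by ID in `known_affected`; the triage output is what you would join against an asset inventory. Filtering by `min_score` alone would have dropped CVE-2024-43451 (6.5), which is exactly the bug the article says is being exploited, which is why the exploit-status note outranks the score in the sort.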
Zero-Day Bugs Under Active Exploit
One of the zero-day bugs that attackers are already actively exploiting is CVE-2024-43451 (CVSS 6.5 out of 10), a flaw that discloses a user's NTLMv2 hash, which is used for validating credentials in Windows environments. The hashes allow attackers to authenticate as legitimate users and access the applications and data to which those users have permissions. The vulnerability affects all Windows versions and requires minimal user interaction to exploit. Simply selecting or inspecting a file could trigger the vulnerability, Microsoft warned.
"To my knowledge, it's the third such vulnerability that can disclose a user's NTLMv2 hash that was exploited in the wild in 2024," Satnam Narang, senior staff engineer at Tenable, wrote in an emailed comment. The other two are CVE-2024-21410 in Microsoft Exchange Server from February, and CVE-2024-38021 in Microsoft Office from July.
"One thing is certain," according to Narang. "Attackers continue to be adamant about finding and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes."
The second bug under active exploit in Microsoft's latest update is CVE-2024-49039 (CVSS 8.8), a Windows Task Scheduler elevation-of-privilege bug that allows an attacker to execute remote procedure calls (RPC) normally accessible only to privileged accounts.
"In this case, a successful attack could be performed from a low privilege AppContainer," Microsoft said. "The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment."
The fact that it was Google's Threat Analysis Group that discovered and reported this flaw to Microsoft suggests that the attackers currently exploiting the flaw are either a nation-state-backed group or another advanced persistent threat actor, Narang said.
"An attacker can perform this exploit as a low-privileged AppContainer and effectively execute RPCs that should be accessible only to privileged tasks," added Ben McCarthy, lead cybersecurity engineer at Immersive Labs, via email. "It's unclear what RPCs are affected here, but it could give an attacker access to elevate privileges and execute code on a remote machine, as well as the machine in which they're executing the vulnerability."
Previously Disclosed but Unexploited Zero-Days
One of the two already disclosed — but not yet exploited — zero-days is CVE-2024-49019 (CVSS 7.8), an elevation-of-privilege vulnerability in Active Directory Certificate Services that attackers could use to gain domain administrator access. Microsoft's advisory listed several recommendations for organizations to secure certificate templates, including removing overly broad enrollment rights for users or groups, removing unused templates, and implementing additional measures to secure templates that allow users to specify a subject in the request.
Microsoft is tracking the other publicly disclosed but unexploited flaw as CVE-2024-49040 (CVSS 7.5), a Windows Exchange Server spoofing flaw. "The primary issue lies in how Exchange processes … headers, enabling attackers to construct emails that falsely appear to be from legitimate sources," Mike Walters, president and co-founder of Action1, wrote in a blog post. "This capability is particularly useful for spear phishing and other forms of email-based deception."
RCE Security Bugs Have a Big Month
Nearly 60% of the bugs — 52 of 89 — that Microsoft disclosed in its November update are RCE vulnerabilities that allow remote attackers to execute arbitrary code on vulnerable systems. Some allow for unauthenticated RCE, while others require an attacker to have authenticated access to exploit the bug. Many of the RCEs in Microsoft's latest update affect various versions of MS SQL Server. Other impacted technologies include MS Office 2016, MS Defender for iOS, MS Excel 2016, and Windows Server 2012, 2022, and 2025, said Will Bradle, security consultant at NetSPI, in an emailed statement.
Among the most critical of the RCEs, according to Walters, is CVE-2024-43639 in Windows Kerberos. The bug has a near-maximum CVSS severity score of 9.8 of 10 because, among other things, an unauthenticated attacker can exploit it remotely. Microsoft itself has assessed the bug as one that attackers are less likely to exploit. But putting it on the back burner for that reason could be a mistake.
"Kerberos is a fundamental component of Windows environments, critical for authenticating user and service identities," Walters added. "This vulnerability turns Kerberos into a high-value target, allowing attackers to exploit the truncation flaw to craft messages that Kerberos fails to process securely, potentially enabling the execution of arbitrary code."
Bradle pointed to CVE-2024-49050 in the Visual Studio Code Python Extension as another RCE in this month's set that deserves priority attention. "The extension currently has over 139 million downloads and is affected by an RCE vulnerability with a base CVSS score of 8.8," he said. "Microsoft has patched the VSCode extension, and updates should be installed immediately."
Immersive Labs' McCarthy also identified several other flaws that organizations would do well to address quickly. They include the critical CVE-2024-43498 (CVSS 9.8), an RCE in .NET and Visual Studio; CVE-2024-49019 (CVSS 7.8), an Active Directory privilege escalation flaw; CVE-2024-49033 (CVSS 7.5), a Microsoft Word security bypass flaw; and CVE-2024-43623 (CVSS 7.8), a privilege escalation flaw in the Windows NT OS kernel that allows attackers to gain system-level access on affected systems. Importantly, Microsoft has assessed the latter vulnerability as one that attackers are more likely to exploit.