Microsoft Corp. right now pushed software program updates to plug greater than 70 safety holes in its Home windows working programs and associated merchandise, together with two zero-day vulnerabilities which are already being exploited in lively assaults.
High of the heap on this Fats Patch Tuesday is CVE-2024-21412, a “safety function bypass” in the way in which Home windows handles Web Shortcut Information that Microsoft says is being focused in lively exploits. Redmond’s advisory for this bug says an attacker would want to persuade or trick a consumer into opening a malicious shortcut file.
Researchers at Pattern Micro have tied the continued exploitation of CVE-2024-21412 to a sophisticated persistent risk group dubbed “Water Hydra,” which they are saying has being utilizing the vulnerability to execute a malicious Microsoft Installer File (.msi) that in flip unloads a distant entry trojan (RAT) onto contaminated Home windows programs.
The opposite zero-day flaw is CVE-2024-21351, one other safety function bypass — this one within the built-in Home windows SmartScreen element that tries to display out doubtlessly malicious recordsdata downloaded from the Internet. Kevin Breen at Immersive Labs says it’s essential to notice that this vulnerability alone is just not sufficient for an attacker to compromise a consumer’s workstation, and as a substitute would probably be used at the side of one thing like a spear phishing assault that delivers a malicious file.
Satnam Narang, senior workers analysis engineer at Tenable, stated that is the fifth vulnerability in Home windows SmartScreen patched since 2022 and all 5 have been exploited within the wild as zero-days. They embody CVE-2022-44698 in December 2022, CVE-2023-24880 in March 2023, CVE-2023-32049 in July 2023 and CVE-2023-36025 in November 2023.
Narang known as particular consideration to CVE-2024-21410, an “elevation of privilege” bug in Microsoft Change Server that Microsoft says is prone to be exploited by attackers. Assaults on this flaw would result in the disclosure of NTLM hashes, which might be leveraged as a part of an NTLM relay or “cross the hash” assault, which lets an attacker masquerade as a authentic consumer with out ever having to log in.
“We all know that flaws that may disclose delicate info like NTLM hashes are very precious to attackers,” Narang stated. “A Russian-based risk actor leveraged the same vulnerability to hold out assaults – CVE-2023-23397 is an Elevation of Privilege vulnerability in Microsoft Outlook patched in March 2023.”
Microsoft notes that previous to its Change Server 2019 Cumulative Replace 14 (CU14), a safety function known as Prolonged Safety for Authentication (EPA), which supplies NTLM credential relay protections, was not enabled by default.
“Going ahead, CU14 allows this by default on Change servers, which is why it is very important improve,” Narang stated.
Rapid7’s lead software program engineer Adam Barnett highlighted CVE-2024-21413, a crucial distant code execution bug in Microsoft Workplace that might be exploited simply by viewing a specially-crafted message within the Outlook Preview pane.
“Microsoft Workplace sometimes shields customers from a wide range of assaults by opening recordsdata with Mark of the Internet in Protected View, which suggests Workplace will render the doc with out fetching doubtlessly malicious exterior assets,” Barnett stated. “CVE-2024-21413 is a crucial RCE vulnerability in Workplace which permits an attacker to trigger a file to open in modifying mode as if the consumer had agreed to belief the file.”
Barnett burdened that directors chargeable for Workplace 2016 installations who apply patches exterior of Microsoft Replace ought to notice the advisory lists no fewer than 5 separate patches which have to be put in to attain remediation of CVE-2024-21413; particular person replace information base (KB) articles additional notice that partially-patched Workplace installations might be blocked from beginning till the proper mixture of patches has been put in.
It’s a good suggestion for Home windows end-users to remain present with safety updates from Microsoft, which might rapidly pile up in any other case. That doesn’t imply it’s important to set up them on Patch Tuesday. Certainly, ready a day or three earlier than updating is a sane response, provided that generally updates go awry and normally inside just a few days Microsoft has fastened any points with its patches. It’s additionally sensible to again up your knowledge and/or picture your Home windows drive earlier than making use of new updates.
For a extra detailed breakdown of the person flaws addressed by Microsoft right now, try the SANS Web Storm Middle’s listing. For these admins chargeable for sustaining bigger Home windows environments, it typically pays to control Askwoody.com, which continuously factors out when particular Microsoft updates are creating issues for numerous customers.
