Attackers are already actively exploiting two vulnerabilities for which Microsoft issued patches on Nov. 12 as part of its monthly security update. And they may soon begin targeting two other publicly disclosed, but as yet unexploited, flaws.
The four zero-day bugs are among a set of 89 common vulnerabilities and exposures (CVEs) that Microsoft addressed in November's Patch Tuesday. The batch contains a notably high share of remote code execution (RCE) vulnerabilities, in addition to the usual collection of elevation-of-privilege flaws, spoofing vulnerabilities, security bypasses, denial-of-service issues, and other vulnerability classes. Microsoft identified eight of the flaws as issues that attackers are more likely to exploit, though researchers pointed to other flaws as well that are potentially of high interest to adversaries.
Microsoft Adopts CSAF Standard
Along with the November security update, Microsoft also announced its adoption of the Common Security Advisory Framework (CSAF), an OASIS standard for disclosing vulnerabilities in machine-readable form. "CSAF files are meant to be consumed by computers more so than by humans," Microsoft said in a blog post. It should help organizations accelerate their vulnerability response and remediation processes, the company noted.
"This is a big win for the security community and a welcome addition to Microsoft's security pages," said Tyler Reguly, associate director of security R&D at Fortra, via email. "This is a standard that has been adopted by many software vendors and it's great to see that Microsoft is following suit."
Zero-Day Bugs Under Active Exploit
One of the zero-day bugs that attackers are already actively exploiting is CVE-2024-43451 (CVSS 6.5 out of 10), a flaw that discloses a user's NTLMv2 hash, which is used for validating credentials in Windows environments. The hashes allow attackers to authenticate as legitimate users and access applications and data to which those users have permissions. The vulnerability affects all Windows versions and requires minimal user interaction to exploit. Simply selecting or inspecting a file could trigger the vulnerability, Microsoft warned.
"To my knowledge, it's the third such vulnerability that can disclose a user's NTLMv2 hash that was exploited in the wild in 2024," Satnam Narang, senior staff engineer at Tenable, wrote in an emailed comment. The other two are CVE-2024-21410 in Microsoft Exchange Server from February, and CVE-2024-38021 in Microsoft Office from July.
"One thing is for certain," according to Narang. "Attackers continue to be adamant about finding and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes."
The second bug under active exploit in Microsoft's latest update is CVE-2024-49039 (CVSS 8.8), a Windows Task Scheduler elevation-of-privilege bug that allows an attacker to execute remote procedure calls (RPC) normally available only to privileged accounts.
"In this case, a successful attack could be performed from a low privilege AppContainer," Microsoft said. "The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment."
The fact that it was Google's Threat Analysis Group that discovered and reported this flaw to Microsoft suggests that the attackers currently exploiting the flaw are either a nation-state-backed group or another advanced persistent threat actor, Narang said.
"An attacker can perform this exploit as a low-privileged AppContainer and effectively execute RPCs that should be available only to privileged tasks," added Ben McCarthy, lead cybersecurity engineer at Immersive Labs, via email. "It's unclear what RPCs are affected here, but it could give an attacker access to elevate privileges and execute code on a remote machine, as well as the machine in which they're executing the vulnerability."
Previously Disclosed but Unexploited Zero-Days
One of the two already disclosed, but not yet exploited, zero-days is CVE-2024-49019 (CVSS 7.8), an elevation-of-privilege vulnerability in Active Directory Certificate Services that attackers could use to gain domain administrator access. Microsoft's advisory listed several recommendations for organizations to secure certificate templates, including removing overly broad enrollment rights for users or groups, removing unused templates, and implementing additional measures to secure templates that allow users to specify a subject in the request.
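An added example, not part of the article or of Microsoft's advisory: a PowerShell audit of the published certificate templates that flags the two conditions the recommendations above target, templates where the enrollee may supply the subject name and templates that grant Enroll to broad groups. The list of "broad" principals and the use of `$env:USERDOMAIN` are assumptions for illustration; the flag bit and the Certificate-Enrollment right GUID are the documented AD CS values.

```powershell
# Added audit script (not from the article or Microsoft's advisory); assumes the RSAT
# ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

# Well-known constants: bit 0x1 of msPKI-Certificate-Name-Flag is
# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT; the GUID is the Certificate-Enrollment extended right.
$CtFlagEnrolleeSuppliesSubject = 0x1
$EnrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AdRights = [System.DirectoryServices.ActiveDirectoryRights]

# Principals treated as "overly broad" for enrollment (assumed list; extend to fit your environment).
$BroadPrincipals = @('NT AUTHORITY\Authenticated Users', 'Everyone',
                     "$env:USERDOMAIN\Domain Users", "$env:USERDOMAIN\Domain Computers")

$configNC = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$templates = Get-ADObject -SearchBase $templateContainer `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Certificate-Name-Flag', 'nTSecurityDescriptor'

$report = foreach ($t in $templates) {
    $nameFlags = [int]$t.'msPKI-Certificate-Name-Flag'
    $suppliesSubject = ($nameFlags -band $CtFlagEnrolleeSuppliesSubject) -ne 0

    # Enroll is conveyed by an Allow ACE for the Certificate-Enrollment right, or by a
    # blanket ACE (ObjectType = empty GUID) that carries ExtendedRight or GenericAll.
    $broadEnroll = $t.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadPrincipals -contains $_.IdentityReference.Value -and
        ( $_.ObjectType -eq $EnrollRightGuid -or
          ( $_.ObjectType -eq [Guid]::Empty -and
            ( $_.ActiveDirectoryRights.HasFlag($AdRights::ExtendedRight) -or
              $_.ActiveDirectoryRights.HasFlag($AdRights::GenericAll) ) ) )
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    # Both conditions on one template is the combination the guidance exists to remove.
    $priority = if ($suppliesSubject -and $broadEnroll) { 'High' }
                elseif ($suppliesSubject -or $broadEnroll) { 'Medium' } else { 'Low' }
    [pscustomobject]@{
        Template                = $t.Name
        EnrolleeSuppliesSubject = $suppliesSubject
        BroadEnrollPrincipals   = ($broadEnroll -join '; ')
        ReviewPriority          = $priority
    }
}

$report | Sort-Object @{ Expression = { @{ High = 0; Medium = 1; Low = 2 }[$_.ReviewPriority] } }, Template |
    Format-Table -AutoSize
```

Whether a template is unused is not recorded on the template object, so the third recommendation (removing unused templates) still needs a check against the CA's issued-certificate log.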
Microsoft is tracking the other publicly disclosed but unexploited flaw as CVE-2024-49040 (CVSS 7.5), a Windows Exchange Server spoofing flaw. "The primary issue lies in how Exchange processes … headers, enabling attackers to construct emails that falsely appear to be from legitimate sources," Mike Walters, president and co-founder of Action1, wrote in a blog post. "This capability is particularly useful for spear phishing and other forms of email-based deception."
RCE Security Bugs Have a Big Month
Nearly 60% of the bugs, 52 of 89, that Microsoft disclosed in its November update are RCE vulnerabilities that allow remote attackers to execute arbitrary code on vulnerable systems. Some allow for unauthenticated RCE, while others require an attacker to have authenticated access to exploit the bug. Many of the RCEs in Microsoft's latest update affect various versions of MS SQL Server. Other impacted technologies include MS Office 2016, MS Defender for iOS, MS Excel 2016, and Windows Server 2012, 2022, and 2025, said Will Bradle, security consultant at NetSPI, in an emailed statement.
Among the most critical of the RCEs, according to Walters, is CVE-2024-43639 in Windows Kerberos. The bug has a near-maximum CVSS severity score of 9.8 of 10 because, among other things, an unauthenticated attacker can exploit it remotely. Microsoft itself has assessed the bug as something that attackers are less likely to exploit. But putting it on the back burner for that reason could be a mistake.
"Kerberos is a fundamental component of Windows environments, crucial for authenticating user and service identities," Walters added. "This vulnerability turns Kerberos into a high-value target, allowing attackers to exploit the truncation flaw to craft messages that Kerberos fails to process securely, potentially enabling the execution of arbitrary code."
Bradle pointed to CVE-2024-49050 in the Visual Studio Code Python Extension as another RCE in this month's set that deserves priority attention. "The extension currently has over 139 million downloads and is affected by an RCE vulnerability with a base CVSS score of 8.8," he said. "Microsoft has patched the VSCode extension, and updates should be installed immediately."
Immersive Labs' McCarthy also identified several other flaws that organizations would do well to address quickly. They include the critical CVE-2024-43498 (CVSS 9.8), an RCE in .NET and Visual Studio; CVE-2024-49019 (CVSS 7.8), an Active Directory privilege escalation flaw; CVE-2024-49033 (CVSS 7.5), a Microsoft Word security bypass flaw; and CVE-2024-43623 (CVSS 7.8), a privilege escalation flaw in the Windows NT OS kernel that enables attackers to gain system-level access on affected systems. Importantly, Microsoft has assessed the latter vulnerability as one that attackers are more likely to exploit.