Microsoft closed out its Patch Tuesday updates for 2024 with fixes for a total of 72 security flaws spanning its software portfolio, including one that it said has been exploited in the wild.
Of the 72 flaws, 17 are rated Critical, 54 are rated Important, and one is rated Moderate in severity. Thirty-one of the vulnerabilities are remote code execution flaws, and 27 of them allow for the elevation of privileges.
That is in addition to 13 vulnerabilities the company has addressed in its Chromium-based Edge browser since the release of last month's security update. In total, Microsoft has resolved as many as 1088 vulnerabilities in 2024 alone, per Fortra.
The vulnerability that Microsoft has acknowledged as having been actively exploited is CVE-2024-49138 (CVSS score: 7.8), a privilege escalation flaw in the Windows Common Log File System (CLFS) Driver.
"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," the company said in an advisory, crediting cybersecurity company CrowdStrike for discovering and reporting the flaw.
It is worth noting that CVE-2024-49138 is the fifth actively exploited CLFS privilege escalation flaw since 2022, after CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, and CVE-2023-28252 (CVSS scores: 7.8). It is also the ninth vulnerability in the same component to be patched this year.
"Though in-the-wild exploitation details aren't known yet, looking back at the history of CLFS driver vulnerabilities, it's interesting to note that ransomware operators have developed a penchant for exploiting CLFS elevation of privilege flaws over the past few years," Satnam Narang, senior staff research engineer at Tenable, told The Hacker News.
"Unlike advanced persistent threat groups that typically focus on precision and patience, ransomware operators and affiliates are focused on smash and grab tactics by any means necessary. By using elevation of privilege flaws like this one in CLFS, ransomware affiliates can move through a given network in order to steal and encrypt data and begin extorting their victims."
The fact that CLFS has become an attractive attack pathway for malicious actors has not gone unnoticed by Microsoft, which said it is working to add a new verification step when parsing such log files.
"Instead of trying to validate individual values in logfile data structures, this security mitigation provides CLFS the ability to detect when log files have been modified by anything other than the CLFS driver itself," Microsoft noted in late August 2024. "This has been accomplished by adding Hash-based Message Authentication Codes (HMAC) to the end of the log file."
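The mitigation Microsoft describes above, illustrated as an added example that is not Microsoft's CLFS code and does not reproduce the real CLFS on-disk format: a writer that holds the key seals the log body with a trailing HMAC-SHA256 tag and re-seals on every append, so any edit made by something other than that writer fails verification. The key handling, record layout and tag placement are assumptions for the demo.

```python
import hmac
import hashlib
import os

TAG_LEN = 32  # HMAC-SHA256 output size in bytes; tag is appended to the log


def seal_log(log_body: bytes, key: bytes) -> bytes:
    """Return the log body with an HMAC-SHA256 tag appended to its end."""
    tag = hmac.new(key, log_body, hashlib.sha256).digest()
    return log_body + tag


def verify_log(sealed: bytes, key: bytes) -> bool:
    """True only if the trailing tag matches the body under this key."""
    if len(sealed) < TAG_LEN:          # too short to even carry a tag
        return False
    body, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison


def append_record(sealed: bytes, record: bytes, key: bytes) -> bytes:
    """Legitimate writer path: verify first, extend the body, then re-seal."""
    if not verify_log(sealed, key):
        raise ValueError("log failed integrity check; refusing to extend it")
    return seal_log(sealed[:-TAG_LEN] + record, key)


def tamper(sealed: bytes, offset: int) -> bytes:
    """Simulate an out-of-band edit: flip one bit of a byte in the body."""
    data = bytearray(sealed)
    data[offset] ^= 0x01
    return bytes(data)


def demo() -> tuple:
    """Seal a constructed log, append to it, then show a tampered copy fails."""
    key = os.urandom(32)                       # secret held only by the writer
    log = seal_log(b"hdr:v1|rec:0001", key)    # constructed sample log body
    log = append_record(log, b"|rec:0002", key)
    ok_before = verify_log(log, key)            # untouched log verifies
    ok_after = verify_log(tamper(log, 4), key)  # edited log is detected
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```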
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply necessary remediations by December 31, 2024.
The bug with the highest severity in this month's release is a remote code execution flaw impacting Windows Lightweight Directory Access Protocol (LDAP). It is tracked as CVE-2024-49112 (CVSS score: 9.8).
"An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through a specially crafted set of LDAP calls to execute arbitrary code within the context of the LDAP service," Microsoft said.
Also of note are two other remote code execution flaws impacting Windows Hyper-V (CVE-2024-49117, CVSS score: 8.8), Remote Desktop Client (CVE-2024-49105, CVSS score: 8.4), and Microsoft Muzic (CVE-2024-49063, CVSS score: 8.4).
The development comes as 0patch released unofficial fixes for a Windows zero-day vulnerability that allows attackers to capture NT LAN Manager (NTLM) credentials. Additional details about the flaw have been withheld until an official patch becomes available.
"The vulnerability allows an attacker to obtain the user's NTLM credentials by simply having the user view a malicious file in Windows Explorer – e.g., by opening a shared folder or USB disk with such a file, or viewing the Downloads folder where such a file was previously automatically downloaded from the attacker's web page," Mitja Kolsek said.
In late October, free unofficial patches were also made available to address a Windows Themes zero-day vulnerability that allows attackers to steal a target's NTLM credentials remotely.
0patch has also issued micropatches for another previously unknown vulnerability on Windows Server 2012 and Server 2012 R2 that allows an attacker to bypass Mark-of-the-Web (MotW) protections on certain types of files. The issue is believed to have been introduced over two years ago.
With NTLM coming under extensive exploitation via relay and pass-the-hash attacks, Microsoft has announced plans to deprecate the legacy authentication protocol in favor of Kerberos. Additionally, it has taken the step of enabling Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019.
Microsoft said it has rolled out a similar security improvement to Azure Directory Certificate Services (AD CS) by enabling EPA by default with the release of Windows Server 2025, which also removes support for NTLM v1 and deprecates NTLM v2. These changes also apply to Windows 11 24H2.
"Additionally, as part of the same Windows Server 2025 release, LDAP now has channel binding enabled by default," Redmond's security team said earlier this week. "These security enhancements mitigate the risk of NTLM relaying attacks by default across three on-premise services: Exchange Server, Active Directory Certificate Services (AD CS), and LDAP."
"As we progress towards disabling NTLM by default, immediate, short-term changes, such as enabling EPA in Exchange Server, AD CS, and LDAP, reinforce a 'secure by default' posture and safeguard users from real-world attacks."
Software Patches from Other Vendors
Outside Microsoft, security updates have also been released by other vendors over the past few weeks to rectify a number of vulnerabilities, including —