Attackers are already actively exploiting two vulnerabilities for which Microsoft issued patches on Nov. 12 as part of its monthly security update. And they could soon begin targeting two other publicly disclosed, but as yet unexploited, flaws.
The four zero-day bugs are among a set of 89 common vulnerabilities and exposures (CVEs) that Microsoft addressed in November's Patch Tuesday. The batch contains an unusually high share of remote code execution (RCE) vulnerabilities, in addition to the usual mix of elevation-of-privilege flaws, spoofing vulnerabilities, security feature bypasses, denial-of-service issues, and other vulnerability classes. Microsoft flagged eight of the issues as ones that attackers are more likely to exploit, though researchers pointed to other flaws as well that are of potentially high interest to adversaries.
Microsoft Adopts CSAF Standard
Along with the November security update, Microsoft also announced its adoption of the Common Security Advisory Framework (CSAF), an OASIS standard for publishing vulnerability advisories in machine-readable (JSON) form. "CSAF files are intended to be consumed by computers more so than by humans," Microsoft said in a blog post. It should help organizations accelerate their vulnerability response and remediation processes, the company noted.
"This is a big win for the security community and a welcome addition to Microsoft's security pages," said Tyler Reguly, associate director of security R&D at Fortra, via email. "This is a standard that has been adopted by many software vendors and it's great to see that Microsoft is following suit."
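What "consumed by computers" looks like in practice: the PowerShell below, added here as an example and not code from the article or from Microsoft, reads a CSAF 2.0 document and flattens it into the rows a patch-triage queue needs (CVE, affected product, score, exploit status, vendor fix). The JSON is a constructed, minimal advisory: the field names follow the CSAF 2.0 schema, but the product names, tracking ID, CVE numbers and the "Exploited:Yes/No" wording of the threat entry are made up for illustration and are not Microsoft's actual data.

```powershell
# Added example: reduce a CSAF 2.0 advisory to triage rows. Constructed sample document below.
$csafJson = @'
{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "publisher": { "category": "vendor", "name": "Example Vendor", "namespace": "https://example.test" },
    "title": "Example November Security Update (constructed)",
    "tracking": {
      "id": "EXAMPLE-2024-11",
      "status": "final",
      "version": "1.0.0",
      "initial_release_date": "2024-11-12T00:00:00Z",
      "current_release_date": "2024-11-12T00:00:00Z",
      "revision_history": [ { "date": "2024-11-12T00:00:00Z", "number": "1.0.0", "summary": "Initial release" } ]
    }
  },
  "product_tree": {
    "branches": [
      { "category": "product_name", "name": "Example OS 11",
        "product": { "name": "Example OS 11 build 2024.11", "product_id": "OS11" } },
      { "category": "product_name", "name": "Example Server 2022",
        "product": { "name": "Example Server 2022 build 2024.11", "product_id": "SRV22" } }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-00001",
      "title": "NTLM hash disclosure (constructed entry)",
      "product_status": { "fixed": ["OS11", "SRV22"] },
      "scores": [ { "cvss_v3": { "version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM",
                    "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" },
                    "products": ["OS11", "SRV22"] } ],
      "threats": [ { "category": "exploit_status", "details": "Exploited:Yes" } ],
      "remediations": [ { "category": "vendor_fix", "details": "Install the November update",
                          "product_ids": ["OS11", "SRV22"] } ]
    },
    {
      "cve": "CVE-2024-00002",
      "title": "Kerberos remote code execution (constructed entry)",
      "product_status": { "fixed": ["SRV22"] },
      "scores": [ { "cvss_v3": { "version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL",
                    "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" },
                    "products": ["SRV22"] } ],
      "threats": [ { "category": "exploit_status", "details": "Exploited:No" } ],
      "remediations": [ { "category": "vendor_fix", "details": "Install the November update",
                          "product_ids": ["SRV22"] } ]
    }
  ]
}
'@

function ConvertFrom-CsafTriage {
    param([Parameter(Mandatory)][string]$Json)
    $doc = $Json | ConvertFrom-Json

    # product_id -> readable product name. Only top-level branches are walked here;
    # real advisories nest branches (vendor > family > product), so a production
    # parser would recurse into $b.branches as well.
    $products = @{}
    foreach ($b in $doc.product_tree.branches) {
        if ($b.product) { $products[$b.product.product_id] = $b.product.name }
    }

    foreach ($v in $doc.vulnerabilities) {
        $score     = ($v.scores | Select-Object -First 1).cvss_v3
        $exploited = ($v.threats | Where-Object category -eq 'exploit_status' | Select-Object -First 1).details
        foreach ($productId in $v.product_status.fixed) {
            $fix = $v.remediations |
                Where-Object { $_.category -eq 'vendor_fix' -and $_.product_ids -contains $productId } |
                Select-Object -First 1
            [PSCustomObject]@{
                Advisory  = $doc.document.tracking.id
                CVE       = $v.cve
                Product   = $products[$productId]
                BaseScore = $score.baseScore
                Severity  = $score.baseSeverity
                Exploited = $exploited
                Fix       = $fix.details
            }
        }
    }
}

# Exploited entries first, then by score, which is the order a patch queue usually wants.
ConvertFrom-CsafTriage -Json $csafJson |
    Sort-Object -Property @{ Expression = { $_.Exploited -eq 'Exploited:Yes' }; Descending = $true },
                          @{ Expression = 'BaseScore'; Descending = $true } |
    Format-Table -AutoSize
```

Point the same function at a vendor's real CSAF file (`Get-Content advisory.json -Raw`) and the only change needed is the recursive branch walk noted in the comment; the vulnerability, product_status and remediation fields are the same across CSAF publishers, which is the point of the standard.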
Zero-Day Bugs Under Active Exploit
One of the zero-day bugs that attackers are already actively exploiting is CVE-2024-43451 (CVSS 6.5 out of 10), a flaw that discloses a user's NTLMv2 hash, the challenge-response value Windows uses to validate credentials. An attacker who captures that hash can relay it to another service or crack it offline, and in either case authenticate as the legitimate user and reach the applications and data that user has permissions to. The vulnerability affects all supported Windows versions and requires minimal user interaction to exploit. Simply selecting or inspecting a malicious file, without opening or executing it, could trigger the vulnerability, Microsoft warned.
"To my knowledge, this is the third such vulnerability that can disclose a user's NTLMv2 hash that was exploited in the wild in 2024," Satnam Narang, senior staff research engineer at Tenable, wrote in an emailed comment. The other two are CVE-2024-21410 in Microsoft Exchange Server from February, and CVE-2024-38021 in Microsoft Office from July.
"One thing is for certain," according to Narang. "Attackers continue to be adamant about finding and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes."
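Three in-the-wild NTLMv2 leaks in a year argue for checking whether a host will hand its NTLM response to an arbitrary remote server at all, independent of which file format triggers the leak. The PowerShell below is added here as an example; it is not from the article or from Microsoft's advisory. It is a read-only posture check, and it assumes (the article does not say so) that the usual egress paths for this class are SMB on TCP 445 and WebDAV through the WebClient service; the "exposed" verdict at the end is the example's own heuristic. Run it elevated.

```powershell
# Added example: read-only check of the settings that govern outbound NTLM from a Windows host.
function Get-NtlmLeakPosture {
    $lsaMsv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

    # Policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
    # 0 = allow all, 1 = audit all, 2 = deny all. Absent means not configured (allow).
    $restrict = (Get-ItemProperty -Path $lsaMsv -Name RestrictSendingNTLMTraffic `
                    -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    $restrictText = switch ($restrict) {
        2       { 'Deny all' }
        1       { 'Audit all' }
        0       { 'Allow all' }
        default { 'Not configured (allow)' }
    }

    # Any enabled outbound firewall rule that blocks TCP 445? (assumption: SMB is an egress path)
    $smbEgressBlocked = @(
        Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and ($pf.RemotePort -contains '445')
        }
    ).Count -gt 0

    # WebDAV redirector: when it is running, a UNC path that fails over SMB is commonly retried
    # over HTTP, where the client will again answer an NTLM challenge (assumption, see lead-in).
    $webClient = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $webClientRunning = ($null -ne $webClient) -and ($webClient.Status -eq 'Running')

    [PSCustomObject]@{
        Host                 = $env:COMPUTERNAME
        OutboundNtlmPolicy   = $restrictText
        SmbEgressBlockedByFw = $smbEgressBlocked
        WebClientService     = if ($webClient) { "$($webClient.Status) ($($webClient.StartType))" } else { 'Not installed' }
        # Heuristic: exposed unless outbound NTLM is denied, or both known egress paths are closed.
        ExposedToNtlmLeak    = ($restrict -ne 2) -and ((-not $smbEgressBlocked) -or $webClientRunning)
    }
}

Get-NtlmLeakPosture | Format-List
```

A host that reports "Deny all" for the outbound NTLM policy will still emit audit events when something tries; moving from 1 (audit) to 2 (deny) after reviewing those events is the usual rollout order, since denying NTLM outright breaks legacy shares and some appliances.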
The second bug under active exploit in Microsoft's latest update is CVE-2024-49039 (CVSS 8.8), a Windows Task Scheduler elevation-of-privilege bug that allows an attacker to execute remote procedure calls (RPCs) normally available only to privileged accounts.
"In this case, a successful attack could be performed from a low privilege AppContainer," Microsoft said. "The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment."
The fact that it was Google's Threat Analysis Group that discovered and reported this flaw to Microsoft suggests that the attackers currently exploiting it are either a nation-state-backed group or another advanced persistent threat actor, Narang said.
"An attacker can perform this exploit as a low-privileged AppContainer and effectively execute RPCs that should be available only to privileged tasks," added Ben McCarthy, lead cybersecurity engineer at Immersive Labs, via email. "It's unclear what RPCs are affected here, but it could give an attacker access to elevate privileges and execute code on a remote machine, as well as the machine in which they're executing the vulnerability."
Previously Disclosed but Unexploited Zero-Days
One of the two already disclosed, but not yet exploited, zero-days is CVE-2024-49019 (CVSS 7.8), an elevation-of-privilege vulnerability in Active Directory Certificate Services that attackers could use to gain domain administrator access. Microsoft's advisory listed several recommendations for securing certificate templates, including removing overly broad enrollment rights for users or groups, removing unused templates, and adding further controls to templates that allow the enrollee to specify a subject in the request.
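The hardening guidance above is concrete enough to audit for. The PowerShell below is added here as an example; it is not from the article or from Microsoft's advisory. It lists every certificate template in the forest that either lets the enrollee supply the subject name (the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit, 0x1, in msPKI-Certificate-Name-Flag) or grants Enroll/AutoEnroll to broad groups. Which principals count as "broad", and the choice to also flag GenericAll, are the example's own assumptions; it needs the RSAT ActiveDirectory module and read access to the Configuration partition.

```powershell
# Added example: find certificate templates that match the advisory's two risk conditions.
Import-Module ActiveDirectory

$ENROLLEE_SUPPLIES_SUBJECT = 0x1          # bit in msPKI-Certificate-Name-Flag
$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$AllExtendedRights = '00000000-0000-0000-0000-000000000000'
# Well-known control-access-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment
$EnrollRightGuids = @('0e10c968-78fb-11d2-90d4-00c04f79dc55', 'a05b8cc2-17bc-4802-a710-e7c15ab866a2')
# Principals treated as "overly broad" for this audit (assumption; extend for your environment)
$BroadPrincipals = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone', 'Users')

$configNC = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$templates = Get-ADObject -SearchBase $templateContainer `
    -Filter 'objectClass -eq "pKICertificateTemplate"' `
    -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Template-Schema-Version', 'pKIExtendedKeyUsage', 'nTSecurityDescriptor'

$findings = foreach ($t in $templates) {
    $nameFlag = [int]$t.'msPKI-Certificate-Name-Flag'
    $enrolleeSuppliesSubject = ($nameFlag -band $ENROLLEE_SUPPLIES_SUBJECT) -ne 0

    # An ACE grants enrollment if it is GenericAll, or ExtendedRight scoped to the
    # Enroll/AutoEnroll GUID (or to all extended rights via the null GUID).
    $broadEnrollers = $t.nTSecurityDescriptor.Access |
        Where-Object {
            $rights = $_.ActiveDirectoryRights
            $objectType = $_.ObjectType.ToString()
            $grantsEnroll = (($rights -band $GenericAll) -eq $GenericAll) -or
                            ((($rights -band $ExtendedRight) -ne 0) -and
                             ($objectType -eq $AllExtendedRights -or $objectType -in $EnrollRightGuids))
            $principal = $_.IdentityReference.Value -replace '^.*\\', ''
            $_.AccessControlType -eq 'Allow' -and $grantsEnroll -and ($BroadPrincipals -contains $principal)
        } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    if ($enrolleeSuppliesSubject -or $broadEnrollers) {
        [PSCustomObject]@{
            Template                = $t.Name
            SchemaVersion           = $t.'msPKI-Template-Schema-Version'
            EnrolleeSuppliesSubject = $enrolleeSuppliesSubject
            BroadEnrollRights       = ($broadEnrollers -join ', ')
            EKUs                    = ($t.pKIExtendedKeyUsage -join ', ')
        }
    }
}

# Templates that combine both conditions sort to the top.
$findings | Sort-Object EnrolleeSuppliesSubject, BroadEnrollRights -Descending | Format-Table -AutoSize
```

Each row is one template to review against the advisory's list: drop the broad Enroll ACE, retire the template if nothing issues from it, or, where the enrollee genuinely must supply the subject, put CA manager approval or an authorized-signature requirement in front of it.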
Microsoft is tracking the other publicly disclosed but unexploited flaw as CVE-2024-49040 (CVSS 7.5), a Microsoft Exchange Server spoofing flaw. "The primary issue lies in how Exchange processes … headers, enabling attackers to construct emails that falsely appear to be from legitimate sources," Mike Walters, president and co-founder of Action1, wrote in a blog post. "This capability is particularly useful for spear phishing and other forms of email-based deception."
RCE Security Bugs Have a Big Month
Nearly 60% of the bugs, 52 of 89, that Microsoft disclosed in its November update are RCE vulnerabilities that allow remote attackers to execute arbitrary code on vulnerable systems. Some allow unauthenticated RCE, while others require an attacker to have authenticated access to exploit the bug. Many of the RCEs in Microsoft's latest update affect various versions of MS SQL Server. Other impacted technologies include MS Office 2016, MS Defender for iOS, MS Excel 2016, and Windows Server 2012, 2022, and 2025, said Will Bradle, security consultant at NetSPI, in an emailed statement.
Among the most significant of the RCEs, according to Walters, is CVE-2024-43639 in Windows Kerberos. The bug has a near-maximum CVSS severity score of 9.8 out of 10 because, among other things, an unauthenticated attacker can exploit it remotely. Microsoft itself has assessed the bug as one that attackers are less likely to exploit. But putting it on the back burner for that reason could be a mistake.
"Kerberos is a fundamental component of Windows environments, crucial for authenticating user and service identities," Walters added. "This vulnerability turns Kerberos into a high-value target, allowing attackers to exploit the truncation flaw to craft messages that Kerberos fails to process securely, potentially enabling the execution of arbitrary code."
Bradle pointed to CVE-2024-49050 in the Visual Studio Code Python Extension as another RCE in this month's set that deserves priority attention. "The extension currently has over 139 million downloads and is affected by an RCE vulnerability with a base CVSS score of 8.8," he said. "Microsoft has patched the VSCode extension, and updates should be installed immediately."
Immersive Labs' McCarthy also identified several other flaws that organizations would do well to address quickly. They include the critical CVE-2024-43498 (CVSS 9.8), an RCE in .NET and Visual Studio; CVE-2024-49019 (CVSS 7.8), the Active Directory Certificate Services privilege escalation flaw discussed above; CVE-2024-49033 (CVSS 7.5), a Microsoft Word security feature bypass; and CVE-2024-43623 (CVSS 7.8), a privilege escalation flaw in the Windows NT OS kernel that allows an attacker to gain SYSTEM-level access on affected machines. Importantly, Microsoft has assessed the latter vulnerability as one that attackers are more likely to exploit.