2 Zero-Day Bugs in Microsoft's Nov. Update Under Active Exploit

Published: 23/11/2024   Category: security




The November 2024 Patch Tuesday update contains a substantially high percentage of remote code execution (RCE) vulnerabilities (including a critical issue in Windows Kerberos), and two other zero-day bugs that have been previously disclosed and could soon come under attack.



Attackers are already actively exploiting two vulnerabilities for which Microsoft issued patches on Nov. 12 as part of its monthly security update. And they could soon begin targeting two other publicly disclosed, but as yet unexploited, flaws.
The four zero-day bugs are among a set of 89 common vulnerabilities and exposures (CVEs) that Microsoft addressed in November's Patch Tuesday. The batch contains a substantially high percentage of remote code execution (RCE) vulnerabilities, in addition to the usual collection of elevation-of-privilege flaws, spoofing vulnerabilities, security bypasses, denial-of-service issues, and other vulnerability classes. Microsoft identified eight of the flaws as issues that attackers are more likely to exploit, though researchers pointed to other flaws as well that are likely of high interest to adversaries.
Along with the November security update, Microsoft also announced its adoption of the Common Security Advisory Framework (CSAF), an OASIS standard for disclosing vulnerabilities in machine-readable form. CSAF files are meant to be consumed by computers more so than by humans, Microsoft said in a blog post. It should help organizations accelerate their vulnerability response and remediation processes, the company noted.
This is a huge win for the security community and a welcome addition to Microsoft's security pages, said Tyler Reguly, associate director of security R&D at Fortra, via email. This is a standard that has been adopted by many software vendors and it is great to see that Microsoft is following suit.
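As an added illustration of what "machine-readable" buys a response team (this is example code, not Microsoft's tooling, and the advisory document below is constructed, with a placeholder CVE id and fictional product names), the following PowerShell walks a CSAF 2.0 document and pairs each affected product with its vendor fix:

```powershell
# Added example: minimal CSAF 2.0 consumer. The JSON is CONSTRUCTED for
# illustration; the CVE id and product ids are placeholders, not real values.
$csafJson = @'
{
  "document": { "title": "Example advisory (constructed)", "tracking": { "id": "EXAMPLE-0001" } },
  "product_tree": {
    "branches": [
      { "category": "vendor", "name": "ExampleVendor", "branches": [
        { "category": "product_name", "name": "ExampleApp 1.0",
          "product": { "name": "ExampleApp 1.0", "product_id": "APP-1.0" } },
        { "category": "product_name", "name": "ExampleApp 1.1",
          "product": { "name": "ExampleApp 1.1", "product_id": "APP-1.1" } }
      ] }
    ]
  },
  "vulnerabilities": [
    { "cve": "CVE-0000-0000",
      "product_status": { "known_affected": ["APP-1.0"], "fixed": ["APP-1.1"] },
      "remediations": [ { "category": "vendor_fix", "details": "Upgrade to ExampleApp 1.1",
                          "product_ids": ["APP-1.0"] } ] }
  ]
}
'@

$csaf = $csafJson | ConvertFrom-Json

# The product tree is a nested set of branches; walk it recursively so that
# product_id values used elsewhere in the document resolve to readable names.
function Get-CsafProductMap {
    param([object[]]$Branches, [hashtable]$Map = @{})
    foreach ($b in $Branches) {
        if ($b.product)  { $Map[$b.product.product_id] = $b.product.name }
        if ($b.branches) { Get-CsafProductMap -Branches $b.branches -Map $Map | Out-Null }
    }
    return $Map
}
$products = Get-CsafProductMap -Branches $csaf.product_tree.branches

# One row per (CVE, known-affected product), joined to the vendor_fix that covers it.
foreach ($v in $csaf.vulnerabilities) {
    foreach ($pid in $v.product_status.known_affected) {
        $fix = $v.remediations |
            Where-Object { $_.category -eq 'vendor_fix' -and $_.product_ids -contains $pid } |
            Select-Object -First 1
        [pscustomobject]@{ CVE = $v.cve; Product = $products[$pid]; Remediation = $fix.details }
    }
}
```

Against a vendor's published CSAF feed the same loop produces an actionable CVE-to-product-to-fix table without anyone reading HTML advisories by hand.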
One of the zero-day bugs that attackers are already actively exploiting is CVE-2024-43451 (CVSS 6.5 out of 10), a flaw that discloses a user's NTLMv2 hash, which is used for validating credentials in Windows environments. The hashes allow attackers to authenticate as legitimate users and access applications and data to which those users have permissions. The vulnerability affects all Windows versions and requires minimal user interaction to exploit. Merely selecting or inspecting a file could trigger the vulnerability, Microsoft warned.


To my knowledge, it's the third such vulnerability that can disclose a user's NTLMv2 hash that was exploited in the wild in 2024, Satnam Narang, senior staff engineer at Tenable, wrote in an emailed comment. The other two are CVE-2024-21410 in Microsoft Exchange Server from February, and CVE-2024-38021 in Microsoft Office from July.
One thing is certain, according to Narang. Attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes.
The second bug under active exploit in Microsoft's latest update is CVE-2024-49039 (CVSS 8.8), a Windows Task Scheduler elevation-of-privilege bug that allows an attacker to execute remote procedure calls (RPC) normally available only to privileged accounts.
In this case, a successful attack could be performed from a low-privilege AppContainer, Microsoft said. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment.
The fact that it was Google's Threat Analysis Group that discovered and reported this flaw to Microsoft suggests that the attackers currently exploiting the flaw are either a nation-state-backed group or another advanced persistent threat actor, Narang said.
An attacker can perform this exploit as a low-privileged AppContainer and effectively execute RPCs that should be available only to privileged tasks, added Ben McCarthy, lead cybersecurity engineer at Immersive Labs, via email. It is unclear what RPCs are affected here, but it could give an attacker access to elevate privileges and execute code on a remote machine, as well as the machine in which they are executing the vulnerability.
One of the two already disclosed — but not yet exploited — zero-days is CVE-2024-49019 (CVSS 7.8), an elevation-of-privilege vulnerability in Active Directory Certificate Services that attackers could use to gain domain administrator access. Microsoft's advisory listed several recommendations for organizations to secure certificate templates, including removing overly broad enrollment rights for users or groups, removing unused templates, and implementing additional measures to secure templates that allow users to specify a subject in the request.
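To turn those three recommendations into a repeatable check, the following PowerShell (an added example, not Microsoft's advisory script) enumerates certificate templates from the Configuration partition and reports, per template, whether it is published on any CA, whether the enrollee-supplies-subject flag is set, and which broad groups hold an enrollment right. It assumes the ActiveDirectory module on a domain-joined host with read access to the Configuration naming context; the list of "broad" groups is an assumption to tune per environment.

```powershell
# Added example: audit AD CS templates for the conditions Microsoft's guidance targets.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is bit 0 of msPKI-Certificate-Name-Flag.
$EnrolleeSuppliesSubject = 0x1
# Extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment.
$EnrollRightGuids = @('0e10c968-78fb-11d2-90d4-00c04f79dc55',
                      'a05b8cc2-17bc-00d2-9840-00c04fc8dac7')
# Principals treated as "overly broad" enrollees (assumption; adjust to your domain).
$BroadGroups = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone')

# Templates published on at least one CA; anything not in this list is unused.
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates }

$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -Filter 'objectClass -eq "pKICertificateTemplate"' `
    -Properties 'msPKI-Certificate-Name-Flag', nTSecurityDescriptor

foreach ($t in $templates) {
    $suppliesSubject = ([int]$t.'msPKI-Certificate-Name-Flag' -band $EnrolleeSuppliesSubject) -ne 0

    # Allow ACEs that grant an enrollment extended right to one of the broad groups.
    $broadEnroll = foreach ($ace in $t.nTSecurityDescriptor.Access) {
        $isEnroll = $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                    ($ace.ObjectType.ToString() -in $EnrollRightGuids)
        # "Everyone" carries no domain prefix, so match on the trailing group name only.
        $isBroad  = $BroadGroups | Where-Object { $ace.IdentityReference.Value -like "*$_" }
        if ($ace.AccessControlType -eq 'Allow' -and $isEnroll -and $isBroad) { $ace.IdentityReference.Value }
    }

    [pscustomobject]@{
        Template                = $t.Name
        Published               = ($published -contains $t.Name)
        EnrolleeSuppliesSubject = $suppliesSubject
        BroadEnrollment         = ($broadEnroll -join ', ')
    }
}
```

Rows with EnrolleeSuppliesSubject set and a non-empty BroadEnrollment column are the templates to tighten first; rows with Published false are candidates for removal.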
Microsoft is tracking the other publicly disclosed but unexploited flaw as CVE-2024-49040 (CVSS 7.5), a Windows Exchange Server spoofing flaw. The primary issue lies in how Exchange processes ... headers, enabling attackers to construct emails that falsely appear to be from legitimate sources, Mike Walters, president and co-founder of Action1, wrote in a blog post. This capability is particularly useful for spear phishing and other forms of email-based deception.
Nearly 60% of the bugs — 52 of 89 — that Microsoft disclosed in its November update are RCE vulnerabilities that allow remote attackers to execute arbitrary code on vulnerable systems. Some allow for unauthenticated RCE, while others require an attacker to have authenticated access to exploit the bug. Most of the RCEs in Microsoft's latest update affect various versions of MS SQL Server. Other impacted technologies include MS Office 2016, MS Defender for iOS, MS Excel 2016, and Windows Server 2012, 2022, and 2025, said Will Bradle, security consultant at NetSPI, in an emailed statement.
Among the most critical of the RCEs, according to Walters, is CVE-2024-43639 in Windows Kerberos. The bug has a near-maximum CVSS severity score of 9.8 of 10 because, among other things, an unauthenticated attacker can exploit it remotely. Microsoft itself has assessed the bug as something that attackers are less likely to exploit. But putting it on the back burner for that reason could be a mistake.
Kerberos is a fundamental component of Windows environments, crucial for authenticating user and service identities, Walters added. This vulnerability turns Kerberos into a high-value target, allowing attackers to exploit the truncation flaw to craft messages that Kerberos fails to process securely, potentially enabling the execution of arbitrary code.
Bradle pointed to CVE-2024-49050 in the Visual Studio Code Python Extension as another RCE in this month's set that merits priority attention. The extension currently has over 139 million downloads and is affected by an RCE vulnerability with a base CVSS score of 8.8, he said. Microsoft has patched the VSCode extension, and updates should be installed immediately.
Immersive Labs' McCarthy also identified multiple other flaws that organizations would do well to address quickly. They include the critical CVE-2024-43498 (CVSS 9.8), an RCE in .NET and Visual Studio; CVE-2024-49019 (CVSS 7.8), an Active Directory privilege escalation flaw; CVE-2024-49033 (CVSS 7.5), a Microsoft Word security bypass flaw; and CVE-2024-43623 (CVSS 7.8), a privilege escalation flaw in the Windows NT OS kernel that enables an attacker to gain system-level access on affected systems. Importantly, Microsoft has assessed the latter vulnerability as one that attackers are more likely to exploit.
