This week, Microsoft confirmed a significant discovery of security vulnerabilities affecting users of its products. In the latest Patch Tuesday update, Microsoft addressed over 90 security issues, including four zero-day vulnerabilities. Of these, two are actively being exploited by threat actors. Here’s what you need to know.
Microsoft’s Definition of Zero-Day Vulnerabilities
Microsoft has a unique way of defining zero-day threats. While most security professionals define a zero-day as a vulnerability that has been exploited before it is publicly discovered, Microsoft includes both publicly disclosed vulnerabilities and those under active attack. For the November 2024 Patch Tuesday, Microsoft listed four zero-day vulnerabilities, with two of them confirmed to be actively exploited at the time of the disclosure on November 12. Notably, one of these vulnerabilities has both been publicly disclosed and is under active attack.
Details on the Active Zero-Day Vulnerabilities
- CVE-2024-43451: NT LAN Manager Hash Disclosure Vulnerability
- This vulnerability allows an attacker to expose part of the NTLM authentication protocol, potentially enabling them to authenticate as the user.
- Ryan Braunstein, Security Operations Team Lead at Automox, explained that the vulnerability requires user interaction, such as opening a specially crafted file through phishing attempts.
- This vulnerability is confirmed to be under active exploitation.
- CVE-2024-49039: Windows Task Scheduler Elevation of Privilege Vulnerability
- This vulnerability could allow an attacker to elevate their privileges on a targeted Windows system by exploiting Remote Procedure Call (RPC) functions.
- Henry Smith, Senior Security Engineer at Automox, stated that the attacker would need to first gain access to the system and then run a malicious application to exploit this vulnerability. Patching is the most effective strategy, as functional exploit code is already available.
Two High-Severity Vulnerabilities Rated 9.8 on the Impact Scale
Two vulnerabilities in the November Patch Tuesday release have been rated 9.8 on the Common Vulnerability Scoring System (CVSS) impact severity scale, indicating their critical nature:
- CVE-2024-43498: .NET Vulnerability
- This flaw allows an unauthenticated, remote attacker to exploit .NET web applications with malicious requests, posing a severe risk.
- CVE-2024-43639: Windows Kerberos Vulnerability
- This vulnerability allows an unauthenticated attacker to target Windows Kerberos, potentially gaining code execution on the affected system.
Tyler Reguly, Associate Director of Security Research and Development at Fortra, emphasized that while CVSS scores don’t indicate risk directly, a score of 9.8 is typically indicative of a serious security issue.
Urgent Updates for Microsoft Users
The Patch Tuesday updates address critical vulnerabilities across several Microsoft products, including the Windows OS, Office, SQL Server, Exchange Server, .NET, and Visual Studio. Chris Goettl, Vice President of Security Product Management at Ivanti, advises that Microsoft Windows OS updates should be the top priority for users, as they resolve both known and actively exploited vulnerabilities. Additionally, organizations running Microsoft Exchange Server should prioritize updating those systems as well.
