Microsoft Fixes 72 Flaws, Including Patch for Actively Exploited CLFS Vulnerability

Microsoft closed out its Patch Tuesday updates for 2024 with fixes for a total of 72 security flaws spanning its software portfolio, including one that it said has been exploited in the wild.

Of the 72 flaws, 17 are rated Critical, 54 are rated Important, and one is rated Moderate in severity. Thirty-one of the vulnerabilities are remote code execution flaws, and 27 of them allow for the elevation of privileges.

That is in addition to 13 vulnerabilities the company has addressed in its Chromium-based Edge browser since the release of last month’s security update. In total, Microsoft has resolved as many as 1,088 vulnerabilities in 2024 alone, per Fortra.

The vulnerability that Microsoft has acknowledged as having been actively exploited is CVE-2024-49138 (CVSS score: 7.8), a privilege escalation flaw in the Windows Common Log File System (CLFS) Driver.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” the company said in an advisory, crediting cybersecurity firm CrowdStrike for discovering and reporting the flaw.

It is worth noting that CVE-2024-49138 is the fifth actively exploited CLFS privilege escalation flaw since 2022, after CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, and CVE-2023-28252 (CVSS scores: 7.8). It is also the ninth vulnerability in the same component to be patched this year.


“Though in-the-wild exploitation details aren’t known yet, looking back at the history of CLFS driver vulnerabilities, it is interesting to note that ransomware operators have developed a penchant for exploiting CLFS elevation of privilege flaws over the last few years,” Satnam Narang, senior staff research engineer at Tenable, told The Hacker News.

“Unlike advanced persistent threat groups that typically focus on precision and patience, ransomware operators and affiliates are focused on the smash and grab tactics by any means necessary. By using elevation of privilege flaws like this one in CLFS, ransomware affiliates can move through a given network in order to steal and encrypt data and begin extorting their victims.”

The fact that CLFS has become an attractive attack pathway for malicious actors has not gone unnoticed by Microsoft, which said it is working to add a new verification step when parsing such log files.

“Instead of trying to validate individual values in logfile data structures, this security mitigation provides CLFS the ability to detect when log files have been modified by anything other than the CLFS driver itself,” Microsoft noted in late August 2024. “This has been accomplished by adding Hash-based Message Authentication Codes (HMAC) to the end of the log file.”
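The mitigation Microsoft describes is a general integrity pattern: rather than sanity-checking every field of a complex on-disk structure, the trusted writer appends a keyed MAC over the file, and the reader refuses to parse anything whose tag does not verify. The following is an added illustration of that pattern, not Microsoft's code and not CLFS's actual on-disk layout or key management; the log bytes, the record format, the fixed tag length and the in-memory key are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# HMAC-SHA256 tag appended to the end of the file (constructed choice, not CLFS's format).
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def seal_log(payload: bytes, key: bytes) -> bytes:
    """Trusted writer: return payload followed by HMAC(key, payload)."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + tag


def verify_log(sealed: bytes, key: bytes) -> bool:
    """Reader: accept the file only if the trailing tag matches the rest of the bytes.

    The whole file is authenticated, so any edit to a header field, a record, or
    the tag itself, and any truncation, fails here before any field is parsed.
    """
    if len(sealed) < TAG_LEN:
        return False  # too short to even carry a tag
    payload, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check itself does not leak the tag.
    return hmac.compare_digest(expected, tag)


def parse_records(payload: bytes) -> list:
    """Toy record parser: a 4-byte big-endian length prefix per record (constructed format)."""
    records, pos = [], 0
    while pos + 4 <= len(payload):
        n = int.from_bytes(payload[pos:pos + 4], "big")
        records.append(payload[pos + 4:pos + 4 + n])
        pos += 4 + n
    return records


def read_log(sealed: bytes, key: bytes) -> list:
    """Verify first, parse second; never touch the structures of an unverified file."""
    if not verify_log(sealed, key):
        raise ValueError("log integrity check failed; refusing to parse")
    return parse_records(sealed[:-TAG_LEN])


def demo() -> dict:
    """Seal a constructed log, then show which modifications the reader detects."""
    key = secrets.token_bytes(32)  # in a real design this key must be unreachable by the untrusted party
    records = [b"record-1", b"record-2", b"record-3"]
    payload = b"".join(len(r).to_bytes(4, "big") + r for r in records)
    sealed = seal_log(payload, key)

    # Untouched file: verifies and parses.
    intact = read_log(sealed, key) == records

    # One byte of a record flipped (header and tag left alone): must be rejected.
    tampered = bytearray(sealed)
    tampered[6] ^= 0x01
    tampered_ok = verify_log(bytes(tampered), key)

    # Length field inflated to point past the buffer: rejected before the parser sees it.
    oversize = bytearray(sealed)
    oversize[0:4] = (0x7FFFFFFF).to_bytes(4, "big")
    oversize_ok = verify_log(bytes(oversize), key)

    # Truncated by one byte, and checked under a different key.
    truncated_ok = verify_log(sealed[:-1], key)
    wrong_key_ok = verify_log(sealed, secrets.token_bytes(32))

    return {
        "intact": intact,
        "tampered_accepted": tampered_ok,
        "oversize_accepted": oversize_ok,
        "truncated_accepted": truncated_ok,
        "wrong_key_accepted": wrong_key_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The design point worth taking from this is in the ordering: `read_log` verifies the tag before `parse_records` interprets a single length field, so a crafted length that would previously have had to be caught by a per-field bounds check never reaches the parser. The scheme only holds if the MAC key is unavailable to whoever can write the file; a key that a lower-privileged process can read lets it re-seal an edited log, which is why key custody, not the hash function, is what such a mitigation stands or falls on.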

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the necessary remediations by December 31, 2024.

The bug with the highest severity in this month’s release is a remote code execution flaw impacting Windows Lightweight Directory Access Protocol (LDAP). It is tracked as CVE-2024-49112 (CVSS score: 9.8).

“An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through a specially crafted set of LDAP calls to execute arbitrary code within the context of the LDAP service,” Microsoft said.

Also of note are two other remote code execution flaws impacting Windows Hyper-V (CVE-2024-49117, CVSS score: 8.8), Remote Desktop Client (CVE-2024-49105, CVSS score: 8.4), and Microsoft Muzic (CVE-2024-49063, CVSS score: 8.4).

The development comes as 0patch released unofficial fixes for a Windows zero-day vulnerability that allows attackers to capture NT LAN Manager (NTLM) credentials. Further details about the flaw have been withheld until an official patch becomes available.

“The vulnerability allows an attacker to obtain user’s NTLM credentials by simply having the user view a malicious file in Windows Explorer – e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker’s web page,” Mitja Kolsek said.

In late October, free unofficial patches were also made available to address a Windows Themes zero-day vulnerability that allows attackers to steal a target’s NTLM credentials remotely.

0patch has also issued micropatches for another previously unknown vulnerability on Windows Server 2012 and Server 2012 R2 that allows an attacker to bypass Mark-of-the-Web (MotW) protections on certain types of files. The issue is believed to have been introduced over two years ago.


With NTLM coming under intensive exploitation via relay and pass-the-hash attacks, Microsoft has announced plans to deprecate the legacy authentication protocol in favor of Kerberos. Additionally, it has taken the step of enabling Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019.

Microsoft said it has rolled out a similar security improvement to Active Directory Certificate Services (AD CS) by enabling EPA by default with the release of Windows Server 2025, which also removes support for NTLM v1 and deprecates NTLM v2. These changes also apply to Windows 11 24H2.

“Additionally, as part of the same Windows Server 2025 release, LDAP now has channel binding enabled by default,” Redmond’s security team said earlier this week. “These security enhancements mitigate risk of NTLM relaying attacks by default across three on-premise services: Exchange Server, Active Directory Certificate Services (AD CS), and LDAP.”

“As we progress towards disabling NTLM by default, immediate, short-term changes, such as enabling EPA in Exchange Server, AD CS, and LDAP reinforce a ‘secure by default’ posture and safeguard users from real-world attacks.”

Software Patches from Other Vendors

Outside Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —
