Microsoft closed out its Patch Tuesday updates for 2024 with fixes for a complete of 72 security flaws spanning its software program portfolio, together with one which it mentioned has been exploited within the wild.
Of the 72 flaws, 17 are rated Vital, 54 are rated Vital, and one is rated Average in severity. Thirty-one of the vulnerabilities are distant code execution flaws, and 27 of them enable for the elevation of privileges.
That is along with 13 vulnerabilities the corporate has addressed in its Chromium-based Edge browser for the reason that launch of final month’s security replace. In complete, Microsoft has resolved as many as 1,088 vulnerabilities in 2024 alone, per Fortra.
The vulnerability that Microsoft has acknowledged as having been actively exploited is CVE-2024-49138 (CVSS rating: 7.8), a privilege escalation flaw within the Home windows Frequent Log File System (CLFS) Driver.
“An attacker who efficiently exploited this vulnerability might acquire SYSTEM privileges,” the corporate mentioned in an advisory, crediting cybersecurity firm CrowdStrike for locating and reporting the flaw.
It is value noting that CVE-2024-49138 is the fifth actively exploited CLFS privilege escalation flaw since 2022 after CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, and CVE-2023-28252 (CVSS scores: 7.8). It is also the ninth vulnerability in the identical part to be patched this 12 months.
“Although in-the-wild exploitation particulars aren’t recognized but, wanting again on the historical past of CLFS driver vulnerabilities, it’s attention-grabbing to notice that ransomware operators have developed a penchant for exploiting CLFS elevation of privilege flaws over the previous few years,” Satnam Narang, senior workers analysis engineer at Tenable, advised The Hacker Information.
“In contrast to superior persistent menace teams that usually concentrate on precision and persistence, ransomware operators and associates are centered on the smash and seize techniques by any means needed. By utilizing elevation of privilege flaws like this one in CLFS, ransomware associates can transfer by way of a given community to be able to steal and encrypt knowledge and start extorting their victims.”
The truth that CLFS has develop into a sexy assault pathway for malicious actors has not gone unnoticed by Microsoft, which mentioned it is working so as to add a brand new verification step when parsing such log recordsdata.
“As a substitute of making an attempt to validate particular person values in logfile knowledge constructions, this security mitigation supplies CLFS the flexibility to detect when log recordsdata have been modified by something aside from the CLFS driver itself,” Microsoft famous in late August 2024. “This has been completed by including Hash-based Message Authentication Codes (HMAC) to the tip of the log file.”
The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has since added the flaw to its Recognized Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Govt Department (FCEB) businesses to use needed remediations by December 31, 2024.
The bug with the very best severity on this month’s launch is a distant code execution flaw impacting Home windows Light-weight Listing Entry Protocol (LDAP). It is tracked as CVE-2024-49112 (CVSS rating: 9.8).
“An unauthenticated attacker who efficiently exploited this vulnerability might acquire code execution by way of a specifically crafted set of LDAP calls to execute arbitrary code throughout the context of the LDAP service,” Microsoft mentioned.
Additionally of observe are two different distant code execution flaws impacting Home windows Hyper-V (CVE-2024-49117, CVSS rating: 8.8), Distant Desktop Consumer (CVE-2024-49105, CVSS rating: 8.4), and Microsoft Muzic (CVE-2024-49063, CVSS rating: 8.4).
The event comes as 0patch launched unofficial fixes for a Home windows zero-day vulnerability that enables attackers to seize NT LAN Supervisor (NTLM) credentials. Further particulars in regards to the flaw have been withheld till an official patch turns into obtainable.
“The vulnerability permits an attacker to acquire person’s NTLM credentials by merely having the person view a malicious file in Home windows Explorer – e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder the place such file was beforehand mechanically downloaded from attacker’s internet web page,” Mitja Kolsek mentioned.
In late October, free unofficial patches had been additionally made obtainable to handle a Home windows Themes zero-day vulnerability that enables attackers to steal a goal’s NTLM credentials remotely.
0patch has additionally issued micropatches for one more beforehand unknown vulnerability on Home windows Server 2012 and Server 2012 R2 that enables an attacker to bypass Mark-of-the-Net (MotW) protections on sure varieties of recordsdata. The problem is believed to have been launched over two years in the past.
With NTLM coming below in depth exploitation through relay and pass-the-hash assaults, Microsoft has introduced plans to deprecate the legacy authentication protocol in favor of Kerberos. Moreover, it has taken the step of enabling Prolonged Safety for Authentication (EPA) by default for brand spanking new and present installs of Trade 2019.
Microsoft mentioned it has rolled out the same security enchancment to Azure Listing Certificates Providers (AD CS) by enabling EPA by default with the discharge of Home windows Server 2025, which additionally removes assist for NTLM v1 and deprecates NTLM v2. These modifications additionally apply to Home windows 11 24H2.
“Moreover, as a part of the identical Home windows Server 2025 launch, LDAP now has channel binding enabled by default,” Redmond’s security group mentioned earlier this week. “These security enhancements mitigate danger of NTLM relaying assaults by default throughout three on-premise companies: Trade Server, Energetic Listing Certificates Providers (AD CS), and LDAP.”
“As we progress in direction of disabling NTLM by default, quick, short-term modifications, similar to enabling EPA in Trade Server, AD CS, and LDAP reinforce a ‘safe by default’ posture and safeguard customers from real-world assaults.”
Software program Patches from Different Distributors
Exterior Microsoft, security updates have additionally been launched by different distributors over the previous few weeks to rectify a number of vulnerabilities, together with —
