Pelican Press (Diamond Member), posted November 12

Microsoft fixes 89 CVEs on penultimate Patch Tuesday of 2024

Microsoft has issued fixes addressing a total of 89 new Common Vulnerabilities and Exposures (CVEs) – 92 including third-party disclosures – to mark the penultimate Patch Tuesday of 2024, including four critical issues and a number of flaws that could be considered zero-days.

Of these issues, one meets the full traditional definition of a zero-day, a vulnerability that is both public and known to be exploited. This is CVE-2024-43451, a spoofing vulnerability in New Technology LAN Manager (NTLM) Hash.

NTLM is a set of security protocols used to authenticate users’ identities. It dates back years and has been largely supplanted by vastly more secure protocols – Microsoft has not recommended its use in over a decade, but since it was used in Internet Explorer, it remains supported to some extent and continues to cause problems, not least because at this stage, it is incredibly insecure.

In this instance, successful exploitation of this issue could lead to “total loss of confidentiality”, according to [hidden], as it discloses a user’s NTLMv2 hash to an attacker who could then use it to authenticate as the user – if the victim can be tricked into minimal interaction with a malicious file, which could include merely selecting or clicking it, not even opening it. This may make it considerably more dangerous than its comparatively low severity score may indicate.
Mike Walters, president and co-founder of [hidden], explained: “This issue arises from the mechanism where NTLM authentication credentials, specifically NTLMv2 hashes, are improperly exposed via a maliciously crafted file.

“The root cause of this vulnerability lies in improperly handling file interactions within systems, potentially allowing attackers to extract NTLMv2 hashes without requiring complete file execution,” he told Computer Weekly in emailed commentary.

All supported versions of Microsoft Windows are vulnerable to this issue, said Walters, especially if they use applications reliant on MSHTML and EdgeHTML platforms, while risk is further increased across different system environments thanks to the involvement of other scripting engines.

Walters said the main concern with CVE-2024-43451 is the disclosure of NTLMv2 hashes that can be used to authenticate as the user and leveraged in pass-the-hash attacks, enabling further lateral movement for a canny threat actor.

“This vulnerability is particularly effective in phishing scenarios, where users might be deceived into interacting with malicious files. Once NTLM hashes are obtained, attackers can combine them with other network vulnerabilities to extend their access and compromise additional systems,” he said.

“Organisations that heavily use Windows in environments with substantial network file sharing or legacy applications dependent on Internet Explorer and related platforms face heightened risk. Those lacking robust user training and monitoring systems to detect unusual file interactions may be more susceptible to exploitation.”

Also on the list is [hidden], which is exploited but not yet public. This is an elevation of privilege (EoP) vulnerability in Windows Task Scheduler.
This stems from an issue where authentication tokens or credentials are improperly managed and could allow a low-privileged attacker to gain deeper access if they can execute a malicious application designed for the purpose. It impacts multiple versions of Windows that incorporate Task Scheduler as part of their routine task automation processes, and it is thought that environments with shared or multiple-user setups may be particularly vulnerable to it.

“This vulnerability serves as a potential entry point for attackers who have already accessed a system with low privilege. Once privileges are escalated, these attackers can utilise this foothold for further lateral movement within a network or to exploit other vulnerabilities that necessitate higher access levels,” said Walters.

“The nature of this vulnerability is especially concerning in corporate settings where individual users possess specific task automation privileges that could be exploited to gain unauthorised access.”

Not yet exploited

Four further vulnerabilities have been made public but as of yet have seen no exploitation, according to [hidden], and one of these, [hidden], a remote code execution issue in OpenSSL, is among the three third-party disclosures incorporated into this month’s drop.

The other three are [hidden], a remote code execution (RCE) vulnerability in .NET and Visual Studio; CVE-2024-49019, an EoP vulnerability in Active Directory Certificate Services; and CVE-2024-49040, a spoofing vulnerability in Microsoft Exchange Server.
Chris Goettl, vice president of security products at [hidden], shared further thoughts on both the Active Directory and Microsoft Exchange Server issues, and urged defenders to treat them as higher priorities than the official guidance might imply.

“[CVE-2024-49019] … is rated Important and has a CVSS v3.1 score of 7.8…. If exploited, the attacker could gain domain administrator privileges. The vulnerability does provide additional mitigations including removing overly broad enrol or auto-enrol permissions, removing unused templates from certificate authorities, and securing templates that allow you to specify the subject in the request,” said Goettl.

“The vulnerability affects Windows Server 2008 and later Server OS editions. From a risk-based perspective, a public disclosure puts this vulnerability at a higher risk of being exploited and may warrant treating the vulnerability as a higher severity.”

Goettl continued: “[CVE-2024-49040] is rated Important and has a CVSS v3.1 score of 7.5…. The vulnerability exists in the P2 From header verification. Microsoft Exchange Server is often targeted by threat actors who specialise in Exchange exploits. From a risk-based prioritisation perspective, the public disclosure and availability of PoC level exploit code warrants treating this vulnerability as Critical.”

Finally, the three other Critical issues listed are [hidden], an EoP vulnerability in Microsoft Windows VMSwitch; [hidden], an RCE vulnerability in Windows Kerberos; and [hidden], an EoP vulnerability in Airlift.Microsoft.com.
In each of these instances, no proof of concept has yet been made public and no exploitation in the wild has been observed.
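
The three template mitigations Goettl lists for CVE-2024-49019 (broad enrol or auto-enrol rights, unused templates, subject supplied in the request) can be checked against a template inventory. The sketch below is an added example, not part of the original article or any vendor tooling; the record fields, template names, the set of "broad" groups and the sample inventory are constructed assumptions.

```python
# Added example: audit a constructed AD CS template inventory against the
# three mitigations quoted above. Field names are assumptions, not a real export.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit of msPKI-Certificate-Name-Flag

# Assumption: principals considered "overly broad" for enrol/auto-enrol rights.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users", "Domain Computers"}

# Constructed sample data (hypothetical template names, groups and counts).
SAMPLE_TEMPLATES = [
    {"name": "LegacyWebServer", "name_flag": 0x1, "enrol": ["Domain Users"],
     "autoenrol": [], "published": True, "issued_12m": 0},
    {"name": "WorkstationAuth", "name_flag": 0x08000000, "enrol": [],
     "autoenrol": ["Domain Computers"], "published": True, "issued_12m": 412},
    {"name": "VpnGateway", "name_flag": 0x1, "enrol": ["PKI-Admins"],
     "autoenrol": [], "published": True, "issued_12m": 6},
    {"name": "OldSmartcard", "name_flag": 0x02000000, "enrol": ["Helpdesk"],
     "autoenrol": [], "published": False, "issued_12m": 0},
]

def audit_template(t):
    """Return (severity, findings) for one template record."""
    if not t["published"]:
        return ("skip", [])  # not offered by any CA, so nothing can enrol
    findings = []
    subject_in_request = bool(t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    broad = sorted(BROAD_PRINCIPALS & (set(t["enrol"]) | set(t["autoenrol"])))
    if subject_in_request:
        findings.append("subject supplied in request")
    if broad:
        findings.append("broad enrolment: " + ", ".join(broad))
    if t["issued_12m"] == 0:
        findings.append("unused but still published")
    if subject_in_request and broad:
        return ("high", findings)  # requester-chosen subject plus wide enrolment
    return ("review" if findings else "ok", findings)

def audit(templates):
    """Map template name -> (severity, findings), omitting clean/unpublished ones."""
    report = {}
    for t in templates:
        severity, findings = audit_template(t)
        if severity in ("high", "review"):
            report[t["name"]] = (severity, findings)
    return report

if __name__ == "__main__":
    for name, (severity, findings) in audit(SAMPLE_TEMPLATES).items():
        print(f"{severity:6} {name}: {'; '.join(findings)}")
```

Templates that combine a requester-supplied subject with broad enrolment rights are ranked highest because that pairing is what the quoted mitigations are meant to break up.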