Patch Tuesday has once again brought a wave of updates from Microsoft, addressing a significant total of 89 CVE-listed security vulnerabilities across its product suite. Among these, two flaws are currently under active attack, prompting immediate attention from users and IT departments alike.
Critical Vulnerabilities Unveiled
The first of the exploited vulnerabilities, CVE-2024-49039, presents a serious risk due to an error in the Windows Task Scheduler that allows for privilege escalation. Rated with a CVSS score of 8.8, this flaw can be exploited from a low-privilege AppContainer, enabling unauthorized access to system functions. Henry Smith, a senior security engineer at Automox, elaborated on the threat: “An attacker must first gain access to the system, subsequently running a specifically crafted application to exploit the vulnerability.” This could result in unauthorized execution of privileged RPC functions, potentially allowing the creation of new users or modifications to system settings beyond the attacker’s initial privileges.
The second vulnerability, CVE-2024-43451, relates to a spoofing issue within Microsoft’s NTLM code. This flaw can be exploited to obtain a victim’s NTLMv2 hash, facilitating impersonation of that account. Microsoft notes that minimal interaction with a malicious file—such as a simple click or right-click—is enough to trigger this vulnerability; because some user interaction is still required, it has received a moderate CVSS score of 6.5.
For users of Azure CycleCloud, CVE-2024-43602 is a critical concern, boasting a CVSS score of 9.9. This vulnerability allows for remote code execution, where a rogue user could manipulate the configuration of a CycleCloud cluster to gain root privileges. Although Microsoft categorizes this as less likely to be exploited, the potential ramifications are severe.
Another significant vulnerability is CVE-2024-43498, rated at 9.8, which affects .NET and Visual Studio. This flaw could be exploited through malicious requests to a vulnerable .NET web application or by loading a specially crafted file into a susceptible desktop application. Similarly, CVE-2024-43639, also rated at 9.8, presents a complex yet potentially devastating risk. A malicious application could exploit a cryptographic protocol vulnerability in Windows Kerberos, leading to remote code execution.
Best (and the Worst) of the Rest
The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) has added the Windows Task Scheduler and NTLMv2 vulnerabilities to its Known Exploited Vulnerabilities Catalog. This catalog also includes flaws in Atlassian Jira server and datacenter products, a decade-old vulnerability in Cisco’s WebVPN login page, and a GeoJSON URL validation issue from 2021 that continues to attract attention from attackers.
On the same day, CISA released its list of the top 15 most exploited vulnerabilities over the past year, highlighting major technology vendors. Citrix vulnerabilities took the lead, claiming the first and second spots, while Cisco followed closely behind in third and fourth. Microsoft made two appearances on this list, underscoring the ongoing challenges in cybersecurity.
In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets.
CISA reported a notable increase in the exploitation of zero-day vulnerabilities in 2023, emphasizing that the majority of the most frequently exploited vulnerabilities were initially exploited as zero-days. This marks a shift from 2022, when fewer than half of the top exploited vulnerabilities fell into this category. The agency noted that malicious actors tend to find the most success exploiting vulnerabilities within two years of their public disclosure, and that the utility of these vulnerabilities diminishes over time as systems are patched or replaced.
In addition to Microsoft’s updates, Citrix also joined the patching efforts with fixes for two vulnerabilities in NetScaler ADC and NetScaler Gateway, along with a couple of medium-importance issues in Citrix Session Recording. Meanwhile, Intel released 47 patches across its supported processors, and AMD issued eight security patches. Adobe contributed its usual patch bundle, addressing nearly 50 vulnerabilities across a range of products, including Photoshop, Bridge, and After Effects.
With so many updates landing at once, organizations are encouraged to prioritize their patching efforts, starting with the actively exploited flaws, to ensure their systems remain secure and resilient against emerging threats.