Windows Users Must Update Now As Microsoft Confirms 4 New Zero-Days

This week, Microsoft has unveiled a significant array of security vulnerabilities that could affect a wide range of its users. In a comprehensive report detailing over 90 security issues, the spotlight falls on four zero-day vulnerabilities, two of which are currently being exploited by malicious actors. Here’s a closer look at these critical findings and the necessary actions to take.

Microsoft Confirms November 2024 Patch Tuesday Complete With Four Zero-Day Vulnerabilities

Microsoft adopts a unique approach to defining zero-day threats. While many security experts agree that a zero-day refers to a vulnerability that has been exploited before it is discovered, Microsoft includes both publicly disclosed vulnerabilities and those under active attack in its definition. This week’s November 2024 Patch Tuesday security updates include four zero-day vulnerabilities, with two confirmed to be actively exploited at the time of the disclosure on November 12. Notably, one of these vulnerabilities meets both criteria of being publicly disclosed and under attack.

CVE-2024-43451 is a spoofing vulnerability related to NT LAN Manager hash disclosure, which can expose a critical component of the NTLM authentication protocol. Ryan Braunstein, team lead of security operations at Automox, explains, “NTLM hashing is a method used to protect passwords by converting them into a fixed-length string of characters, which is then transmitted for authentication purposes.” If this hash is disclosed, attackers could potentially authenticate as the user. However, Braunstein notes that this zero-day vulnerability requires user interaction: a user must open a crafted file sent via phishing attempts.

On the other hand, CVE-2024-49039 pertains to a Windows Task Scheduler elevation of privilege vulnerability. This flaw could enable an attacker to elevate their privileges on the targeted Windows system. Henry Smith, a senior security engineer at Automox, elaborates that this vulnerability exploits Remote Procedure Call functions, which are crucial for executing commands and transferring data between a client and server. An attacker must first gain access to the target system and then run a malicious application to exploit this vulnerability. Smith emphasizes that patching is the most effective strategy to mitigate this risk, especially since functional exploit code is already available.

Two Microsoft Security Vulnerabilities Rate As 9.8 On The Impact Severity Scale

Among the vulnerabilities, two stand out with a staggering impact severity score of 9.8, as noted by Tyler Reguly, associate director for security research and development at Fortra. “While the Common Vulnerability Scoring System is not an absolute indicator of risk,” Reguly states, “scores that are a 9.8 are often pretty telling of where the issue lies.” The first, CVE-2024-43498, is a vulnerability in .NET that allows unauthenticated remote attackers to exploit .NET web applications through malicious requests. Similarly, CVE-2024-43639 enables an unauthenticated attacker to target Windows Kerberos to gain code execution, raising significant alarms for users and organizations alike.

Microsoft Windows Users Should Update Now

Given the presence of these zero-days and four critical-rated vulnerabilities, the recent Patch Tuesday security updates are crucial for Microsoft users across various platforms, including Windows OS, Office, SQL Server, Exchange Server, .NET, and Visual Studio. Chris Goettl, vice president of security product management at Ivanti, advises, “The Microsoft Windows OS updates should be your top priority this month as they resolve both known and exploited vulnerabilities.” He further emphasizes that organizations running Microsoft Exchange Server should also prioritize these updates to safeguard their systems effectively.
