Zero Day Initiative — The November 2024 Security Update Review

In the latest round of updates, Microsoft has addressed a limited number of critical vulnerabilities, with two notable bugs related to privilege escalation. The first, associated with VMSwitch, poses a significant risk by allowing a low-privileged user on a guest operating system to execute code with SYSTEM privileges on the host OS. This scenario is particularly concerning for system integrity. The second critical bug, found within a cloud service, has already been mitigated, and its details are now being documented for transparency.

Code Execution Vulnerabilities

This month’s updates also include over 50 code execution vulnerabilities, predominantly affecting SQL Server. Because these vulnerabilities require the victim to connect to a malicious SQL database, the probability of exploitation remains low. However, one SQL vulnerability, CVE-2024-49043, requires urgent attention: it mandates an update to OLE DB Driver version 18 or 19 and may also require third-party fixes. Users are advised to review this issue thoroughly and apply all necessary updates.

Additionally, several vulnerabilities within Office components have been identified, although none are linked to the Preview Pane. The Telephony service has revealed six remote code execution (RCE) vulnerabilities, all of which require the target to connect to a malicious server, potentially through user manipulation. Among these, the SMBv3 vulnerability stands out, as it allows an attacker to exploit a malicious SMB client to mount an attack against an affected SMB server, albeit only in SMB over QUIC configurations, which are not widespread.

Another noteworthy vulnerability, rated CVSS 9.9, was found in Azure CycleCloud. This flaw requires only basic permissions but could enable an attacker to gain root-level access, allowing command execution on any Azure CycleCloud cluster within the current instance. Furthermore, an RCE vulnerability in TorchGeo, a PyTorch domain library for machine learning, has been identified, although details remain sparse. This vulnerability can be exploited remotely without user interaction.

Microsoft has also issued an update for OpenSSL, which, while not publicly listed, was documented earlier in June. The omission of this information raises questions regarding transparency, especially given its third-party nature.

Privilege Escalation Fixes

The release includes over two dozen fixes for privilege escalation vulnerabilities. Most of these lead to SYSTEM-level code execution or administrative privileges when authenticated users execute specially crafted code. A few vulnerabilities warrant particular attention: the USB Video Class System vulnerabilities require physical access for exploitation, while an escalation in Active Directory Certificates could allow administrative privileges under specific PKI configurations. Additionally, vulnerabilities in Azure Database for PostgreSQL could grant privileges equivalent to the SuperUser role, and the bug in PC Manager could enable file deletion, facilitating privilege elevation.

Notably, the Hyper-V vulnerability could allow guest-to-host code execution at SYSTEM level, which calls into question Microsoft’s current CVSS rating of 8.8 and suggests it should be re-evaluated.

Security Feature Bypass and Other Vulnerabilities

This month’s release also addresses two Security Feature Bypass (SFB) vulnerabilities. One in Word could enable attackers to bypass Office Protected View, while another in Windows Defender Application Control (WDAC) could allow unauthorized applications to run. Furthermore, a single information disclosure vulnerability in the Windows Package Library Manager has been fixed, which could expose privileged user information.

Two spoofing vulnerabilities have also been identified, one in Exchange Server and another in DNS. While Microsoft has not disclosed specific details about the spoofed elements, such vulnerabilities often lead to NTLM relay issues and altered DNS responses, respectively. Exchange administrators should note that additional actions beyond patching are necessary for complete protection.

The update cycle concludes with four denial-of-service (DoS) vulnerabilities, with minimal information provided by Microsoft regarding their impact. The exception is a DoS vulnerability in Hyper-V, which could facilitate cross-VM attacks, allowing one guest VM to affect others on the same hypervisor.

As we look ahead, the final Patch Tuesday of 2024 is scheduled for December 10. Detailed patch analysis will follow, ensuring that organizations remain informed and prepared. In the meantime, vigilance in patch management and system security is paramount for maintaining a robust defense against emerging threats.
