Microsoft closed out its Patch Tuesday updates for 2024 with fixes for a total of 72 security flaws spanning its software portfolio, including one that it said has been exploited in the wild.
Of the 72 flaws, 17 are rated Critical, 54 are rated Important, and one is rated Moderate in severity. Thirty-one of the vulnerabilities are remote code execution flaws, and 27 of them allow for the elevation of privileges.
This is in addition to 13 vulnerabilities the company has addressed in its Chromium-based Edge browser since the release of last month’s security update. In total, Microsoft has resolved as many as 1,088 vulnerabilities in 2024 alone, per Fortra.
The vulnerability that Microsoft has acknowledged as having been actively exploited is CVE-2024-49138 (CVSS score: 7.8), a privilege escalation flaw in the Windows Common Log File System (CLFS) Driver.
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” the company said in an advisory, crediting cybersecurity company CrowdStrike for discovering and reporting the flaw.
It’s worth noting that CVE-2024-49138 is the fifth actively exploited CLFS privilege escalation flaw since 2022, after CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, and CVE-2023-28252 (CVSS scores: 7.8). It’s also the ninth vulnerability in the same component to be patched this year.
“Though in-the-wild exploitation details aren’t known yet, looking back at the history of CLFS driver vulnerabilities, it’s interesting to note that ransomware operators have developed a penchant for exploiting CLFS elevation of privilege flaws over the past few years,” Satnam Narang, senior staff research engineer at Tenable, told The Hacker News.
“Unlike advanced persistent threat groups that typically focus on precision and patience, ransomware operators and affiliates are focused on smash and grab tactics by any means necessary. By utilizing elevation of privilege flaws like this one in CLFS, ransomware affiliates can move through a given network in order to steal and encrypt data and begin extorting their victims.”
The fact that CLFS has become an attractive attack pathway for malicious actors has not gone unnoticed by Microsoft, which said it is working to add a new verification step when parsing such log files.
“Instead of trying to validate individual values in logfile data structures, this security mitigation provides CLFS the ability to detect when log files have been modified by anything other than the CLFS driver itself,” Microsoft noted in late August 2024. “This has been accomplished by adding Hash-based Message Authentication Codes (HMAC) to the end of the log file.”
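To make the mitigation concrete, here is an added illustration (not Microsoft's code, and not CLFS's real on-disk layout, key management or tag placement, which the page does not describe) of the general idea: the writer appends an HMAC over the whole log body, and the reader refuses to open a log whose tag no longer matches, so an edit made outside the trusted writer is caught before any field-level parsing happens. The 32-byte trailer layout, the sample log bytes and the key are all constructed for the demo.

```python
import hashlib
import hmac
import os

# Assumed trailer layout for this demo: body || HMAC-SHA256(key, body).
# The real CLFS format and the location of its HMAC are not documented on this page.
TAG_LEN = 32


def seal_log(body: bytes, key: bytes) -> bytes:
    """Trusted writer path: append an HMAC tag over the entire log body."""
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify_log(blob: bytes, key: bytes) -> bool:
    """Reader path: recompute the tag over everything before the trailer and
    compare in constant time. Any change to body or tag makes this False."""
    if len(blob) < TAG_LEN:
        return False  # too short to even carry a tag: treat as corrupt/tampered
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def open_log(blob: bytes, key: bytes) -> bytes:
    """Reject-on-open: return the body only if the integrity check passes.
    Field-by-field validation of the structures would happen after this gate."""
    if not verify_log(blob, key):
        raise ValueError("log integrity check failed; file was not written by the trusted writer")
    return blob[:-TAG_LEN]


def demo() -> tuple[bool, bool]:
    """Seal a constructed log, then flip one byte to simulate an out-of-band edit.
    Returns (verdict for untouched file, verdict for tampered file)."""
    key = os.urandom(32)  # in a real driver this key must be unreachable from user mode
    body = b"CLFS-DEMO-HEADER|container=0|size=4096|records=3"  # constructed sample
    sealed = seal_log(body, key)
    tampered = bytearray(sealed)
    tampered[8] ^= 0x01  # one-bit change inside the body
    return verify_log(sealed, key), verify_log(bytes(tampered), key)
```

The check only holds if the HMAC key is unavailable to the code that could tamper with the file; a tag computed with a key the attacker also holds proves nothing.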
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the necessary remediations by December 31, 2024.
The bug with the highest severity in this month’s release is a remote code execution flaw impacting Windows Lightweight Directory Access Protocol (LDAP). It’s tracked as CVE-2024-49112 (CVSS score: 9.8).
“An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through a specially crafted set of LDAP calls to execute arbitrary code within the context of the LDAP service,” Microsoft said.
Also of note are three other remote code execution flaws impacting Windows Hyper-V (CVE-2024-49117, CVSS score: 8.8), Remote Desktop Client (CVE-2024-49105, CVSS score: 8.4), and Microsoft Muzic (CVE-2024-49063, CVSS score: 8.4).
The development comes as 0patch released unofficial fixes for a Windows zero-day vulnerability that allows attackers to capture NT LAN Manager (NTLM) credentials. Additional details about the flaw have been withheld until an official patch becomes available.
“The vulnerability allows an attacker to obtain the user’s NTLM credentials by simply having the user view a malicious file in Windows Explorer – e.g., by opening a shared folder or USB disk with such a file, or viewing the Downloads folder where such a file was previously automatically downloaded from the attacker’s web page,” Mitja Kolsek said.
In late October, free unofficial patches were also made available to address a Windows Themes zero-day vulnerability that allows attackers to steal a target’s NTLM credentials remotely.
0patch has also issued micropatches for another previously unknown vulnerability on Windows Server 2012 and Server 2012 R2 that allows an attacker to bypass Mark-of-the-Web (MotW) protections on certain types of files. The issue is believed to have been introduced over two years ago.
With NTLM coming under extensive exploitation via relay and pass-the-hash attacks, Microsoft has announced plans to deprecate the legacy authentication protocol in favor of Kerberos. Furthermore, it has taken the step of enabling Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019.
Microsoft said it has rolled out a similar security improvement to Active Directory Certificate Services (AD CS) by enabling EPA by default with the release of Windows Server 2025, which also removes support for NTLM v1 and deprecates NTLM v2. These changes also apply to Windows 11 24H2.
“Additionally, as part of the same Windows Server 2025 release, LDAP now has channel binding enabled by default,” Redmond’s security team said earlier this week. “These security enhancements mitigate the risk of NTLM relaying attacks by default across three on-premise services: Exchange Server, Active Directory Certificate Services (AD CS), and LDAP.”
“As we progress towards disabling NTLM by default, immediate, short-term changes, such as enabling EPA in Exchange Server, AD CS, and LDAP, reinforce a ‘secure by default’ posture and safeguard customers from real-world attacks.”
Software Patches from Other Vendors
Outside Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —