
Microsoft urges users to update Windows after zero-day vulnerabilities

CVE-2024-43451 is particularly notable; it is an NT LAN Manager hash disclosure spoofing vulnerability that could expose the NTLM authentication protocol

by Kerem Gülen
November 14, 2024

Microsoft is urging Windows users to update their systems immediately after confirming four new zero-day vulnerabilities as part of its November security patch. Of the more than 90 security issues reported, two of these zero-days are being actively exploited, posing significant risks to users.

Understanding the zero-day vulnerabilities

Microsoft has a unique perspective on what constitutes a zero-day threat, considering both vulnerabilities that are publicly disclosed and those actively under attack. As highlighted in the November 2024 Patch Tuesday release, two out of the four identified vulnerabilities are currently being exploited.

CVE-2024-43451 is particularly notable; it is an NT LAN Manager hash disclosure spoofing vulnerability that could expose the NTLM authentication protocol. According to Ryan Braunstein, team lead of security operations at Automox, the flaw requires user interaction to be exploited. Specifically, a user needs to open a crafted file delivered through phishing for the attack to succeed. Once exploited, the vulnerability discloses the user's NTLM hash, which is intended to protect passwords, and potentially allows attackers to authenticate as the user.


On the other hand, CVE-2024-49039 is a Windows Task Scheduler elevation of privilege vulnerability. Henry Smith, a senior security engineer at Automox, noted that this flaw exploits Remote Procedure Call functions, enabling an attacker to elevate their privileges after gaining initial access to a Windows system. Patching remains the most reliable defense against these vulnerabilities, especially since functional exploit code is already circulating in the wild.


Critical vulnerabilities rated at 9.8 severity

Adding to the alarm, two vulnerabilities have been rated as 9.8 on the Common Vulnerability Scoring System, indicating their potential impact. CVE-2024-43498 affects .NET web applications, allowing unauthenticated remote attackers to exploit the application through malicious requests. Meanwhile, CVE-2024-43639 targets Windows Kerberos, enabling unauthorized attackers to execute code through the same unauthenticated vectors.

The major focus, however, should be directed at two security vulnerabilities rated a critical 9.8 on the impact severity scale, according to Tyler Reguly, associate director for security research and development at Fortra. “While the Common Vulnerability Scoring System is not an indicator of risk,” Reguly said, “scores that are a 9.8 are often pretty telling of where the issue is.”

Given the severity of these vulnerabilities, Microsoft is stressing the importance of applying security updates, particularly for users operating Windows, Office, SQL Server, Exchange Server, .NET, and Visual Studio. Chris Goettl, vice president of security product management at Ivanti, noted that patching should be a priority due to the known and actively exploited nature of these vulnerabilities.

Tracking recent attacks and vulnerabilities

Microsoft’s concerns are reinforced by recent incidents where Russian hackers exploited vulnerabilities in their systems for attacks specifically targeting Ukrainian entities. This highlights the broader implications of these vulnerabilities beyond mere software issues. ClearSky security researchers reported that the NTLM hash disclosure vulnerability (CVE-2024-43451) was being utilized to steal NTLMv2 hashes through phishing schemes, triggering a sequence that allowed attackers to gain remote access to compromised systems.

By using crafted hyperlinks in phishing emails, attackers forced users to interact with malicious files, activating the vulnerability that connects to an attacker-controlled server. This underscores the pressing need for users to remain vigilant and report suspicious communications.
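A defender-side check for the leak path described above, added here as an example and not taken from the article or from ClearSky's report: it flags workstation connections that carry SMB to servers outside the organisation and groups them by destination. It assumes the hash leaves over outbound SMB (TCP 139/445), which the article does not specify; the host names, addresses, internal ranges and flow records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption: address space the organisation treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# Assumption: SMB ports, a common carrier of outbound NTLM authentication.
SMB_PORTS = {139, 445}

# Constructed flow records: (source host, process, destination, port).
SAMPLE_FLOWS = [
    ("WS-014", "explorer.exe", "10.20.1.5", 445),     # internal file server
    ("WS-014", "explorer.exe", "203.0.113.77", 445),  # outside the internal ranges
    ("WS-022", "chrome.exe", "198.51.100.10", 443),   # ordinary HTTPS, ignored
    ("WS-031", "explorer.exe", "203.0.113.77", 445),  # second host, same server
    ("WS-040", "explorer.exe", "not-an-ip", 445),     # malformed record
]

def is_internal(addr):
    """True if addr falls inside one of the configured internal networks."""
    return any(addr.version == net.version and addr in net
               for net in INTERNAL_NETS)

def external_smb_flows(flows):
    """Return the SMB flows whose destination lies outside INTERNAL_NETS."""
    hits = []
    for host, proc, dst, port in flows:
        if port not in SMB_PORTS:
            continue
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            continue  # unparseable destination; leave it to data-quality checks
        if not is_internal(addr):
            hits.append((host, proc, dst, port))
    return hits

def hosts_per_destination(hits):
    """Group flagged flows by destination server.

    Several workstations reaching the same outside server over SMB is a
    stronger signal than a single stray connection.
    """
    grouped = defaultdict(set)
    for host, _proc, dst, _port in hits:
        grouped[dst].add(host)
    return {dst: sorted(hosts) for dst, hosts in grouped.items()}

if __name__ == "__main__":
    print(hosts_per_destination(external_smb_flows(SAMPLE_FLOWS)))
```

The internal ranges are listed explicitly because Python's `is_private` also returns true for documentation and other reserved ranges, which would hide the constructed sample addresses used here.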

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-43451 to its Known Exploited Vulnerabilities Catalog, mandating that organizations secure their vulnerable systems by early December. As CISA stated, such vulnerabilities frequently serve as attack vectors for malicious cyber actors and pose great risks, particularly within federal networks.

Armed with the knowledge of these vulnerabilities, users are urged to act promptly. Microsoft’s November Patch Tuesday is a necessary step to mitigate the risks associated with newly discovered flaws. As hybrid working environments continue to blur the lines of cybersecurity, adhering to best practices and ensuring timely updates can drastically reduce exposure to potential threats.

