Microsoft closed out its Patch Tuesday updates for 2024 with fixes for a total of 72 security flaws spanning its software portfolio, including one that it said has been exploited in the wild.
Of the 72 flaws, 17 are rated Critical, 54 are rated Important, and one is rated Moderate in severity. Thirty-one of the vulnerabilities are remote code execution flaws, and 27 of them allow for elevation of privileges.
That is in addition to 13 vulnerabilities the company has addressed in its Chromium-based Edge browser since the release of last month's security update. In total, Microsoft has resolved as many as 1,088 vulnerabilities in 2024 alone, per Fortra.
The vulnerability that Microsoft has acknowledged as having been actively exploited is CVE-2024-49138 (CVSS score: 7.8), a privilege escalation flaw in the Windows Common Log File System (CLFS) Driver.
"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," the company said in an advisory, crediting cybersecurity company CrowdStrike for discovering and reporting the flaw.
It is worth noting that CVE-2024-49138 is the fifth actively exploited CLFS privilege escalation flaw since 2022, after CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, and CVE-2023-28252 (CVSS scores: 7.8). It is also the ninth vulnerability in the same component to be patched this year.
"Though in-the-wild exploitation details aren't known yet, looking back at the history of CLFS driver vulnerabilities, it's interesting to note that ransomware operators have developed a penchant for exploiting CLFS elevation of privilege flaws over the past few years," Satnam Narang, senior staff research engineer at Tenable, told The Hacker News.
"Unlike advanced persistent threat groups that often focus on precision and patience, ransomware operators and affiliates are focused on smash and grab tactics by any means necessary. By using elevation of privilege flaws like this one in CLFS, ransomware affiliates can move through a given network in order to steal and encrypt data and begin extorting their victims."
The fact that CLFS has become an attractive attack pathway for malicious actors has not gone unnoticed by Microsoft, which said it is working to add a new verification step when parsing such log files.
"Instead of trying to validate individual values in logfile data structures, this security mitigation provides CLFS the ability to detect when log files have been modified by anything other than the CLFS driver itself," Microsoft noted in late August 2024. "This has been accomplished by adding Hash-based Message Authentication Codes (HMAC) to the end of the log file."
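To illustrate the trailer-based integrity check described above, here is an added Python model (not Microsoft's code, and not the real CLFS on-disk format): the log body is followed by an HMAC-SHA256 tag, only a holder of the key can produce a valid tag, and any modification of the body, the tag, or the file length is detected before the log is parsed or extended. How CLFS itself derives and protects its key is not stated on the page, so the example simply generates a random one.

```python
import hashlib
import hmac
import os

TAG_LEN = hashlib.sha256().digest_size  # 32-byte trailer at the end of the file

def seal_log(key: bytes, body: bytes) -> bytes:
    """Return body || HMAC-SHA256(key, body): the tag sits at the end of the file."""
    return body + hmac.new(key, body, hashlib.sha256).digest()

def verify_log(key: bytes, sealed: bytes) -> tuple:
    """Split a sealed file into (ok, body).

    ok is False when the trailer is missing (file too short) or when either the
    body or the tag was altered by anything that does not hold the key.
    """
    if len(sealed) < TAG_LEN:
        return False, b""
    body, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # compare_digest avoids leaking the tag through timing differences
    return hmac.compare_digest(expected, tag), body

def append_record(key: bytes, sealed: bytes, record: bytes) -> bytes:
    """Legitimate writer path: verify first, then re-seal the extended body."""
    ok, body = verify_log(key, sealed)
    if not ok:
        raise ValueError("log failed integrity check; refusing to extend it")
    return seal_log(key, body + record)

def demo() -> tuple:
    """Constructed walk-through; returns (clean_ok, tampered_ok, truncated_ok)."""
    key = os.urandom(32)  # constructed: the page does not say how CLFS keys its HMAC
    sealed = seal_log(key, b"record-1\n")
    sealed = append_record(key, sealed, b"record-2\n")
    clean_ok, _ = verify_log(key, sealed)
    # one byte of the body changed by something that does not hold the key
    tampered = bytearray(sealed)
    tampered[0] ^= 0x01
    tampered_ok, _ = verify_log(key, bytes(tampered))
    # a file cut short by a single byte no longer lines up with its trailer
    truncated_ok, _ = verify_log(key, sealed[:-1])
    return clean_ok, tampered_ok, truncated_ok

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```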
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply necessary remediations by December 31, 2024.
The bug with the highest severity in this month's release is a remote code execution flaw impacting Windows Lightweight Directory Access Protocol (LDAP). It is tracked as CVE-2024-49112 (CVSS score: 9.8).
"An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through a specially crafted set of LDAP calls to execute arbitrary code within the context of the LDAP service," Microsoft said.
Also of note are two other remote code execution flaws impacting Windows Hyper-V (CVE-2024-49117, CVSS score: 8.8), Remote Desktop Client (CVE-2024-49105, CVSS score: 8.4), and Microsoft Muzic (CVE-2024-49063, CVSS score: 8.4).
The development comes as 0patch released unofficial fixes for a Windows zero-day vulnerability that allows attackers to capture NT LAN Manager (NTLM) credentials. Additional details about the flaw have been withheld until an official patch becomes available.
"The vulnerability allows an attacker to obtain user's NTLM credentials by simply having the user view a malicious file in Windows Explorer – e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker's web page," Mitja Kolsek said.
In late October, free unofficial patches were also made available to address a Windows Themes zero-day vulnerability that allows attackers to steal a target's NTLM credentials remotely.
0patch has also issued micropatches for another previously unknown vulnerability on Windows Server 2012 and Server 2012 R2 that allows an attacker to bypass Mark-of-the-Web (MotW) protections on certain types of files. The issue is believed to have been introduced over two years ago.
With NTLM coming under extensive exploitation through relay and pass-the-hash attacks, Microsoft has announced plans to deprecate the legacy authentication protocol in favor of Kerberos. Furthermore, it has taken the step of enabling Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019.
Microsoft said it has rolled out a similar security improvement to Active Directory Certificate Services (AD CS) by enabling EPA by default with the release of Windows Server 2025, which also removes support for NTLM v1 and deprecates NTLM v2. These changes also apply to Windows 11 24H2.
"Additionally, as part of the same Windows Server 2025 release, LDAP now has channel binding enabled by default," Redmond's security team said earlier this week. "These security enhancements mitigate risk of NTLM relaying attacks by default across three on-premise services: Exchange Server, Active Directory Certificate Services (AD CS), and LDAP."
"As we progress towards disabling NTLM by default, quick, short-term changes, such as enabling EPA in Exchange Server, AD CS, and LDAP reinforce a 'secure by default' posture and safeguard customers from real-world attacks."
Software Patches from Other Vendors
Outside Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —