
    Microsoft Addresses 90 New Vulnerabilities, Including Actively Exploited NTLM and Task Scheduler Flaws

    On Tuesday, Microsoft disclosed the presence of two critical security vulnerabilities within the Windows NT LAN Manager (NTLM) and Task Scheduler, both of which are reportedly being actively exploited in real-world environments.

    These security lapses are part of a larger batch of 90 vulnerabilities that the tech titan tackled in its November 2024 Patch Tuesday update. Among these, four are classified as Critical, 85 as Important, and one is deemed Moderate in severity. Significantly, 52 of these patched flaws enable remote code execution.

    Separately, Microsoft has resolved 31 vulnerabilities in its Chromium-based Edge browser since the October 2024 Patch Tuesday update. The two high-priority vulnerabilities currently under exploitation are:

    • CVE-2024-43451 (CVSS score: 6.5) – NTLM Hash Disclosure Spoofing Vulnerability
    • CVE-2024-49039 (CVSS score: 8.8) – Task Scheduler Privilege Elevation Vulnerability

    Microsoft’s advisory concerning CVE-2024-43451 emphasizes that this flaw could inadvertently expose a user’s NTLMv2 hash to a malicious actor, who may then impersonate the user for unauthorized access. This flaw was identified by ClearSky researcher Israel Yeshurun.

    Interestingly, CVE-2024-43451 represents the third notable vulnerability of its kind this year, following CVE-2024-21410 and CVE-2024-38021, which were addressed earlier in February and July. All three facilitate NTLMv2 hash disclosure, underscoring the enduring interest among cyber adversaries in these vulnerabilities for lateral movement within networks.

    CVE-2024-49039, on the other hand, lets an attacker execute RPC functions that are normally limited to privileged accounts. Successful exploitation, however, requires an authenticated attacker to run an application on the target device that first elevates their privileges to a Medium Integrity Level.

    Google’s Threat Analysis Group (TAG) researchers Vlad Stolyarov and Bahare Sabouri, alongside an anonymous researcher, were credited for uncovering this vulnerability. This attribution raises speculation that the exploitation might be tied to nation-state groups or advanced persistent threat (APT) actors.

    Currently, details on the specific methods used to exploit these vulnerabilities or their prevalence remain scarce. Nevertheless, their discovery has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add them to its Known Exploited Vulnerabilities (KEV) catalog.

    Another disclosed vulnerability, CVE-2024-49019 (CVSS score: 7.8), affects Active Directory Certificate Services. Though not yet actively exploited, this privilege escalation flaw could grant domain admin rights. Known as EKUwu, this vulnerability was documented last month by TrustedSec.

    Additionally, CVE-2024-43498 (CVSS score: 9.8), a critical remote code execution flaw within .NET and Visual Studio, enables remote, unauthenticated attackers to compromise .NET web applications or desktop apps by sending a specially crafted file or request.

    Among other fixes, Microsoft has addressed a significant cryptographic protocol vulnerability in Windows Kerberos (CVE-2024-43639, CVSS score: 9.8), which allows unauthenticated attackers to conduct remote code execution.

    The most severe vulnerability in this release is a remote code execution flaw in Azure CycleCloud (CVE-2024-43602, CVSS score: 9.9). Here, attackers with basic user permissions could achieve root-level access by merely sending a request that alters a vulnerable Azure CycleCloud cluster’s configuration.

    Senior researcher Satnam Narang at Tenable commented, “With the increasing shift toward cloud solutions, the attack surface expands, making configurations in platforms like Azure CycleCloud an appealing target for exploitation.”

    Moreover, Microsoft has tackled a remote code execution vulnerability in OpenSSL (CVE-2024-5535, CVSS score: 9.1), initially patched by OpenSSL maintainers in June 2024. Exploiting this flaw would typically require an attacker to lure the victim into clicking a malicious link, often via email or instant messaging.

    In an effort to improve transparency and responsiveness in security disclosures, Microsoft has adopted the Common Security Advisory Framework (CSAF), an OASIS standard designed to automate and streamline vulnerability management across supply chains, including open-source software embedded in its products. Microsoft stated, “CSAF files are meant for computer processing more than human consumption, so we’re adding them as a supplementary channel to enhance transparency throughout our entire supply chain.”
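
    To show what "computer processing" of a CSAF file looks like for a patch team, here is an added example (not Microsoft's code or a real Microsoft CSAF file) that ranks the vulnerabilities in a CSAF 2.0 document by exploitation status and CVSS score, optionally cross-checking a KEV-style set of CVE ids like the catalog mentioned above. The function name `triage`, the `kev_ids` parameter, the product ids and the `Exploited:Yes` wording in `threats` are assumptions made for illustration.

```python
import json

# Constructed sample: a trimmed CSAF 2.0 document. CVE ids and scores are the
# ones quoted in the article; product ids and the exploit_status wording are
# placeholders, not values taken from a real Microsoft CSAF file.
SAMPLE_CSAF = json.dumps({
    "document": {"category": "csaf_security_advisory", "csaf_version": "2.0",
                 "title": "Constructed example"},
    "vulnerabilities": [
        {"cve": "CVE-2024-43602",
         "scores": [{"products": ["PRODUCT-A"], "cvss_v3": {"baseScore": 9.9}}]},
        {"cve": "CVE-2024-43451",
         "scores": [{"products": ["PRODUCT-B"], "cvss_v3": {"baseScore": 6.5}}],
         "threats": [{"category": "exploit_status", "details": "Exploited:Yes"}]},
        {"cve": "CVE-2024-43639",
         "scores": [{"products": ["PRODUCT-B"], "cvss_v3": {"baseScore": 9.8}}]},
        {"cve": "CVE-2024-49039",
         "scores": [{"products": ["PRODUCT-B"], "cvss_v3": {"baseScore": 8.8}}]},
    ],
})


def triage(csaf_text, kev_ids=frozenset()):
    """Return (cve, max_cvss_v3, exploited) tuples, exploited entries first."""
    doc = json.loads(csaf_text)
    version = doc.get("document", {}).get("csaf_version")
    if version != "2.0":
        raise ValueError(f"unsupported csaf_version: {version!r}")
    rows = []
    for vuln in doc.get("vulnerabilities", []):
        cve = vuln.get("cve", "<no CVE id>")
        # A vulnerability may carry one score object per product group.
        bases = [s["cvss_v3"]["baseScore"] for s in vuln.get("scores", [])
                 if "baseScore" in s.get("cvss_v3", {})]
        score = max(bases) if bases else None
        # Exploited if the advisory says so or the id is in a KEV-style set.
        flagged = any(t.get("category") == "exploit_status"
                      and "exploited:yes" in t.get("details", "").lower()
                      for t in vuln.get("threats", []))
        rows.append((cve, score, flagged or cve in kev_ids))
    # Exploited first, then highest score; unscored entries sort last.
    rows.sort(key=lambda r: (not r[2], -(r[1] if r[1] is not None else -1.0)))
    return rows


if __name__ == "__main__":
    for cve, score, exploited in triage(SAMPLE_CSAF, kev_ids={"CVE-2024-49039"}):
        print(f"{cve}  cvss={score}  exploited={exploited}")
```

    Sorting on exploitation before score puts the 6.5-rated NTLM flaw ahead of the 9.9-rated CycleCloud flaw, which is the ordering a KEV listing implies for patch scheduling.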

    Microsoft’s November updates highlight the persistent risks tied to cloud migration and the vital importance of swift, automated responses to complex and evolving cybersecurity threats.
