Introduction

In November 2024 [5], Microsoft’s Patch Tuesday release addressed 90 vulnerabilities, including four critical zero-day vulnerabilities affecting various Microsoft products. These vulnerabilities pose significant security risks, necessitating prompt attention and remediation.

Description

Microsoft’s November 2024 Patch Tuesday release addresses 90 vulnerabilities [3], including four newly confirmed critical zero-day vulnerabilities affecting Windows 11, Active Directory Certificate Services (AD CS) [2], and Exchange Server [2].

Among these [7], CVE-2024-43451 is an NTLM Hash Disclosure Spoofing Vulnerability rated important with a CVSS score of 6.5 [3]. It exposes a user’s NTLMv2 hash in Windows environments [9], allowing remote attackers to authenticate as legitimate users and access sensitive applications and data with minimal user interaction, such as selecting or right-clicking a malicious file [8]. The vulnerability affects all supported versions of Microsoft Windows since Windows Server 2008 and can be exploited through phishing, leading to the unauthorized disclosure of NTLMv2 hashes [3], which contain authentication credentials [4]. Attackers can then conduct “pass-the-hash” attacks by siphoning off password hashes from memory [6]. Although it primarily targets the deprecated Windows Explorer [1], it can also be exploited in Microsoft Edge’s Windows Explorer mode [1]. The risk is particularly significant for organizations that still rely on NTLM to support legacy applications, especially those with substantial network file sharing. This is the third NTLM zero-day identified this year [7], underscoring the persistent threat as attackers continue to seek out and exploit such vulnerabilities for lateral movement within networks.

CVE-2024-49039 is another zero-day vulnerability, this one in the Windows Task Scheduler [1] [3], rated important with a CVSS score of 8.8 [3]. An authenticated attacker with local access can exploit this low-complexity flaw by running a specially crafted application, elevating privileges to Medium Integrity Level and gaining access to restricted resources, including the ability to execute code via Remote Procedure Call (RPC) functions. The vulnerability also enables an AppContainer escape, allowing low-privileged users to execute code at Medium integrity [4]. Discovered by Google’s Threat Analysis Group [2] [4] [7] [9], CVE-2024-49039 has been actively exploited in the wild in activity attributed to advanced persistent threat (APT) or nation-state actors [1] [4], highlighting the need for organizations to remain vigilant against such threats.

Additionally, CVE-2024-49019 is an elevation of privilege vulnerability in AD CS [2] [3], arising from overly permissive version 1 certificate templates [2]. This flaw enables attackers to request certificates with arbitrary subject names [2], potentially escalating privileges to domain administrator level [2]. CVE-2024-49040 is an issue in Microsoft Exchange Server that could allow email header spoofing [2], facilitating phishing attacks and the delivery of malicious payloads [2]. These vulnerabilities highlight ongoing threats and the importance of applying security updates to protect systems from exploitation [2]. Patching is recommended as the most effective mitigation strategy for all identified vulnerabilities [5].
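As an added example (not from the cited articles), the following PowerShell audit lists the AD CS condition described for CVE-2024-49019: version 1 certificate templates whose subject name is supplied by the enrollee, restricted to templates actually published on an enterprise CA. It assumes the ActiveDirectory RSAT module is installed and that the account running it can read the Configuration naming context.

```powershell
# Added audit example: find published version 1 templates that let the enrollee
# supply the certificate subject name (the overly permissive pattern described
# for CVE-2024-49019). Assumes the ActiveDirectory module and read access to
# the Configuration naming context.
Import-Module ActiveDirectory

# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is bit 0x1 of msPKI-Certificate-Name-Flag.
$EnrolleeSuppliesSubject = 0x00000001

$configNC = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$caContainer = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

# Only templates published on at least one enterprise CA can actually be requested.
$published = Get-ADObject -SearchBase $caContainer `
    -LDAPFilter "(objectClass=pKIEnrollmentService)" -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

$templates = Get-ADObject -SearchBase $templateContainer `
    -LDAPFilter "(objectClass=pKICertificateTemplate)" `
    -Properties 'msPKI-Template-Schema-Version', 'msPKI-Certificate-Name-Flag', 'displayName'

$findings = foreach ($t in $templates) {
    # The attribute is stored as a signed 32-bit integer; widen before masking.
    $nameFlag = [int64]$t.'msPKI-Certificate-Name-Flag'
    $suppliesSubject = ($nameFlag -band $EnrolleeSuppliesSubject) -ne 0
    $isV1 = $t.'msPKI-Template-Schema-Version' -eq 1
    $isPublished = $published -contains $t.Name
    [pscustomobject]@{
        Template                = $t.Name
        DisplayName             = $t.displayName
        SchemaVersion           = $t.'msPKI-Template-Schema-Version'
        EnrolleeSuppliesSubject = $suppliesSubject
        Published               = $isPublished
        # v1 + enrollee-supplied subject + published is the combination to review.
        Review                  = $isV1 -and $suppliesSubject -and $isPublished
    }
}

# Templates flagged for review; pair this list with a check of each template's
# enrollment permissions before deciding whether to unpublish or restrict it.
$findings | Where-Object Review |
    Format-Table Template, DisplayName, SchemaVersion, Published -AutoSize
```

Templates in the list are candidates for tighter enrollment permissions or unpublishing, in addition to applying the November 2024 update.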

Conclusion

The vulnerabilities identified in Microsoft’s November 2024 Patch Tuesday release underscore the critical need for organizations to prioritize security updates. The potential for exploitation by advanced persistent threats and nation-state actors highlights the importance of maintaining robust security practices. Organizations must remain vigilant, apply patches promptly, and plan for the longer-term implications of these flaws to safeguard their systems against evolving threats.

References

[1] https://redmondmag.com/Articles/2024/11/13/November-Security-Patch-24.aspx
[2] https://winbuzzer.com/2024/11/12/microsofts-november-2024-patch-tuesday-fixes-four-zero-days-in-windows-11-ad-cs-and-exchange-server-xcxwbn/
[3] https://www.tenable.com/blog/microsofts-november-2024-patch-tuesday-addresses-87-cves-cve-2024-43451-cve-2024-49039
[4] https://www.helpnetsecurity.com/2024/11/12/cve-2024-43451-cve-2024-49039/
[5] https://www.forbes.com/sites/daveywinder/2024/11/13/windows-users-must-update-now-as-microsoft-confirms-4-new-zero-days/
[6] https://www.csoonline.com/article/3604591/november-2024-patch-tuesday-patches-four-zero-days-and-three-critical-flaws.html
[7] https://krebsonsecurity.com/2024/11/microsoft-patch-tuesday-november-2024-edition/
[8] https://cybersecuritynews.com/microsoft-november-patch-tuesday/
[9] https://www.darkreading.com/cloud-security/2-zero-day-bugs-microsoft-nov-update-active-exploit