Microsoft has closed out its Patch Tuesday updates for 2024 with fixes for a total of 72 security flaws spanning its software portfolio, including one it says has been exploited in the wild.
Of the 72 flaws, 17 are rated Critical, 54 are rated Important, and one is rated Moderate in severity. Thirty-one of the vulnerabilities are remote code execution flaws, and 27 of them allow elevation of privilege.
This is in addition to 13 vulnerabilities the company has addressed in its Chromium-based Edge browser since the release of last month's security update. In total, Microsoft patched 1,088 vulnerabilities in 2024 alone, according to Fortra.
The vulnerability that Microsoft has flagged as actively exploited is CVE-2024-49138 (CVSS score: 7.8), a privilege escalation flaw in the Windows Common Logging File System (CLFS) driver.
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” the company said in an advisory, crediting cybersecurity firm CrowdStrike for discovering and reporting the flaw.
It's worth noting that CVE-2024-49138 is the fifth actively exploited CLFS elevation of privilege bug since 2022, after CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, and CVE-2023-28252 (CVSS scores: 7.8). It is also the ninth vulnerability in the same component to be patched this year.
"While details of exploitation in the wild are still unknown, looking back at the history of CLFS driver vulnerabilities, it is interesting to note that ransomware operators have developed a penchant for exploiting CLFS privilege escalation flaws over the past few years," Satnam Narang, senior research engineer at Tenable, told The Hacker News.
“Unlike advanced persistent threat groups, which typically focus on precision and patience, ransomware operators and their affiliates focus on smash-and-grab tactics by any means necessary. By exploiting privilege escalation flaws like this one in CLFS, ransomware affiliates can travel across a given network to steal and encrypt data and begin extorting their victims.”
The fact that CLFS has become an attractive attack path has not gone unnoticed by Microsoft, which has said it is working to add a new verification step when parsing such log files.
"Rather than trying to check individual values in log file data structures, this security mitigation gives CLFS the ability to detect when log files have been modified by something other than the CLFS driver itself," Microsoft noted at the end of August 2024. "This was achieved by adding hash-based message authentication codes (HMAC) to the end of the log file."
Since then, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the necessary remediation by December 31, 2024.
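To show what the HMAC-at-end-of-file mitigation quoted above buys a defender, here is an added, self-contained Python illustration (not Microsoft's CLFS code; the key, tag layout and sample records are constructed for the demo). Only a writer holding the key can produce a valid trailing tag, so any edit, truncation or append made by anything else fails verification.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output length in bytes (constructed layout: tag is the final 32 bytes)


def seal_log(log_body: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag over the whole log body.

    A plain hash would not help here: whoever edits the file could simply
    recompute it.  The keyed MAC ties validity to possession of the key
    that only the trusted writer (the driver, in CLFS's case) holds.
    """
    tag = hmac.new(key, log_body, hashlib.sha256).digest()
    return log_body + tag


def open_log(sealed: bytes, key: bytes) -> bytes:
    """Return the log body if its trailing tag verifies; raise ValueError otherwise."""
    if len(sealed) < TAG_LEN:
        raise ValueError("log too short to carry an integrity tag")
    body, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # compare_digest avoids leaking the tag through timing differences
    if not hmac.compare_digest(tag, expected):
        raise ValueError("log file modified by something other than the sealing writer")
    return body


def is_intact(sealed: bytes, key: bytes) -> bool:
    """Convenience wrapper: True only if open_log() accepts the file."""
    try:
        open_log(sealed, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    KEY = b"constructed-demo-key-not-a-real-secret"  # assumption: known only to the writer
    log = seal_log(b"record-1\nrecord-2\n", KEY)      # constructed sample records
    tampered = bytearray(log)
    tampered[0] ^= 0x01                               # flip one bit in a record header
    print("untouched :", is_intact(log, KEY))         # True
    print("bit-flip  :", is_intact(bytes(tampered), KEY))  # False
    print("truncated :", is_intact(log[:-1], KEY))    # False
    print("appended  :", is_intact(log + b"x", KEY))  # False
```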
The most severe bug in this month's release is a remote code execution flaw affecting Windows Lightweight Directory Access Protocol (LDAP). It is tracked as CVE-2024-49112 (CVSS score: 9.8).
“An unauthenticated attacker who successfully exploited this vulnerability could gain code execution via a specially crafted set of LDAP calls to execute arbitrary code in the context of the LDAP service,” Microsoft said.
Also worth noting are two other remote code execution vulnerabilities affecting Windows Hyper-V (CVE-2024-49117, CVSS score: 8.8), Remote Desktop Client (CVE-2024-49105, CVSS score: 8.4), and Microsoft Muzic (CVE-2024-49063, CVSS score: 8.4).
The development comes as 0patch released unofficial fixes for a Windows zero-day vulnerability that allows attackers to capture NT LAN Manager (NTLM) credentials. Further details about the flaw are being withheld until an official patch is available.
"The vulnerability allows an attacker to obtain the user's NTLM credentials simply by having the user view a malicious file in Windows Explorer, such as by opening a shared folder or USB drive containing the file, or by viewing the Downloads folder where the file was previously automatically downloaded from the attacker's web page," 0patch's Mitja Kolsek said.
Free unofficial patches were also made available at the end of October to address a Windows Themes zero-day vulnerability that allows attackers to remotely steal a target's NTLM credentials.
0patch has also issued micropatches for another previously unknown vulnerability in Windows Server 2012 and Server 2012 R2 that allows an attacker to bypass Mark-of-the-Web (MotW) protections for certain file types. The issue is believed to have been introduced more than two years ago.
With NTLM being widely abused through relay and pass-the-hash attacks, Microsoft has announced plans to deprecate the legacy authentication protocol in favor of Kerberos. It has also made Extended Protection for Authentication (EPA) the default for new and existing Exchange Server 2019 installations.
Microsoft said it rolled out a similar security improvement to Active Directory Certificate Services (AD CS), enabling EPA by default with the Windows Server 2025 release, which also removes support for NTLM v1 and deprecates NTLM v2. These changes also apply to Windows 11 24H2.
"Also as part of the same Windows Server 2025 release, LDAP now has channel binding enabled by default," the Redmond security team said earlier this week. "These security improvements reduce the risk of NTLM relay attacks by default on three on-premises services: Exchange Server, Active Directory Certificate Services (AD CS), and LDAP."
“As we move toward disabling NTLM by default, immediate short-term changes such as enabling EPA in Exchange Server, AD CS, and LDAP reinforce the ‘secure-by-default’ posture and protect users from real-world attacks.”
Third-party software patches
Outside of Microsoft, other vendors have also released security updates to address several vulnerabilities over the past few weeks, including –