It’s been another busy Patch Tuesday for system administrators, with Microsoft releasing updates for nearly 100 vulnerabilities, four of which are classed as zero-days.
Microsoft classifies a zero-day flaw as a CVE that has been publicly disclosed or actively exploited before a patch is available.
CVE-2024-43451 is an NTLM hash disclosure spoofing vulnerability with a CVSS score of 6.5 that affects all supported versions of Microsoft Windows. It has been both publicly disclosed and exploited.
“This vulnerability is particularly effective in phishing scenarios, where users might be deceived into interacting with malicious files. Once NTLM hashes are obtained, attackers can combine them with other network vulnerabilities to extend their access and compromise additional systems,” explained Action1 president Mike Walters.
“Organizations that heavily use Windows in environments with substantial network file sharing or legacy applications dependent on Internet Explorer and related platforms face heightened risk. Those lacking robust user training and monitoring systems to detect unusual file interactions may be more susceptible to exploitation.”
The second actively exploited zero-day is CVE-2024-49039, a low-complexity Windows Task Scheduler elevation of privilege (EoP) bug with a CVSS score of 8.8.
The vulnerability could be exploited by attackers who already have low-privileged access to a target system and want to escalate those privileges for lateral movement or to exploit other bugs.
“Organizations utilizing Windows systems, especially those with multiple user accounts or environments that permit scheduled tasks, could be at increased risk,” said Walters. “The nature of this vulnerability is especially concerning in corporate settings where individual users possess specific task automation privileges that could be exploited to gain unauthorized access.”
The third zero-day fixed by Microsoft yesterday is CVE-2024-49019, an EoP flaw in Active Directory Certificate Services that enables an adversary to acquire domain administrator privileges en route to sensitive data and systems. It has a CVSS score of 7.8.
The final zero-day is CVE-2024-49040, a spoofing vulnerability in Microsoft Exchange Server with a CVSS score of 7.5, which could enable attackers to spoof sender email addresses in phishing campaigns.
Walters warned that the low-complexity bug requires no privileges or user interaction, meaning there is a significant risk of it being exploited if not addressed.