2 Zero-Day Bugs in Microsoft's Nov. Update Under Active Exploit

Source: Rix Pix Photography via Shutterstock

Attackers are already actively exploiting two vulnerabilities for which Microsoft issued patches on Nov. 12 as part of its monthly security update. And they could soon begin targeting two other publicly disclosed, but as yet unexploited, flaws.

The four zero-day bugs are among a set of 89 common vulnerabilities and exposures (CVEs) that Microsoft addressed in November’s Patch Tuesday. The batch contains a substantially high percentage of remote code execution (RCE) vulnerabilities, in addition to the usual collection of elevation of privileges flaws, spoofing vulnerabilities, security bypass, denial-of-service issues, and other vulnerability classes. Microsoft identified eight of the flaws as issues that attackers are more likely to exploit, though researchers pointed to other flaws as well that are of likely of high interest to adversaries.

Microsoft Adopts CSAF Standard

Along with the November security update, Microsoft also announced its adoption of Common Security Advisory Framework (CSAF), an OASIS standard for disclosing vulnerabilities in machine-readable form. “CSAF files are meant to be consumed by computers more so than by humans,” Microsoft said in a blog post. It should help organizations accelerate their vulnerability response and remediation processes, the company noted.

“This is a huge win for the security community and a welcome addition to Microsoft’s security pages,” said Tyler Reguly, associate director of security R&D at Fortra, via email. “This is a standard that has been adopted by many software vendors and it is great to see that Microsoft is following suit.”

Zero-Day Bugs Under Active Exploit

One of the zero-day bugs that attackers are already actively exploiting is CVE-2024-43451 (CVSS 6.5 out of 10), a flaw that discloses a user’s NTLMv2 hash for validating credentials in Windows environments. The hashes allow attackers to authenticate as legitimate users, and access applications and data to which they have permissions. The vulnerability affects all Windows versions and requires minimal user interaction to exploit. Merely selecting or inspecting a file could trigger the vulnerability, Microsoft warned.

______________________________

Don’t miss the upcoming free Dark Reading Virtual Event, “Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors,” Nov. 14 at 11 a.m. ET. Don’t miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

______________________________

“To my knowledge, it’s the third such vulnerability that can disclose a user’s NTLMv2 hash that was exploited in the wild in 2024,” Satnam Narang, senior staff engineer at Tenable, wrote in an emailed comment. The other two are CVE-2024-21410 in Microsoft Exchange Server from February, and CVE-2024-38021 in Microsoft Office from July.

“One thing is certain,” according to Narang. “Attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes.”

The second bug under active exploit in Microsoft’s latest update is CVE-2024-49039 (CVSS 8.8), a Windows Task Scheduler elevation of privilege bug that allows an attacker to execute remote procedure calls (RPC) normally available only to privileged accounts.

“In this case, a successful attack could be performed from a low privilege AppContainer,” Microsoft said. “The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment.”

The fact that it was Google’s Threat Analysis Group that discovered and reported this flaw to Microsoft suggests that the attackers currently exploiting the flaw are either a nation-state-backed group or other advanced persistent threat actor, Narang said.

“An attacker can perform this exploit as a low-privileged AppContainer and effectively execute RPCs that should be available only to privileged tasks,” added Ben McCarthy, lead cybersecurity engineer at Immersive Labs, via email. “It is unclear what RPCs are affected here, but it could give an attacker access to elevate privileges and execute code on a remote machine, as well as the machine in which they are executing the vulnerability.”

Previously Disclosed but Unexploited Zero-Days

One of the two already disclosed — but not yet exploited — zero-days is CVE-2024-49019 (CVSS 7.8), an elevation-of-privilege vulnerability in Active Directory Certificate Services that attackers could use to gain domain administrator access. Microsoft’s advisory listed several recommendations for organizations to secure certificate templates, including removing overly broad enrollment rights for users or groups, removing unused templates, and implementing additional measures to secure templates that allow users to specify a subject in the request.

Microsoft is tracking the other publicly disclosed but unexploited flaw as CVE-2024-49040 (CVSS 7.5), a Windows Exchange Server spoofing flaw. “The primary issue lies in how Exchange processes … headers, enabling attackers to construct emails that falsely appear to be from legitimate sources,” Mike Walters, president and co-founder of Action1, wrote in a blog post. “This capability is particularly useful for spear phishing and other forms of email-based deception.”

RCE Security Bugs Have a Big Month

Nearly 60% of the bugs — 52 of 89 — that Microsoft disclosed in its November update are RCE vulnerabilities that allow remote attackers to execute arbitrary code on vulnerable systems. Some allow for unauthenticated RCE, while others require an attacker to have authenticated access to exploit the bug. Most of the RCEs in Microsoft’s latest update affect various versions of MS SQL Server. Other impacted technologies include MS Office 2016, MS Defender for iOS, MS Excel 2016, and Windows Server 2012, 2022, and 2025, said Will Bradle, security consultant at NetSPI, in an emailed statement.

Among the most critical of the RCEs, according to Walters, is CVE-2024-43639 in Windows Kerberos. The bug has a near-maximum CVSS severity score of 9.8 of 10 because, among other things, an unauthenticated attacker can exploit it remotely. Microsoft itself has assessed the bug as something that attackers are less likely to exploit. But putting it on the back burner for that reason could be a mistake.

“Kerberos is a fundamental component of Windows environments, crucial for authenticating user and service identities,” Walters added. “This vulnerability turns Kerberos into a high-value target, allowing attackers to exploit the truncation flaw to craft messages that Kerberos fails to process securely, potentially enabling the execution of arbitrary code.”

Bradle pointed to CVE-2024-49050 in Visual Studio Code Python Extension as another RCE in this month’s set that merits priority attention. “The extension currently has over 139 million downloads and is affected by an RCE vulnerability with a base CVSS score of 8.8,” he said. “Microsoft has patched the VSCode extension, and updates should be installed immediately.”

Immersive Labs’ McCarthy also identified multiple other flaws that organizations would do well to address quickly. They include the critical CVE-2024-43498 (CVSS 9.8), an RCE in .NET and Visual Studio; CVE-2024-49019 (CVSS 7.8), an Active Directory privilege escalation flaw; CVE-2024-49033 (CVSS 7.5), a Microsoft Word security bypass flaw; and CVE-2024-43623 (CVSS 7.8), a privilege escalation flaw in the Windows NT OS kernel that enables attacker to gain system level access on affected systems. Importantly, Microsoft has assessed the latter vulnerability as one that attackers are more likely to exploit.

About the Author

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master’s degree in Statistics and lives in Naperville, Ill.