Tuesday, December 3, 2024

Microsoft Addresses 89 CVEs in Second-to-Last Patch Tuesday of 2024

Microsoft has rolled out fixes for 89 new security vulnerabilities, with the total rising to 92 when including third-party issues. This Patch Tuesday update features four critical vulnerabilities and multiple flaws suspected to be zero-days.

One critical vulnerability stands out: CVE-2024-43451, an NTLM hash disclosure spoofing vulnerability. NTLM is an authentication protocol that Microsoft hasn’t recommended for over a decade, but it’s still present because legacy applications depend on it. If exploited, this vulnerability could completely compromise user confidentiality. An attacker could capture a user’s NTLMv2 hash simply by tricking them into interacting with a malicious file, which is alarming considering how easy that interaction can be.

Mike Walters from Action1 explained that this vulnerability stems from NTLM authentication credentials being improperly exposed through malicious files. The issue lies in how systems handle file interactions. As a result, attackers can extract NTLMv2 hashes without the file having to be fully executed.

Walters highlighted that all supported versions of Windows are at risk, especially systems using applications based on MSHTML and EdgeHTML. The potential for exploitation is heightened in environments with weak user training or monitoring, particularly where Windows is heavily used for network file sharing or relies on older applications.

Another issue, CVE-2024-49309, is an elevation of privilege vulnerability in Windows Task Scheduler. This flaw arises from poor management of authentication tokens, allowing a low-privileged attacker to gain higher access through a malicious application. It affects multiple Windows versions that use Task Scheduler, posing a significant risk in shared environments where access levels vary.

Four additional vulnerabilities have been disclosed but remain unexploited. One notable issue is CVE-2024-5535, which involves remote code execution in OpenSSL. Alongside that, CVE-2024-43498 affects .NET and Visual Studio, CVE-2024-49019 involves Active Directory Certificate Services, and CVE-2024-49040 impacts Microsoft Exchange Server.

Chris Goettl from Ivanti emphasized that some of these vulnerabilities should be prioritized higher than Microsoft’s official guidelines suggest. For instance, CVE-2024-49019 could allow attackers to gain domain administrator rights, making it essential for organizations to tighten security around enrollment permissions and certificate templates. Similarly, CVE-2024-49040, which stems from a header verification flaw in Microsoft Exchange Server, warrants serious attention given Exchange Server’s popularity among attackers.

Additionally, three other critical vulnerabilities are listed, including CVE-2024-43625 in Windows VMSwitch, CVE-2024-43639 in Windows Kerberos, and CVE-2024-49056 in Airlift.microsoft.com. No proof of concept or exploitation has surfaced for these yet.