Microsoft Patch Tuesday, July 2024 Edition – Krebs on Security

Microsoft Corp. today released software updates to patch at least 139 security holes in various flavors of Windows and other Microsoft products. Redmond says attackers are already exploiting at least two of the vulnerabilities in active attacks against Windows users.

Microsoft’s first zero-day this month is CVE-2024-38080, a bug in the Windows Hyper-V component that affects Windows 11 and Windows Server 2022 systems. CVE-2024-38080 allows an attacker to escalate account privileges on a Windows machine. Although Microsoft says the flaw is being exploited, it has provided little information about the exploitation.

Another zero-day is CVE-2024-38112, which is a vulnerability in MSHTML, the proprietary engine of Microsoft’s Internet Explorer web browser. Kevin Breen, senior director of threat research at Focused Labs, said exploiting CVE-2024-38112 likely requires the use of an “attack chain” of exploits or program changes on the target host, as in Microsoft’s explanation: “Successful exploitation of this vulnerability requires an attacker to perform other steps before exploitation to fix the target area.”

“Despite the lack of information provided in the initial advisory, this risk affects all hosts from Windows Server 2008 R2 going forward, including customers,” said Breen. “Due to active exploitation in the wild this should be prioritized in writing.”

Satnam Narang, senior staff research engineer at Tenable, called special attention to CVE-2024-38021, a remote code execution bug in Microsoft Office. An attack on this vulnerability would lead to the disclosure of NTLM hashes, which could be used as part of an NTLM relay or “pass the hash” attack, allowing an attacker to impersonate a legitimate user without having to log in.

“One of the more successful attack campaigns from 2023 used CVE-2023-23397, an elevation of privilege bug in Microsoft Outlook that could also leak NTLM hashes,” Narang said. “However, CVE-2024-38021 is limited by the fact that the Preview Pane is not an attack vector, meaning that an exploit cannot occur by simply previewing a file.”

Security firm Morphisec, which is credited with reporting CVE-2024-38021 to Microsoft, said it respectfully disagrees with Microsoft’s severity rating, saying the Office flaw deserves a more “critical” rating given how easy it is for attackers to exploit.

“Their test differentiates between trusted and untrusted senders, noting that while the risk is zero clicks for trusted senders, it requires user interaction with one click for untrusted senders,” Morphisec’s Michael Gorelik said in a blog post about the finding. “This re-evaluation is important to show the real risk and ensure proper attention and mitigation resources.”

In last month’s Patch Tuesday, Microsoft fixed a bug in its Windows WiFi driver that attackers could use to install malicious software by sending a vulnerable Windows host a specially crafted data packet over the local network. Jason Kikta of Automox says this month’s CVE-2024-38053, a security vulnerability in the Windows Layer Two Bridge Network, is another “ping-of-death” local network vulnerability that should be a priority for road warriors to patch.

“This requires getting close to the target,” Kikta said. “While that prevents a ransomware actor in Russia, it is something outside of current threat models. This type of exploit works in places like shared office spaces, hotels, convention centers, and anywhere where unknown computers might use a virtual link like you.”

Automox also highlighted three vulnerabilities in the Windows Remote Desktop service that issues Client Access Licenses (CALs) when a client connects to a remote desktop host (CVE-2024-38077, CVE-2024-38074, and CVE-2024-38076). All three bugs were given a CVSS score of 9.8 (out of 10) and indicate that a malicious packet may trigger the vulnerability.

Tyler Reguly of Fortra noted that today marks the End of Support date for SQL Server 2014, a platform that according to Shodan still has 110,000 publicly available instances. In addition, more than a quarter of all Microsoft vulnerabilities fixed this month are in SQL Server.

“Most companies don’t update immediately, but this may leave them scrambling to update those environments to supported versions of MS-SQL,” Reguly said.

It’s a good idea for Windows end users to stay current with security updates from Microsoft, which can accumulate quickly otherwise. That doesn’t mean you have to install them on Patch Tuesday. Indeed, waiting a day or three before updating is a reasonable response, as sometimes updates go wrong and usually within a few days Microsoft has fixed any problems with its patches. It is also wise to back up your data and/or an image of your Windows drive before installing new updates.

For a more detailed description of the bugs Microsoft addressed today, check out the SANS Internet Storm Center list. For those administrators who are responsible for maintaining large Windows environments, it often pays to keep an eye on Askwoody.com, which often points out where certain Microsoft updates cause several problems for users.

As always, if you encounter problems using any of these updates, consider leaving a note about it in the comments; chances are someone else reading here has run into the same problem, and maybe has a solution.

