Microsoft’s November Update: Two Zero-Day Bugs Under Active Exploit

November 12, 2024

Microsoft's November 2024 Patch Tuesday update includes a significant number of remote code execution (RCE) vulnerabilities, including a critical issue in Windows Kerberos. The update also patches two zero-day bugs that are currently under active exploitation, and two other vulnerabilities that have been publicly disclosed but not yet exploited. These four zero-day bugs are part of a total of 89 common vulnerabilities and exposures (CVEs) addressed in the November update. Along with the usual collection of privilege elevation, spoofing, security bypass, and denial-of-service vulnerabilities, the update includes a high percentage of RCE vulnerabilities. Microsoft has identified eight of the vulnerabilities as likely to be exploited by attackers.

As part of the November update, Microsoft announced its adoption of the Common Security Advisory Framework (CSAF), a standard for disclosing vulnerabilities in a machine-readable format. This should help organizations accelerate their vulnerability response and remediation processes. Tyler Reguly, associate director of security R&D at Fortra, praised the move, saying, 'This is a huge win for the security community and a welcome addition to Microsoft’s security pages.'

One of the actively exploited zero-day bugs is CVE-2024-43451, a vulnerability that exposes the NTLMv2 hash Windows uses to validate a user's credentials. This allows attackers to authenticate as legitimate users and access applications and data. The vulnerability affects all Windows versions and requires minimal user interaction to exploit. Satnam Narang, a senior staff engineer at Tenable, noted, 'To my knowledge, it's the third such vulnerability that can disclose a user's NTLMv2 hash that was exploited in the wild in 2024.' The other two are CVE-2024-21410 in Microsoft Exchange Server from February, and CVE-2024-38021 in Microsoft Office from July.

The second bug under active exploitation is CVE-2024-49039, a Windows Task Scheduler elevation-of-privilege bug that allows an attacker to execute remote procedure calls (RPC) normally available only to privileged accounts. The discovery of this flaw by Google's Threat Analysis Group suggests that the attackers currently exploiting it are either a nation-state-backed group or another advanced persistent threat actor.

Two other zero-day vulnerabilities, CVE-2024-49019 and CVE-2024-49040, have been publicly disclosed but not yet exploited. The former is an elevation-of-privilege vulnerability in Active Directory Certificate Services that attackers could use to gain domain administrator access. The latter is a Windows Exchange Server spoofing flaw that could enable attackers to construct emails that falsely appear to be from legitimate sources.

The November update disclosed 52 of 89 bugs as RCE vulnerabilities that allow remote attackers to execute arbitrary code on vulnerable systems. Some allow for unauthenticated RCE, while others require an attacker to have authenticated access to exploit the bug. The most critical RCE, according to Mike Walters, president and co-founder of Action1, is CVE-2024-43639 in Windows Kerberos. The bug has a near-maximum CVSS severity score of 9.8 of 10 because an unauthenticated attacker can exploit it remotely. Walters warned, 'This vulnerability turns Kerberos into a high-value target, allowing attackers to exploit the truncation flaw to craft messages that Kerberos fails to process securely.'
