
Windows users should update now as Microsoft confirms 4 new Zero-Days

This week, Microsoft confirmed another major discovery of security issues impacting users of its products. Amid the haze that is a report of more than 90 security vulnerabilities in total, there are four zero-day vulnerabilities and two of these, Microsoft confirmed, are being actively exploited by threat actors. Here’s what you need to know and do.


Microsoft confirms Patch Tuesday for November 2024, complete with four zero-day vulnerabilities

Microsoft has a very Microsoft-centric way of assessing a zero-day threat. While most security professionals agree that the term refers to a vulnerability that has already been exploited by the time the vendor or a security professional discovers it, Microsoft instead counts both vulnerabilities that have been publicly disclosed before a patch is available and vulnerabilities that are being actively attacked. This is why Microsoft lists four zero-days in the November 2024 Patch Tuesday security updates. However, only two of these were known to be actively exploited at the time of the November 12 Patch Tuesday release, and of those two, one hits both markers: it was publicly disclosed and is being actively attacked.

CVE-2024-43451 is an NT LAN Manager hash disclosure spoofing vulnerability that could expose a critical part of the NTLM authentication protocol to an attacker. “NTLM hashing is a method used to protect passwords by converting them into a fixed-length string of characters, which is then sent for authentication purposes,” said Ryan Braunstein, security operations team leader at Automox. In other words, if the hash is exposed, an attacker can potentially authenticate as that user. Although confirmed and actively exploited, Braunstein said the zero-day vulnerability requires user interaction. “Specifically, a user must open a crafted file that an attacker can send via phishing attempts,” Braunstein said.

Meanwhile, CVE-2024-49039 is an elevation of privilege vulnerability in Windows Task Scheduler, which, unsurprisingly, could allow an attacker to escalate privileges on the targeted Windows system. “This elevation of privilege vulnerability exploits Remote Procedure Call features,” said Henry Smith, a senior security engineer at Automox, “which are essential for executing commands and transferring data between a client and server.” The attacker would first have to gain access to the target system, Smith explained, and then run a malicious application to exploit the vulnerability. “To mitigate this vulnerability, which already contains functional exploit code,” Smith says, “your most effective strategy is patching.”

Two Microsoft security vulnerabilities score 9.8 on the impact severity scale

The big news, however, should focus on not one but two security vulnerabilities that reached a huge 9.8 on the impact severity scale, according to Tyler Reguly, associate director for security research and development at Fortra. “While the Common Vulnerability Scoring System is not a risk indicator,” Reguly said, “scores of 9.8 often say quite a lot about where the problem lies.” CVE-2024-43498 is a vulnerability in .NET that could allow an unauthenticated, remote attacker to exploit .NET web apps with malicious requests. “Similarly, CVE-2024-43639 allows an unauthenticated attacker to attack Windows Kerberos to gain code execution,” Reguly warned.


Microsoft Windows users should update now

With the zero-days and four critical vulnerabilities in the mix, the Patch Tuesday security updates affect Microsoft users of Windows OS, Office, SQL Server, Exchange Server, .NET, and Visual Studio. “The Microsoft Windows OS updates should be your top priority this month as they fix both known and exploited vulnerabilities,” said Chris Goettl, vice president of security product management at Ivanti. Microsoft Exchange Server should also be a priority for organizations running it, Goettl concluded.