Microsoft Corp. today pushed software updates to plug more than 70 security holes in its Windows operating systems and related products, including two zero-day vulnerabilities that are already being exploited in active attacks.
Top of the heap on this Fat Patch Tuesday is CVE-2024-21412, a “security feature bypass” in the way Windows handles Internet Shortcut Files that Microsoft says is being targeted in active exploits. Redmond’s advisory for this bug says an attacker would need to convince or trick a user into opening a malicious shortcut file.
Researchers at Trend Micro have tied the ongoing exploitation of CVE-2024-21412 to an advanced persistent threat group dubbed “Water Hydra,” which they say has been using the vulnerability to execute a malicious Microsoft Installer File (.msi) that in turn unloads a remote access trojan (RAT) onto infected Windows systems.
The other zero-day flaw is CVE-2024-21351, another security feature bypass, this one in the built-in Windows SmartScreen component that tries to screen out potentially malicious files downloaded from the Web. Kevin Breen at Immersive Labs says it’s important to note that this vulnerability alone is not enough for an attacker to compromise a user’s workstation, and instead would likely be used in conjunction with something like a spear phishing attack that delivers a malicious file.
Satnam Narang, senior staff research engineer at Tenable, said this is the fifth vulnerability in Windows SmartScreen patched since 2022 and all five have been exploited in the wild as zero-days. They include CVE-2022-44698 in December 2022, CVE-2023-24880 in March 2023, CVE-2023-32049 in July 2023 and CVE-2023-36025 in November 2023.
Narang called particular attention to CVE-2024-21410, an “elevation of privilege” bug in Microsoft Exchange Server that Microsoft says is likely to be exploited by attackers. Attacks on this flaw would lead to the disclosure of NTLM hashes, which could be leveraged as part of an NTLM relay or “pass the hash” attack, which lets an attacker masquerade as a legitimate user without ever having to log in.
“We know that flaws that can disclose sensitive information like NTLM hashes are very valuable to attackers,” Narang said. “A Russian-based threat actor leveraged a similar vulnerability to carry out attacks – CVE-2023-23397 is an Elevation of Privilege vulnerability in Microsoft Outlook patched in March 2023.”
Microsoft notes that prior to its Exchange Server 2019 Cumulative Update 14 (CU14), a security feature called Extended Protection for Authentication (EPA), which provides NTLM credential relay protections, was not enabled by default.
“Going forward, CU14 enables this by default on Exchange servers, which is why it is important to upgrade,” Narang said.
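Because EPA is the relay protection the CU14 note is about, an administrator will want to verify that it is actually enforced rather than assume the upgrade turned it on. The script below is an added example, not code from the article, from Microsoft or from Tenable. It assumes it runs on the Exchange server itself with the IIS WebAdministration module available, and that the front-end applications live under the IIS default site name 'Default Web Site'; the helper name Get-EpaStatus is made up for this example. It reads the IIS windowsAuthentication/extendedProtection setting for the site root and every application beneath it (owa, ecp, ews, mapi and so on) and flags any where tokenChecking is still 'None', the value that leaves NTLM authentication relayable.

```powershell
# Added example: report Extended Protection for Authentication (EPA) status
# on an Exchange server's IIS front end. Assumes the IIS WebAdministration
# module is present and the site is named 'Default Web Site'.
Import-Module WebAdministration

# IIS configuration section that holds the extendedProtection element
$WinAuthFilter = 'system.webServer/security/authentication/windowsAuthentication'

function Get-EpaStatus {
    param([string]$SiteName = 'Default Web Site')

    # Start with the site root, then add each web application under it.
    $targets = @("IIS:\Sites\$SiteName")
    $targets += Get-WebApplication -Site $SiteName |
        ForEach-Object { "IIS:\Sites\$SiteName$($_.path)" }

    foreach ($path in $targets) {
        # Is Windows (NTLM/Kerberos) authentication even enabled here?
        $winAuth = Get-WebConfigurationProperty -PSPath $path -Filter $WinAuthFilter -Name 'enabled'
        # tokenChecking is None, Allow or Require; anything but None binds the
        # authentication to the TLS channel so a relayed token is rejected.
        $ep = Get-WebConfiguration -PSPath $path -Filter "$WinAuthFilter/extendedProtection"
        $tokenChecking = [string]$ep.tokenChecking

        [pscustomobject]@{
            Path          = $path
            WindowsAuth   = [bool]$winAuth.Value
            TokenChecking = $tokenChecking
            EpaEnforced   = ([bool]$winAuth.Value -and $tokenChecking -ne 'None')
        }
    }
}

# Print every application, with the ones still exposed to NTLM relay first.
Get-EpaStatus | Sort-Object EpaEnforced | Format-Table -AutoSize
```

Any row with WindowsAuth set to True and TokenChecking still at None is a front end on which the CU14 default has not taken effect and which Microsoft's own Exchange Extended Protection guidance should be applied to; the script only reads configuration and changes nothing.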
Rapid7’s lead software engineer Adam Barnett highlighted CVE-2024-21413, a critical remote code execution bug in Microsoft Office that could be exploited simply by viewing a specially-crafted message in the Outlook Preview pane.
“Microsoft Office typically shields users from a variety of attacks by opening files with Mark of the Web in Protected View, which means Office will render the document without fetching potentially malicious external resources,” Barnett said. “CVE-2024-21413 is a critical RCE vulnerability in Office which allows an attacker to cause a file to open in editing mode as though the user had agreed to trust the file.”
Barnett stressed that administrators responsible for Office 2016 installations who apply patches outside of Microsoft Update should note the advisory lists no fewer than five separate patches which need to be installed to achieve remediation of CVE-2024-21413; individual update knowledge base (KB) articles further note that partially-patched Office installations will be blocked from starting until the correct combination of patches has been installed.
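The Mark of the Web that Barnett refers to is nothing more than a small NTFS alternate data stream named Zone.Identifier that the browser or mail client attaches to a downloaded file; Protected View keys off the ZoneId it records. The script below is an added example, not code from the article or from Microsoft, that reads that stream so an analyst can see why a given file did or did not open in Protected View. It writes a constructed sample file to $env:TEMP and stamps it with a constructed Zone.Identifier stream so it runs without a real download; the helper name Get-MarkOfTheWeb is made up for this example. The zone numbers follow the Windows URL security zones (3 is Internet, 4 is Restricted Sites), which are the zones Office treats as untrusted.

```powershell
# Added example: inspect the Zone.Identifier alternate data stream that carries
# a file's Mark of the Web. Requires an NTFS volume.

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)

    # Windows URL security zone ids as recorded in the ZoneId= line
    $zoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

    try {
        $raw = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        # No stream at all: the file carries no Mark of the Web, so Office
        # would open it for editing without Protected View.
        return [pscustomobject]@{ Path = $Path; HasMotW = $false; ZoneId = $null; Zone = 'none'; ProtectedView = $false }
    }

    $zoneLine = $raw | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    $zoneId   = if ($zoneLine) { [int]($zoneLine -replace '^ZoneId=', '') } else { $null }

    [pscustomobject]@{
        Path          = $Path
        HasMotW       = $true
        ZoneId        = $zoneId
        Zone          = if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { 'unknown' }
        # Office's Protected View applies to Internet (3) and Restricted (4) zone files.
        ProtectedView = ($zoneId -in 3, 4)
    }
}

# Constructed sample: a throwaway document stamped as downloaded from the Internet.
$sample = Join-Path $env:TEMP 'motw-sample.docx'
Set-Content -Path $sample -Value 'constructed sample content'
Set-Content -Path $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

# A second constructed file with no stream, for comparison.
$local = Join-Path $env:TEMP 'motw-local.docx'
Set-Content -Path $local -Value 'constructed local content'

Get-MarkOfTheWeb -Path $sample
Get-MarkOfTheWeb -Path $local

Remove-Item $sample, $local -Force
```

The first object reports HasMotW True, Zone Internet and ProtectedView True; the second reports no stream. The point of the comparison is that the protection Barnett describes depends entirely on that stream being present and honoured, which is exactly what a bug such as CVE-2024-21413 bypasses.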
It’s a good idea for Windows end-users to stay current with security updates from Microsoft, which can quickly pile up otherwise. That doesn’t mean you have to install them on Patch Tuesday. Indeed, waiting a day or three before updating is a sane response, given that sometimes updates go awry and usually within a few days Microsoft has fixed any issues with its patches. It’s also smart to back up your data and/or image your Windows drive before applying new updates.
For a more detailed breakdown of the individual flaws addressed by Microsoft today, check out the SANS Internet Storm Center’s list. For those admins responsible for maintaining larger Windows environments, it often pays to keep an eye on Askwoody.com, which frequently points out when specific Microsoft updates are creating problems for a large number of users.