Patch Tuesday: Four Critical Vulnerabilities Paved Over
On Patch Tuesday, Windows systems will be updated with a flood of security fixes. In November, Windows patched four zero-day vulnerabilities, two of which have been exploited.
Patch Tuesdays are a good time for admin teams to remind employees of the importance of keeping operating systems and applications up to date. In the meantime, software makers like Microsoft and Adobe will have caught problems and closed backdoors.
In addition, as XDA pointed out, sharp-eyed Windows users have a useful new option this month: remapping the Copilot key. This lets you use the AI button to launch the application of your choice instead.
Microsoft patches two actively exploited vulnerabilities
Microsoft patched two vulnerabilities attackers had already exploited: CVE-2024-49039 and CVE-2024-43451.
An attacker running a bespoke application exploited a bug in the Windows Task Scheduler, CVE-2024-49039, to elevate their privileges to a Medium Integrity Level. From there, they could execute RPC functions to call processes from a remote computer.
With CVE-2024-43451, an attacker can trick a user into interacting with a malicious file, then discover that user’s NTLMv2 hash and spoof their credentials.
“To stay fully protected, we recommend that customers who install Security Only updates install the IE Cumulative updates for this vulnerability,” Microsoft recommended.
Other notable vulnerabilities target Windows domains and permissions
Ben McCarthy, lead cybersecurity engineer at Immersive Labs, pointed out CVE-2024-43639 as “one of the most threatening CVEs from this patch release.”
CVE-2024-43639 lets attackers execute code within a Windows domain. It originates in Kerberos, an authentication protocol.
“Windows domains are used in the majority of enterprise networks,” McCarthy told TechRepublic in an email, “and by taking advantage of a cryptographic protocol vulnerability, an attacker can perform privileged acts on a remote machine within the network, potentially giving them eventual access to the domain controller, which is the goal for many attackers when attacking a domain.”
An elevation of privilege vulnerability, CVE-2024-49019, originated in certain certificates created using the version 1 certificate template in a Public Key Infrastructure environment. Microsoft said administrators should look out for certificates in which the Source of the subject name is set to “Supplied in the request” and the Enroll permissions are granted to a broader set of accounts, such as domain users or domain computers.
“This is typically a misconfiguration, and certificates created from templates like the Web Server template could be affected,” said McCarthy. “However, the Web Server template is not vulnerable by default because of its restricted enroll permissions.”
Along with installing the patch updates, Microsoft said one mitigation for this vulnerability is to avoid applying overly broad enrollment permissions to certificates.
Microsoft has not detected attackers using this vulnerability. However, “because it is related to Windows domains and is used heavily across enterprise organizations, it is very important to patch this vulnerability and look for misconfigurations that could be left behind,” McCarthy said.
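The check Microsoft describes for CVE-2024-49019 can be run against Active Directory with a short audit script. The PowerShell below is an added example, not code from Microsoft or from this article. The attribute names and the Certificate-Enrollment right GUID come from the AD schema rather than the page, and the list of "broad" principals (matched by their English names) is an assumption to adjust for your environment.

```powershell
# Added example: list version 1 certificate templates where the subject name is
# "Supplied in the request" and a broad group is allowed to enroll.
# Requires the RSAT ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

$EnrollGuid      = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$AnyRight        = [guid]::Empty                                 # ACE not scoped to one right
$SuppliesSubject = 0x1                                           # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
$ExtendedRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
# Assumption: which principals count as "a broader set of accounts" (English names).
$BroadPattern = '(^|\\)(Domain Users|Domain Computers|Authenticated Users|Everyone)$'

$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$props    = 'msPKI-Template-Schema-Version', 'msPKI-Certificate-Name-Flag', 'nTSecurityDescriptor'

$findings = Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
  Where-Object {
    # Version 1 template whose subject name comes from the request
    $_.'msPKI-Template-Schema-Version' -eq 1 -and
    ($_.'msPKI-Certificate-Name-Flag' -band $SuppliesSubject)
  } |
  ForEach-Object {
    $template = $_
    $template.nTSecurityDescriptor.Access |
      Where-Object {
        # Allow ACE for a broad principal that carries the Enroll right.
        # GenericAll includes the ExtendedRight bit, so full-control ACEs match too.
        $_.AccessControlType -eq 'Allow' -and
        "$($_.IdentityReference)" -match $BroadPattern -and
        $_.ActiveDirectoryRights.HasFlag($ExtendedRight) -and
        ($_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq $AnyRight)
      } |
      ForEach-Object {
        [pscustomobject]@{
          Template  = $template.Name
          Principal = "$($_.IdentityReference)"
          Rights    = $_.ActiveDirectoryRights
        }
      }
  }

$findings | Sort-Object Template, Principal | Format-Table -AutoSize
```

An empty result means no template met all three conditions. Each row returned is a template to review for narrower Enroll permissions, in line with the mitigation above.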
Microsoft repairs four critical vulnerabilities
Four vulnerabilities this month were listed as critical:
- CVE-2024-43498, a Type Confusion flaw in .NET and Visual Studio applications that could allow for remote code execution.
- CVE-2024-49056, an elevation of privilege vulnerability on airlift.microsoft.com.
- CVE-2024-43625, an elevation of privilege vulnerability in the Hyper-V host execution environment.
- CVE-2024-43639 is detailed above.
A complete list of Windows security updates from Nov. 12 can be found at Microsoft Support.