Microsoft's November 2024 Patch Tuesday addressed 91 vulnerabilities. This includes four zero-days, two of which were actively exploited in attacks.
The patch cycle included fixes for 26 elevation of privilege vulnerabilities, two security feature bypass vulnerabilities, 52 remote code execution vulnerabilities, one information disclosure vulnerability, four denial of service vulnerabilities, and three spoofing vulnerabilities. The actively exploited zero-day was CVE-2024-49039, discovered by Vlad Stolyarov and Bahare Sabouri of Google’s Threat Analysis Group. It lets a malicious app gain more control than it should (Medium Integrity Level), potentially allowing access to restricted functions. Although exploitation requires a specially crafted app, this elevation of privilege allows escape from AppContainer sandboxes, expanding the impact of an attack.
Three other vulnerabilities were publicly disclosed but were not confirmed to be actively exploited in attacks. The first is CVE-2024-43451, discovered by Israel Yeshurun of ClearSky Cyber Security. It discloses NTLMv2 hashes to attackers; in plain English, it leaks a user's login information (NTLM hash) if they simply click or right-click on a malicious file. To be clear, the file has to be downloaded but does not need to be run; left- or right-clicking it is enough to trigger the leak. Upon success, attackers can then impersonate the user. Keep in mind that the original source seems to have made a typo and put "CVE-2024-43491" as being corrected instead of "CVE-2024-43451," but there is no other mention of CVE-2024-43491, and there is a correction for CVE-2024-43451, so we put two and two together. The vulnerability was initially thought to be exploited but, after a clarification from Microsoft, seems not to have been.
The other two vulnerabilities are CVE-2024-49040 and CVE-2024-49019. CVE-2024-49040, discovered by Slonser at Solidlab, allowed attackers to spoof sender email addresses in emails to local recipients on Microsoft Exchange Server. CVE-2024-49019, discovered by Lou Scicchitano, Scot Berner, and Justin Bollinger with TrustedSec, allowed attackers to gain domain administrator privileges by abusing built-in default version 1 certificate templates.
The best way to fight these vulnerabilities is to keep your PC up to date. These updates will be rolled out to all supported Windows 10 and Windows 11 PCs over the coming days.
Source: Bleeping Computer