Admins can give thanks this November for dollops of Microsoft patches

Patch Tuesday Patch Tuesday has swung around again, and Microsoft has released fixes for 89 CVE-listed security flaws in its products – including two under active attack – and reissued three more.

According to the IT giant, the first exploited flaw – CVE-2024-49039 – would allow privilege escalation thanks to an error in Windows Task Scheduler. Redmond warns that the CVSS 8.8-rated issue can be – and apparently has been – exploited using a low-privilege AppContainer. The upshot is that someone or something rogue on a vulnerable computer can use the bug to meddle with the box in a way they shouldn't be able to.

"An attacker must first gain access to the system, subsequently running a specifically crafted application to exploit the vulnerability," explained Henry Smith, senior security engineer at Automox.

"This could lead to unauthorized execution of privileged RPC functions, potentially allowing the creation of new users or modification of system settings at a higher privilege level than the attacker initially possessed."

The second exploited vulnerability – CVE-2024-43451 – is an issue with Microsoft's NTLM code. The spoofing flaw can be used to obtain a victim's NTLMv2 hash, potentially allowing impersonation of that account. "Minimal interaction with a malicious file by a user such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing could trigger this vulnerability," the tech giant noted. This is presumably the reason it got a moderate CVSS 6.5 score.

Users of Azure CycleCloud should jump on CVE-2024-43602 – a CVSS 9.9 issue that would allow remote code execution. A rogue user could send a request to modify the configuration of a CycleCloud cluster and exploit the issue to gain root privileges. Microsoft classifies this as less likely to be exploited, but it's a potentially bad bug nevertheless.

Also of serious concern is CVE-2024-43498 – a CVSS 9.8 flaw in .NET and Visual Studio that could be exploited by someone sending malicious requests to a vulnerable .NET webapp or "by loading a specially crafted file into a vulnerable desktop app," Microsoft explained.

Another CVSS 9.8 issue – CVE-2024-43639 – is difficult to exploit though potentially devastating flaw: A malicious application could be built and used by an unauthenticated attacker to exploit "a cryptographic protocol vulnerability in Windows Kerberos," thereby achieving remote code execution. Ooof.

Best (and the worst) of the rest

The US government's CISA has added the Windows Task Scheduler and NTLMv2 issues to its Known Exploited Vulnerabilities Catalog. Also added were flaws in Atlassian Jira server and datacenter products that were addressed back in 2021, a decade-old flaw in Cisco's WebVPN login page, and a GeoJSON URL validation issue from 2021 that has attackers' eyes.

Also on Tuesday, CISA published its list of the top 15 most exploited vulnerabilities from the past year, featuring major technology vendors. Citrix vulnerabilities claimed the first and second spots, while Cisco followed closely with third and fourth. Microsoft appeared twice on the list, and you can read the whole thing here – along with an analysis of trends in the industry from the Five Eyes nations.

In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets

The agency reported that "in 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day."

CISA observed that "malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability," but gave some reassurance because "the utility of these vulnerabilities declines over time as more systems are patched or replaced. Malicious cyber actors find less utility from zero-day exploits when international cyber security efforts reduce the lifespan of zero-day vulnerabilities."

Speaking of Citrix, it joined the patch party on Tuesday, with fixes for two flaws in NetScaler ADC and NetScaler Gateway and another couple of medium-importance holes in Citrix Session Recording.

After going quiet last month, Intel released 47 patches across a broad spectrum of its processors that are still supported. AMD released a batch of eight security patches

Adobe has released its usual patch bundle, again with nearly 50 fixes. Adobe Photoshop, Bridge, Audition, After Effects, Substance 3D Painter, Illustrator, InDesign, and Commerce all get corrective code.

So it's time to get your patching priorities sorted and hopefully you'd be done before the turkey is. ®