Security operations · 2 MIN READ · MATT JASTRAM · NOV 13, 2024 · TAGS: MDR
TL;DR
- November had fewer CVEs than we saw in October
- We’ve highlighted two CVEs that you should focus on remediating ASAP
- Both CVEs can be resolved by updating your Microsoft tools based on their provided recommendations
This Patch Tuesday includes 89 published CVEs from Microsoft.
For November’s Patch Tuesday, our team took a look at the 90 CVEs released today. CISA didn’t hesitate to quickly add two CVEs to their Known Exploited Vulnerability (KEV) database, with the typical four-week remediation timeline.
To address risky vulnerabilities, Expel focuses 100% on actual exploitation risk. Although we conduct a monthly review of Microsoft’s massive CVE list, we recognize only a small percentage will ever be leveraged by threat actors. Our goal is to ensure our customers’ remediation is focused, and significantly reduce their level of effort!
Microsoft’s November release continues to yield numerous CVEs, but this month was 23% down from what we saw in October. CISA added two of them to their KEV database with a short remediation timeline: a 12/3/2024 due date for federal agencies and companies with policies aligned with CISA. The two vulnerabilities added to the KEV today were our focus this month and are summarized here:
- NTLM Hash Disclosure Spoofing Vulnerability: This zero-day vulnerability has already been exploited in the wild. Attackers exploit CVE-2024-43451 by disguising a specially prepared file and tricking a user into opening it. Once the user is tricked, their NTLMv2 hash is disclosed, and threat actors can use the stolen hash to authenticate as that user. Microsoft had a similar issue with another CVE (CVE-2024-30081) in July’s Patch release. If you’re impacted by this CVE, we strongly recommend remediating by installing one of the listed Microsoft product updates to reduce exploit risk.
- Windows Task Scheduler Elevation of Privilege Vulnerability: According to Microsoft, CVE-2024-49039 is a zero-day vulnerability with exploit code readily available. Threat actors could leverage Windows Task Scheduler from a lower-privileged AppContainer account and then escalate to privileges they were never granted. Once a threat actor has a higher level of access, they’re able to remotely execute code with these higher privileges. If you’re impacted by this CVE, we strongly recommend remediating by identifying and installing the Microsoft product update to reduce exploit risk.
That’s it for this month. If you have any questions about these specific vulnerabilities (or others on the Patch Tuesday list)—or if you’re interested in learning how Expel Vulnerability Prioritization can give you context for your own environment—get in touch.