The very first thing we need to talk about today is Microsoft’s adoption of CSAF, the Common Security Advisory Framework, which they announced in a blog post. This is a huge win for the security community and a welcome addition to Microsoft’s security pages. CSAF, a standard maintained by OASIS, provides a standardized machine-readable document for each security advisory. The standard has already been adopted by many software vendors, and it is great to see Microsoft following suit.
This month we see four vulnerabilities where Microsoft warns about public disclosure or active exploitation, as well as one vulnerability where no customer action is required.
The vulnerability where no customer action is required has already been resolved on airlift.microsoft.com. That makes it an entirely informational advisory: no action is required from Microsoft customers.
Two of the vulnerabilities patched today have been publicly disclosed, one has been actively exploited, and another has been both publicly disclosed and actively exploited.
The disclosed and exploited vulnerability is a CVSS 6.5 vulnerability that allows disclosure of a user’s NTLMv2 hash to attackers with minimal interaction, such as clicking (left or right click) a malicious file. This is a case where we need to remember that CVSS scores measure vulnerability severity, not risk. The risk associated with leaking NTLMv2 hashes is not properly reflected in the CVSS score of this vulnerability; users should be aware of this and patch it as soon as possible.
The other actively exploited vulnerability, which according to Microsoft has not been publicly disclosed, affects the Windows Task Scheduler and allows attackers to elevate their privileges to Medium Integrity Level, letting them execute RPC functions that are typically restricted to privileged accounts.
The two publicly disclosed vulnerabilities include an elevation of privilege in Active Directory Certificate Services and a spoofing vulnerability in Microsoft Exchange Server.
The big news today is two vulnerabilities with a CVSS score of 9.8. While CVSS is not an indicator of risk, a 9.8 is usually a good indication of where the most serious issues are. We can see this in CVE-2024-43498, a vulnerability in .NET that allows an unauthenticated, remote attacker to exploit .NET web apps with malicious requests. Similarly, CVE-2024-43639 allows an unauthenticated attacker to attack Windows Kerberos in order to gain code execution.
One interesting note, which will likely be corrected soon, is that the November summary lists three vulnerabilities with a CVSS score of 9.8, implying that the third is CVE-2024-43640. However, reviewing that vulnerability shows that it is only a CVSS 7.8 vulnerability.
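With Microsoft now publishing CSAF, the severity-versus-risk point above and the 9.8 count discrepancy can both be checked directly from the machine-readable advisories rather than from the summary page. The script below is an added example, not code from Microsoft or this post: it parses constructed sample documents shaped like CSAF 2.0, ranks vulnerabilities by exploitation and disclosure status before CVSS score, and counts how many sit at a given score. The `Exploited:Yes` / `Publicly Disclosed:Yes` wording in the `exploit_status` threat entries is an assumption about how a vendor phrases that field.

```python
"""Triage CSAF 2.0 advisories: pull CVE, top CVSS v3 base score and
exploit status, then rank by risk signal rather than score alone."""
import json

# Constructed sample advisories shaped like CSAF 2.0 documents (assumption:
# vendor writes exploit status as "Publicly Disclosed:..;Exploited:..").
SAMPLE_CSAF = [json.dumps(d) for d in (
    {"document": {"tracking": {"id": "ADV-A"}},
     "vulnerabilities": [{"cve": "CVE-0000-0001",
        "scores": [{"cvss_v3": {"baseScore": 6.5}}],
        "threats": [{"category": "exploit_status",
                     "details": "Publicly Disclosed:Yes;Exploited:Yes"}]}]},
    {"document": {"tracking": {"id": "ADV-B"}},
     "vulnerabilities": [{"cve": "CVE-0000-0002",
        "scores": [{"cvss_v3": {"baseScore": 9.8}}],
        "threats": [{"category": "exploit_status",
                     "details": "Publicly Disclosed:No;Exploited:No"}]}]},
    {"document": {"tracking": {"id": "ADV-C"}},
     "vulnerabilities": [{"cve": "CVE-0000-0003",
        "scores": [{"cvss_v3": {"baseScore": 7.8}}], "threats": []}]},
)]


def summarize(doc: dict) -> list:
    """One record per vulnerability in a parsed CSAF document."""
    out = []
    for v in doc.get("vulnerabilities", []):
        scores = [s["cvss_v3"]["baseScore"]
                  for s in v.get("scores", []) if "cvss_v3" in s]
        flags = " ".join(t.get("details", "") for t in v.get("threats", [])
                         if t.get("category") == "exploit_status")
        out.append({"advisory": doc["document"]["tracking"]["id"],
                    "cve": v.get("cve", "n/a"),
                    "score": max(scores, default=0.0),
                    "exploited": "Exploited:Yes" in flags,
                    "disclosed": "Publicly Disclosed:Yes" in flags})
    return out


def triage(raw_docs: list) -> list:
    """Exploited first, then disclosed, then CVSS: an exploited 6.5
    outranks an unexploited 9.8, which is the risk ordering, not CVSS."""
    recs = [r for raw in raw_docs for r in summarize(json.loads(raw))]
    recs.sort(key=lambda r: (r["exploited"], r["disclosed"], r["score"]),
              reverse=True)
    return recs


def count_at_score(recs: list, score: float = 9.8) -> int:
    """How many advisories actually carry the given base score."""
    return sum(1 for r in recs if r["score"] == score)
```

Running `triage` over a full month's advisory set gives a patch order that puts the actively exploited NTLMv2-hash issue ahead of the unexploited 9.8s, and `count_at_score` reconciles the summary's count against the individual advisories.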