Microsoft closed out its Patch Tuesday updates for 2024 with fixes for a total of 72 security flaws spanning its software portfolio, including one that it said has been exploited in the wild.
Of the 72 flaws, 17 are rated Critical, 54 are rated Important, and one is rated Moderate in severity. Thirty-one of the vulnerabilities are remote code execution flaws, and 27 of them allow for the elevation of privileges.
This is in addition to 13 vulnerabilities the company has addressed in its Chromium-based Edge browser since the release of last month’s security update. In total, Microsoft has resolved as many as 1088 vulnerabilities in 2024 alone, per Fortra.
The vulnerability that Microsoft has acknowledged as having been actively exploited is CVE-2024-49138 (CVSS score: 7.8), a privilege escalation flaw in the Windows Common Log File System (CLFS) Driver.
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” the company said in an advisory, crediting cybersecurity company CrowdStrike for discovering and reporting the flaw.
It’s worth noting that CVE-2024-49138 is the fifth actively exploited CLFS privilege escalation flaw since 2022 after CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, and CVE-2023-28252 (CVSS scores: 7.8). It’s also the ninth vulnerability in the same component to be patched this year.
“Though in-the-wild exploitation details aren’t known yet, looking back at the history of CLFS driver vulnerabilities, it is interesting to note that ransomware operators have developed a penchant for exploiting CLFS elevation of privilege flaws over the last few years,” Satnam Narang, senior staff research engineer at Tenable, told The Hacker News.
“Unlike advanced persistent threat groups that typically focus on precision and patience, ransomware operators and affiliates are focused on the smash and grab tactics by any means necessary. By using elevation of privilege flaws like this one in CLFS, ransomware affiliates can move through a given network in order to steal and encrypt data and begin extorting their victims.”
The fact that CLFS has become an attractive attack pathway for malicious actors has not gone unnoticed by Microsoft, which said it’s working to add a new verification step when parsing such log files.
“Instead of trying to validate individual values in logfile data structures, this security mitigation provides CLFS the ability to detect when log files have been modified by anything other than the CLFS driver itself,” Microsoft noted in late August 2024. “This has been accomplished by adding Hash-based Message Authentication Codes (HMAC) to the end of the log file.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply necessary remediations by December 31, 2024.
The bug with the highest severity in this month’s release is a remote code execution flaw impacting Windows Lightweight Directory Access Protocol (LDAP). It’s tracked as CVE-2024-49112 (CVSS score: 9.8).
“An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through a specially crafted set of LDAP calls to execute arbitrary code within the context of the LDAP service,” Microsoft said.
Also of note are two other remote code execution flaws impacting Windows Hyper-V (CVE-2024-49117, CVSS score: 8.8), Remote Desktop Client (CVE-2024-49105, CVSS score: 8.4), and Microsoft Muzic (CVE-2024-49063, CVSS score: 8.4).
The development comes as 0patch released unofficial fixes for a Windows zero-day vulnerability that allows attackers to capture NT LAN Manager (NTLM) credentials. Additional details about the flaw have been withheld until an official patch becomes available.
“The vulnerability allows an attacker to obtain user’s NTLM credentials by simply having the user view a malicious file in Windows Explorer – e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker’s web page,” Mitja Kolsek said.
In late October, free unofficial patches were also made available to address a Windows Themes zero-day vulnerability that allows attackers to steal a target’s NTLM credentials remotely.
0patch has also issued micropatches for another previously unknown vulnerability on Windows Server 2012 and Server 2012 R2 that allows an attacker to bypass Mark-of-the-Web (MotW) protections on certain types of files. The issue is believed to have been introduced over two years ago.
With NTLM coming under extensive exploitation via relay and pass-the-hash attacks, Microsoft has announced plans to deprecate the legacy authentication protocol in favor of Kerberos. Furthermore, it has taken the step of enabling Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019.
Microsoft said it has rolled out a similar security improvement to Azure Directory Certificate Services (AD CS) by enabling EPA by default with the release of Windows Server 2025, which also removes support for NTLM v1 and deprecates NTLM v2. These changes also apply to Windows 11 24H2.
“Additionally, as part of the same Windows Server 2025 release, LDAP now has channel binding enabled by default,” Redmond’s security team said earlier this week. “These security enhancements mitigate risk of NTLM relaying attacks by default across three on-premise services: Exchange Server, Active Directory Certificate Services (AD CS), and LDAP.”
“As we progress towards disabling NTLM by default, immediate, short-term changes, such as enabling EPA in Exchange Server, AD CS, and LDAP reinforce a ‘secure by default’ posture and safeguard users from real-world attacks.”
Software Patches from Other Vendors
Outside Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —
