Microsoft releases security patches for vulnerabilities in its products on the second Tuesday of each month. Immersive Labs' Cyber Threat Research Team reviews these patch notes for the standout vulnerabilities you need to know about.
CVE-2024-43572 - 7.8 - Microsoft Management Console Remote Code Execution Vulnerability
Top of the list for patching should be a vulnerability in the Microsoft Management Console. While the CVSS score is not the highest in the patch notes, it is being actively exploited in the wild by threat actors and warrants immediate attention.
While the notes say “Remote code execution”, this vulnerability requires user interaction and some degree of social engineering.
To exploit it, an attacker must craft a malicious .msc file that, if opened, runs arbitrary code or commands that allow the threat actor to compromise the host.
Such a file would typically be sent via email as an attachment or as a link to a download. After patching, security teams and threat hunters should proactively check historical logs for indicators of these files being sent and received.
Organizations unable to deploy patches quickly should, in the meantime, add monitoring and blocking rules targeting the .msc file extension.
The fix deployed by Microsoft prevents untrusted .msc files from being executed.
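The log check described above, as an added example that is not part of the original post: a small Python scan over mail-gateway log lines that flags .msc attachments case-insensitively and rates double-extension lures (such as report.pdf.msc) higher. The log format and the sample lines are constructed; real gateways will need their own parser.

```python
import re
from dataclasses import dataclass

# Constructed sample mail-gateway log lines (assumed format:
# "<ts> <sender> -> <recipient> attachment=<name> size=<bytes>"); real gateways differ.
SAMPLE_LOG = """\
2024-10-09T08:12:41Z billing@vendor.test -> alice@corp.test attachment=invoice_q3.pdf size=48211
2024-10-09T08:15:03Z it-help@support.test -> bob@corp.test attachment=Console_Fix.MSC size=2210
2024-10-09T08:20:19Z news@corp.test -> all@corp.test attachment=newsletter.docx size=150021
2024-10-09T09:01:55Z admin@tools.test -> carol@corp.test attachment=report.pdf.msc size=1987
2024-10-09T09:30:00Z hr@corp.test -> dave@corp.test attachment=policy.msc.txt size=3000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sender>\S+) -> (?P<rcpt>\S+) "
    r"attachment=(?P<name>\S+) size=(?P<size>\d+)$"
)

@dataclass
class Finding:
    ts: str
    sender: str
    recipient: str
    attachment: str
    reason: str

def is_msc_attachment(name: str) -> bool:
    """True when the last extension is .msc (Windows dispatches on the last one,
    so 'policy.msc.txt' is a text file, not a console file)."""
    return name.lower().endswith(".msc")

def find_msc_attachments(log_text: str) -> list[Finding]:
    """Scan gateway log text and return every .msc attachment seen."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; count these in production
        name = m["name"]
        if not is_msc_attachment(name):
            continue
        # A second extension (report.pdf.msc) is a classic lure and rates higher.
        reason = "msc attachment" + (" with double extension" if name.count(".") > 1 else "")
        findings.append(Finding(m["ts"], m["sender"], m["rcpt"], name, reason))
    return findings

if __name__ == "__main__":
    for f in find_msc_attachments(SAMPLE_LOG):
        print(f"{f.ts} {f.sender} -> {f.recipient}: {f.attachment} ({f.reason})")
```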
CVE-2024-43609 - 6.5 - Microsoft Office Spoofing Vulnerability
While not actively exploited in the wild, CVE-2024-43609 should be one to pay closer attention to, as Microsoft has listed it as “Exploitation More Likely”. This vulnerability affects Microsoft Office and allows an attacker to gain access to the NTLM credentials of any user interacting with the documents. If an attacker is able to read the NTLM hash, they can use it in a common attack known as “Pass the Hash”, where the attacker authenticates as the user without knowing their password, which is where the “spoofing” part of the vulnerability description comes from.
This type of attack is frequently exploited by threat actors in the wild, leading to remote exploitation. Organizations should follow Microsoft's guidance on blocking outbound SMB ports and configuring network security policies related to NTLM traffic.
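The egress control above can be verified from firewall logs. As an added example (not part of the original post), this Python check flags SMB connections (TCP 445 and 139) from internal hosts to addresses outside the configured internal ranges; an ALLOW means the egress block is missing. The log format, the sample lines and the internal ranges are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample firewall log lines (assumed format:
# "<ts> <ALLOW|DENY> TCP <src>:<sport> -> <dst>:<dport>"); real firewalls differ.
SAMPLE_FW_LOG = """\
2024-10-09T10:00:01Z ALLOW TCP 10.1.5.23:51234 -> 10.1.2.10:445
2024-10-09T10:00:07Z ALLOW TCP 10.1.5.23:51240 -> 203.0.113.45:445
2024-10-09T10:00:09Z ALLOW TCP 10.1.5.23:51241 -> 203.0.113.45:443
2024-10-09T10:01:30Z DENY TCP 10.1.7.8:49800 -> 198.51.100.7:139
2024-10-09T10:02:00Z ALLOW TCP 10.1.7.8:49801 -> 198.51.100.7:445
"""

SMB_PORTS = {445, 139}  # SMB over TCP and the NetBIOS session service
# Assumed internal address space; replace with your organisation's real ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+TCP\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def is_external(addr: str) -> bool:
    """True when the address is outside every configured internal range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def outbound_smb_to_internet(log_text: str, allowed_only: bool = True) -> list[tuple]:
    """Return (ts, src, dst, dport) for SMB connections leaving the network.
    An ALLOW means the egress block is missing; a DENY still names a host that
    tried to reach an external SMB server, which is worth triage."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        dport = int(m["dport"])
        if dport not in SMB_PORTS or not is_external(m["dst"]):
            continue
        if allowed_only and m["action"] != "ALLOW":
            continue
        hits.append((m["ts"], m["src"], m["dst"], dport))
    return hits

if __name__ == "__main__":
    for ts, src, dst, dport in outbound_smb_to_internet(SAMPLE_FW_LOG):
        print(f"{ts} {src} -> {dst}:{dport} outbound SMB allowed (egress rule missing)")
```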
CVE-2024-43573 - 6.5 - Windows MSHTML Platform Spoofing Vulnerability
This vulnerability has been discovered within the MSHTML platform used by certain Microsoft applications, including Internet Explorer mode in Microsoft Edge.
The vulnerability allows an attacker to trick users into viewing malicious web content, which could appear legitimate due to the way the platform handles certain web elements. Once a user is deceived into interacting with this content (typically through phishing attacks), the attacker can potentially gain unauthorized access to sensitive information or manipulate web-based services. Importantly, this attack requires no special permissions or knowledge of the user’s system, making it relatively easy for cybercriminals to execute.
Rated at 6.5 out of 10 in severity, the vulnerability has already been exploited by attackers, making it a serious concern for large organizations that still rely on legacy web applications within their environment. For example, many larger and more mature organizations may still use Internet Explorer due to the need for compatibility with certain internal applications.
Despite Internet Explorer being retired on many platforms, its underlying MSHTML technology remains active and vulnerable. This creates a risk for employees using these older systems as part of their everyday work, especially if they are accessing sensitive data or performing financial transactions online.
To address this issue, Microsoft includes fixes for the MSHTML platform in its Internet Explorer Cumulative Updates. It’s crucial for businesses, especially those with legacy systems, to ensure they apply these updates regularly to remain protected from potential attacks.
CVE-2024-43582 - 8.1 - Remote Desktop Protocol Server Remote Code Execution Vulnerability
This use-after-free vulnerability in the Remote Desktop Protocol (RDP) service, affecting Windows Server from version 2019 and Windows 10 (1809) onwards, can lead to remote code execution and has been patched by Microsoft. Little is known about the vulnerability, except that it can be exploited by an unauthenticated attacker sending a malformed packet to an RPC host, which could lead to execution with the same permissions as the RPC service. If this description refers to the RPCSS service, then although that service runs as NETWORK SERVICE, escalation to SYSTEM afterwards would be trivial given the permissions afforded to that account and the availability of ‘potato’ exploits.
It should be assumed that any successful exploitation of this vulnerability will lead to complete compromise of the targeted system. In environments where RDP is heavily used for system management, or where Remote Desktop Gateway (RDG) is used to give users access to secure environments (RDG does allow RPC interaction over HTTP/S), patching should be considered a priority.
Vulnerabilities in RDP are quite rare, and Microsoft assesses that exploitation is difficult and less likely. However, now that details of an issue have been released and researchers begin reversing the newly released patches, it may only be a matter of time before in-the-wild exploitation is seen.
An exploit of this nature would be highly prized by ransomware groups, because it allows an attacker total compromise of a system without knowledge of any credentials and could help them reach high-value targets, such as Domain Controllers. It could also be used to launch the destructive phase of an attack across the entire domain.
CVE-2024-43583 - 6.8 - Winlogon Elevation of Privilege Vulnerability
This vulnerability has been identified in the Winlogon process.
Winlogon is responsible for handling secure user logins in Windows. This vulnerability, rated 6.8 out of 10 in severity, allows an attacker with local access to a machine to elevate their privileges to SYSTEM level, which is the highest level of access in Windows. This could enable the attacker to take full control of the affected system, manipulate settings, access sensitive data, or install malicious software.
Although much remains uncertain given the limited information provided by Microsoft, the local nature of this vulnerability means the attacker needs physical access to the machine or must already be logged in, making it similar to kiosk-breakout scenarios in which restricted environments can be bypassed. This makes it a concern for public kiosks, shared computers, or any device that restricts user access but could still be exploited by someone with local access.
To protect against this vulnerability, it’s important to ensure that a Microsoft first-party Input Method Editor (IME) is enabled on your device. IMEs are used to input complex characters during the sign-in process, and third-party IMEs could be vulnerable to attack. This is particularly relevant when installing language packs for your keyboard, as some third-party IMEs can be exploited during login. By using a Microsoft IME, you can minimize the risk of this vulnerability being exploited during the sign-in process.