Tag Archives: Microsoft

About Spoofing – Windows NTLM (CVE-2024-43451) vulnerability

About Spoofing – Windows NTLM (CVE-2024-43451) vulnerability. The vulnerability is from the November Microsoft Patch Tuesday. It immediately showed signs of being exploited in the wild. The vulnerability is related to the outdated MSHTML platform, which is still used in Windows. To exploit the vulnerability, the user must minimally interact with the malicious URL file: right-click on it, delete it, or move it to another folder. There is no need to open the malicious file. As a result, the attacker receives the user’s NTLMv2 hash, which he can use for authentication.

According to ClearSky, the vulnerability is used to distribute Spark RAT, an open-source remote access Trojan.

На русском

About Spoofing – Microsoft Exchange (CVE-2024-49040) vulnerability

Leave a reply

About Spoofing – Microsoft Exchange (CVE-2024-49040) vulnerability. The vulnerability is from the November Microsoft Patch Tuesday. An incorrectly formulated P2 FROM header processing policy allows an attacker to make his email address look legitimate to the victim (for example, like a work colleague’s address). Which, of course, significantly increases the effectiveness of phishing attacks. The vulnerabilities affect Exchange Server 2019 and Exchange Server 2016.

Microsoft has paused the rollout of the initial patches published on November 12. Their installation led to crashes. New fixes were published by Microsoft only on November 27.

Kaspersky has already observed attempts to exploit this vulnerability. They wrote about this in a blog post on November 26.

На русском

December Microsoft Patch Tuesday

Leave a reply

December Microsoft Patch Tuesday. 89 CVEs, of which 18 were added since November MSPT. 1 vulnerability with signs of exploitation in the wild:

EoP – Windows Common Log File System Driver (CVE-2024-49138). There are no details about this vulnerability yet.

Strictly speaking, there was another vulnerability that was exploited in the wild: EoP – Microsoft Partner Network (CVE-2024-49035). But this is an already fixed vulnerability in the Microsoft website and I’m not even sure that it was worth creating a CVE.

For the remaining vulnerabilities, there are no signs of exploitation in the wild, nor exploits (even private ones).

I can highlight:

RCE – Windows LDAP (CVE-2024-49112, CVE-2024-49127)
RCE – Windows LSASS (CVE-2024-49126)
RCE – Windows Remote Desktop Services (CVE-2024-49106 и ещё 8 CVE)
RCE – Microsoft MSMQ (CVE-2024-49122, CVE-2024-49118)
RCE – Microsoft SharePoint (CVE-2024-49070)

Full Vulristics report

На русском

About Elevation of Privilege – Windows Task Scheduler (CVE-2024-49039) vulnerability

Leave a reply

About Elevation of Privilege – Windows Task Scheduler (CVE-2024-49039) vulnerability. It was released on November Microsoft Patch Tuesday and showed signs of exploitation in the wild right away. To exploit the vulnerability, an authenticated attacker runs a specially crafted application on the target system. The attack can be performed from an AppContainer restricted environment. Using this vulnerability, an attacker can elevate their privileges to Medium Integrity level and gain the ability to execute RPC functions that are restricted to privileged accounts only.

ESET reports that the vulnerability allowed the RomCom attackers to execute malicious code outside the Firefox sandbox and then launch hidden PowerShell processes to download and run malware from C&C servers.

There is a backdoor code on GitHub that exploits this vulnerability.

На русском

New episode “In The Trend of VM” (#9): 4 trending vulnerabilities of October, scandal at The Linux Foundation, social “attack on the complainer”, “Ford’s method” for motivating IT specialists to fix vulnerabilities

Leave a reply

New episode “In The Trend of VM” (#9): 4 trending vulnerabilities of October, scandal at The Linux Foundation, social “attack on the complainer”, “Ford’s method” for motivating IT specialists to fix vulnerabilities. The competition for the best question on the topic of VM continues.

Video on YouTube, LinkedIn
Post on Habr (rus)
Digest on the PT website

Content:

00:37 Elevation of Privilege – Microsoft Streaming Service (CVE-2024-30090)
01:46 Elevation of Privilege – Windows Kernel-Mode Driver (CVE-2024-35250)
02:38 Spoofing – Windows MSHTML Platform (CVE-2024-43573)
03:43 Remote Code Execution – XWiki Platform (CVE-2024-31982)
04:44 The scandal with the removal of Russian maintainers at The Linux Foundation, its impact on security and possible consequences.
05:22 Social “Attack on the complainer“
06:35 “Ford’s method” for motivating IT staff to fix vulnerabilities: will it work?
08:00 About the digest, habr and the question contest
08:29 Backstage

На русском

November Microsoft Patch Tuesday

Leave a reply

November Microsoft Patch Tuesday. 125 CVEs, 35 of which were added since October MSPT. 2 vulnerabilities with signs of exploitation in the wild:

Elevation of Privilege – Windows Task Scheduler (CVE-2024-49039)
Disclosure/Spoofing – NTLM Hash (CVE-2024-43451)

No signs of exploitation, but with a private PoC of the exploit:

Remote Code Execution – Microsoft Edge (CVE-2024-43595, CVE-2024-43596)
Authentication Bypass – Azure Functions (CVE-2024-38204)
Authentication Bypass – Microsoft Dataverse (CVE-2024-38139)
Spoofing – Microsoft Exchange (CVE-2024-49040)

Among the rest can be highlighted:

Remote Code Execution – Windows Kerberos (CVE-2024-43639)
Elevation of Privilege – Windows Win32k (CVE-2024-43636)
Elevation of Privilege – Windows DWM Core Library (CVE-2024-43629)
Elevation of Privilege – Windows NT OS Kernel (CVE-2024-43623)

Full Vulristics report

На русском

What is known about the Spoofing – Windows MSHTML Platform (CVE-2024-43573) vulnerability from the October Microsoft Patch Tuesday?

Leave a reply

What is known about the Spoofing – Windows MSHTML Platform (CVE-2024-43573) vulnerability from the October Microsoft Patch Tuesday? In fact, just that it is being exploited in the wild. There are no write-ups or public exploits yet. The Acknowledgements section in the Microsoft bulletin is empty. It is not clear who reported it and from whom we can expect details.

ZDI suggested that this could be an additional fix for a similar July vulnerability Spoofing – Windows MSHTML Platform (CVE-2024-38112). The vulnerability type and component are the same. The July vulnerability was about “.url” file handling and was exploited by the APT group Void Banshee to install the Atlantida Stealer malware. Attackers may have bypassed the initial fix, prompting Microsoft to release a new patch. So far, this is only an assumption. But the vulnerability shouldn’t be ignored despite its low CVSS Base score (6.5).

На русском

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: Microsoft

About Spoofing – Windows NTLM (CVE-2024-43451) vulnerability

About Spoofing – Microsoft Exchange (CVE-2024-49040) vulnerability

December Microsoft Patch Tuesday

About Elevation of Privilege – Windows Task Scheduler (CVE-2024-49039) vulnerability

New episode “In The Trend of VM” (#9): 4 trending vulnerabilities of October, scandal at The Linux Foundation, social “attack on the complainer”, “Ford’s method” for motivating IT specialists to fix vulnerabilities

November Microsoft Patch Tuesday

What is known about the Spoofing – Windows MSHTML Platform (CVE-2024-43573) vulnerability from the October Microsoft Patch Tuesday?