Tag Archives: PatchTuesday

November Microsoft Patch Tuesday

November Microsoft Patch Tuesday. 125 CVEs, 35 of which were added since October MSPT. 2 vulnerabilities with signs of exploitation in the wild:

🔻 Elevation of Privilege – Windows Task Scheduler (CVE-2024-49039)
🔻 Disclosure/Spoofing – NTLM Hash (CVE-2024-43451)

No signs of exploitation in the wild, but a private PoC exploit exists:

🔸 Remote Code Execution – Microsoft Edge (CVE-2024-43595, CVE-2024-43596)
🔸 Authentication Bypass – Azure Functions (CVE-2024-38204)
🔸 Authentication Bypass – Microsoft Dataverse (CVE-2024-38139)
🔸 Spoofing – Microsoft Exchange (CVE-2024-49040)

Among the rest, worth highlighting:

🔹 Remote Code Execution – Windows Kerberos (CVE-2024-43639)
🔹 Elevation of Privilege – Windows Win32k (CVE-2024-43636)
🔹 Elevation of Privilege – Windows DWM Core Library (CVE-2024-43629)
🔹 Elevation of Privilege – Windows NT OS Kernel (CVE-2024-43623)

🗒 Full Vulristics report

In Russian

October Microsoft Patch Tuesday

October Microsoft Patch Tuesday. 146 CVEs, of which 28 were added since September MSPT. 2 vulnerabilities with signs of exploitation in the wild:

🔻 Remote Code Execution – Microsoft Management Console (CVE-2024-43572)
🔻 Spoofing – Windows MSHTML Platform (CVE-2024-43573)

Without signs of exploitation in the wild, but with a public PoC exploit:

🔸 Remote Code Execution – Open Source Curl (CVE-2024-6197)

Private exploits exist for:

🔸 Information Disclosure – Microsoft Edge (CVE-2024-38222)
🔸 Security Feature Bypass – Windows Hyper-V (CVE-2024-20659)

Among the rest, worth highlighting:

🔹 Remote Code Execution – Remote Desktop Protocol Server (CVE-2024-43582)
🔹 Remote Code Execution – Windows Remote Desktop Client (CVE-2024-43533, CVE-2024-43599)
🔹 Remote Code Execution – Windows Routing and Remote Access Service (RRAS) (CVE-2024-38212 and 11 more CVEs)

🗒 Full Vulristics report

In Russian

September Microsoft Patch Tuesday

September Microsoft Patch Tuesday. 107 CVEs, 28 of which were added since August MSPT. 6 vulnerabilities with signs of exploitation in the wild:

🔻 Remote Code Execution – Windows Update (CVE-2024-43491)
🔻 Elevation of Privilege – Windows Installer (CVE-2024-38014)
🔻 Security Feature Bypass – Windows Mark of the Web (CVE-2024-38217), Microsoft Publisher (CVE-2024-38226), Chromium (CVE-2024-7965)
🔻 Memory Corruption – Chromium (CVE-2024-7971)

3 more with private exploits:

🔸 Authentication Bypass – Azure (CVE-2024-38175)
🔸 Security Feature Bypass – Windows Mark of the Web (CVE-2024-43487)
🔸 Elevation of Privilege – Windows Storage (CVE-2024-38248)

Other interesting vulnerabilities:

🔹 Remote Code Execution – Microsoft SQL Server (CVE-2024-37335 and 5 more CVEs)
🔹 Remote Code Execution – Windows NAT (CVE-2024-38119)
🔹 Elevation of Privilege – Windows Win32k (CVE-2024-38246, CVE-2024-38252, CVE-2024-38253)

🗒 Full Vulristics report

In Russian

About Elevation of Privilege – Windows Ancillary Function Driver for WinSock (CVE-2024-38193) and other Windows EoP vulnerabilities from August Patch Tuesday

About Elevation of Privilege – Windows Ancillary Function Driver for WinSock (CVE-2024-38193) and other Windows EoP vulnerabilities from August Patch Tuesday. In total, the August MSPT had 3 EoPs with signs of exploitation in the wild. They have identical descriptions: an attacker can elevate privileges on the host to SYSTEM level. The vulnerability in the Windows Kernel is harder to exploit, because the attacker has to win a race condition.

The attackers are known only for the EoP vulnerability in the Windows Ancillary Function Driver (AFD.sys): it is exploited by the well-known Lazarus group. This was reported in a press release from Gen Digital, the company that owns the Avira and Avast antiviruses. To neutralize security products during an attack, Lazarus uses the FudModule rootkit. So even if EDR is installed on the host, the host still needs to be updated. 😏

In Russian

Progress in exploitation of Remote Code Execution – Windows TCP/IP IPv6 (CVE-2024-38063)

Progress in exploitation of Remote Code Execution – Windows TCP/IP IPv6 (CVE-2024-38063). The vulnerability is from the August Patch Tuesday. 2 weeks ago I already wrote why it is potentially dangerous. Now the danger has increased significantly:

🔻 On August 24, a PoC exploit appeared on GitHub. There is a video showing the launch of a small Python script (39 lines) that causes Windows to crash with the error “KERNEL SECURITY CHECK FAILURE”. It looks more like DoS than RCE. But that is only for now.

🔻 The well-known researcher Marcus Hutchins published a blog post titled “CVE-2024-38063 – Remotely Exploiting The Kernel Via IPv6”. It describes the technical details of exploiting the vulnerability.

The probability that the vulnerability will be exploited in the wild has increased significantly.

❗️ Check that the vulnerability is patched, or raise the priority of the fix if it is not yet.

In Russian

Remote Code Execution – Windows TCP/IP IPv6 (CVE-2024-38063)

Remote Code Execution – Windows TCP/IP IPv6 (CVE-2024-38063). A vulnerability from the August Microsoft Patch Tuesday. No exploits or signs of exploitation in the wild have been discovered yet, but the description of the vulnerability looks scary. 😱

An unauthenticated attacker sends IPv6 packets to a Windows host and achieves remote code execution. CVSS 9.8, “Exploitation More Likely”.

🔹 If IPv6 is disabled, the vulnerability is not exploitable. But it is enabled by default. 😏
🔹 Blocking IPv6 on the local Windows firewall will not prevent exploitation (the vulnerable code runs before the packet reaches the firewall). 🤷‍♂️

The vulnerability was found by researchers from the Chinese information security company Cyber Kunlun. Once technical details and exploits for it appear, it may turn out to be very critical and “wormable”. 🪱
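The two notes above say the only host-side mitigation is IPv6 being unbound, and that the local firewall does not help. As an added illustration (not part of the original post and not a Vulristics tool), here is a PowerShell audit that reports what a defender actually needs to know per host: whether IPv6 is bound on any adapter, what the Tcpip6 DisabledComponents policy value is, which IPv6 addresses are configured, and whether a given update is installed. The cmdlets and the registry path are standard Windows ones; the KB number is a placeholder, since the post does not name one, and the report layout is my own.

```powershell
# Added example: audit a Windows host's exposure state for an IPv6-stack bug.
# Run in an elevated PowerShell session on the host being checked.

# 1. Per-adapter binding. ms_tcpip6 is the component ID of the IPv6 protocol;
#    Enabled = $true means the adapter will hand IPv6 packets to tcpip.sys.
$bindings = Get-NetAdapterBinding -ComponentID ms_tcpip6 |
    Select-Object Name, Enabled

# 2. Global policy value. 0xFF disables IPv6 on every non-loopback interface;
#    a missing value or 0 means IPv6 is fully enabled (the Windows default).
$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$disabled = (Get-ItemProperty -Path $regPath -Name DisabledComponents `
                -ErrorAction SilentlyContinue).DisabledComponents
if ($null -eq $disabled) { $disabled = 0 }

# 3. Configured IPv6 addresses. Link-local addresses count too: the post
#    stresses that the attacker is unauthenticated, so any reachable
#    IPv6-bound interface is in scope, not only globally routed ones.
$addrs = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Where-Object { $_.InterfaceAlias -notmatch 'Loopback' } |
    Select-Object InterfaceAlias, IPAddress

# 4. Patch status. KB0000000 is a placeholder: substitute the KB of the
#    August 2024 cumulative update for this OS build (not given in the post).
$kb      = 'KB0000000'
$patched = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)

# 5. One-line verdict per host, suitable for collecting across a fleet.
$boundAdapters = @($bindings | Where-Object { $_.Enabled })
[PSCustomObject]@{
    ComputerName       = $env:COMPUTERNAME
    DisabledComponents = ('0x{0:X}' -f $disabled)
    IPv6BoundAdapters  = ($boundAdapters.Name -join ', ')
    IPv6Addresses      = (($addrs | ForEach-Object {
                              "$($_.InterfaceAlias)=$($_.IPAddress)" }) -join '; ')
    UpdateInstalled    = $patched
    # Exposed: IPv6 is bound somewhere, not globally disabled, and the fix is absent.
    Exposed            = ($boundAdapters.Count -gt 0) -and
                         (($disabled -band 0xFF) -ne 0xFF) -and
                         (-not $patched)
}
```

The firewall is deliberately absent from the verdict: per the post, a block rule on the Windows firewall does not change exposure, so reporting it would only give false comfort. Disabling IPv6 outright is a blunt change that breaks some Windows features, so the intended use of this audit is to prioritise patching, with the binding data as the fallback for hosts that cannot be updated quickly.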

In Russian

August Microsoft Patch Tuesday

August Microsoft Patch Tuesday. 130 CVEs, of which 45 were added since July MSPT.

Unexpectedly at the top of the list is RCE – OpenSSH “regreSSHion” (CVE-2024-6387), which Microsoft fixed in Azure. 🙂

6 vulnerabilities with signs of exploitation in the wild. 😱 It’s been a long time since we’ve seen so many. I will write about them in separate posts.

🔻 EoP – Windows Kernel (CVE-2024-38106), Windows Ancillary Function Driver for WinSock (CVE-2024-38193), Windows Power Dependency Coordinator (CVE-2024-38107)
🔻 Security Feature Bypass – Windows Mark of the Web (CVE-2024-38213)
🔻 RCE – Microsoft Project (CVE-2024-38189)
🔻 RCE – Scripting Engine (CVE-2024-38178)

Other:

🔸 AuthBypass – Windows Update Stack (CVE-2024-38202) – the vulnerability was recently presented at Black Hat
🔹 Interesting RCEs – Windows TCP/IP (CVE-2024-38063) and LPD (CVE-2024-38199)
🔹 A lot of EoPs in Windows components (~26)

🗒 Full Vulristics report

In Russian