Microsoft Confirms Zero-Day Exploitation of Task Scheduler Flaw

Patch Tuesday: Microsoft patches 90 security flaws across the Windows ecosystem and warns of zero-day exploitation and code execution risks.

Microsoft’s security response team on Tuesday pushed out fixes for at least 90 vulnerabilities across the Windows ecosystem and called immediate attention to a pair of publicly known, already-exploited zero-days.

The Redmond software maker flagged a privilege escalation bug in the Windows Task Scheduler in the “exploitation detected” category and warned that code execution pathways are available from low-privilege applications.

“In this case, a successful attack could be performed from a low privilege AppContainer,” Microsoft said of the bug, which is tagged as CVE-2024-49039 with a CVSS severity score of 8.8 out of 10.

“The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment,” the company warned. “An attacker who successfully exploited this vulnerability could execute RPC functions that are restricted to privileged accounts only.”

Microsoft credited Google’s Threat Analysis Group (TAG) with the discovery, suggesting it may have been used in advanced targeted attacks. As is customary, Microsoft did not provide IOCs (indicators of compromise) or other telemetry data to help defenders hunt for signs of infections or test detection mitigations.

Microsoft also marked CVE-2024-43451 in the already-exploited category and cautioned that this bug discloses a user’s NTLMv2 hash to the attacker, who could use it to authenticate as the user.

The company warned that minimal user interaction with a malicious file, such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing, could trigger this NTLMv2 spoofing vulnerability.

“While Microsoft has announced retirement of the Internet Explorer 11 application on certain platforms and the Microsoft Edge Legacy application is deprecated, the underlying MSHTML, EdgeHTML, and scripting platforms are still supported,” the company explained.

The Microsoft Patch Tuesday rollout also covers critical-severity defects in .NET, Visual Studio and Windows Kerberos that expose the Windows ecosystem to remote code execution risks.

“A remote unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to a vulnerable .NET webapp or by loading a specially crafted file into a vulnerable desktop app,” Microsoft warned. The bug, tagged as CVE-2024-43498, carries a CVSS severity score of 9.8 out of 10.

The Windows Kerberos bug (CVE-2024-43639) allows an unauthenticated attacker using a booby-trapped application to leverage a cryptographic protocol vulnerability in Windows Kerberos to perform remote code execution against the target.

The vulnerability carries a CVSS score of 9.8/10 and was discovered by researchers at China’s Cyber KunLun.

The Microsoft Patch Tuesday rollout also covers security defects in the Office productivity suite, Microsoft Azure, Microsoft Exchange Server, Windows Hyper-V and Windows VMSwitch. 

Microsoft’s patches come on the same day Adobe rolled out fixes for a wide swathe of critical security flaws across product lines, including code execution issues in the Adobe Commerce software suite.

Adobe documented a total of 48 security bugs and called urgent attention to critical-severity bugs in the Adobe Commerce and Magento Open Source platforms, the InDesign and Photoshop suites, and the Illustrator and Substance 3D Painter products.

Adobe stressed the importance of fixing the Adobe Commerce bug, which carries a CVSS severity score of 7.8 and exposes e-commerce shops to code execution attacks.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
