Microsoft’s security response team on Tuesday pushed out fixes for at least 90 vulnerabilities across the Windows ecosystem and called immediate attention to a pair of publicly known, already-exploited zero-days.
The Redmond software maker flagged a privilege escalation bug in the Windows Task Scheduler in the “exploitation detected” category and warned that code execution pathways are available from low-privilege applications.
“In this case, a successful attack could be performed from a low privilege AppContainer,” Microsoft said of the bug, which is tagged as CVE-2024-49039 with a CVSS severity score of 8.8 out of 10.
“The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment,” the company warned. “An attacker who successfully exploited this vulnerability could execute RPC functions that are restricted to privileged accounts only.”
Microsoft credited Google’s Threat Analysis Group (TAG) with the discovery, suggesting the bug may have been used in advanced targeted attacks. As is customary, Microsoft did not provide IOCs (indicators of compromise) or other telemetry data to help defenders hunt for signs of infections or test detection mitigations.
Microsoft also marked CVE-2024-43451 in the already-exploited category and cautioned that this bug discloses a user’s NTLMv2 hash to the attacker, who could use it to authenticate as the user.
The company warned that minimal user interaction with a malicious file, such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing, could trigger this NTLMv2 spoofing vulnerability.
“While Microsoft has announced retirement of the Internet Explorer 11 application on certain platforms and the Microsoft Edge Legacy application is deprecated, the underlying MSHTML, EdgeHTML, and scripting platforms are still supported,” the company explained.
The Microsoft Patch Tuesday rollout also covers critical-severity defects in .NET, Visual Studio and Windows Kerberos that expose the Windows ecosystem to remote code execution risks.
“A remote unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to a vulnerable .NET webapp or by loading a specially crafted file into a vulnerable desktop app,” Microsoft warned of the .NET bug, which is tagged as CVE-2024-43498 and carries a CVSS severity score of 9.8 out of 10.
The Windows Kerberos bug (CVE-2024-43639) allows an unauthenticated attacker using a booby-trapped application to leverage a cryptographic protocol vulnerability in Windows Kerberos to perform remote code execution against the target.
The vulnerability carries a CVSS score of 9.8/10 and was discovered by researchers at China’s Cyber KunLun.
The Microsoft Patch Tuesday rollout also covers security defects in the Office productivity suite, Microsoft Azure, Microsoft Exchange Server, Windows Hyper-V and Windows VMSwitch.
Microsoft’s patches come on the same day Adobe rolled out fixes for a wide swathe of critical security flaws across product lines, including code execution issues in the Adobe Commerce software suite.
Adobe documented a total of 48 security bugs and called urgent attention to critical-severity bugs in the Adobe Commerce and Magento Open Source platforms, the InDesign and Photoshop suites, and the Illustrator and Substance 3D Painter products.
Adobe stressed the importance of fixing the Adobe Commerce bug, which carries a CVSS severity score of 7.8 and exposes e-commerce shops to code execution attacks.