December 11, 2024 at 02:30AM
Microsoft’s October 2024 Patch Tuesday addressed 72 security flaws, including a critical privilege escalation vulnerability (CVE-2024-49138) that is being actively exploited in the wild. The update also lays the groundwork for further hardening against such threats. In addition, Microsoft plans to phase out NTLM in favor of Kerberos to reduce the protocol’s exposure to exploitation.
### Meeting Takeaways:

1. **Microsoft’s Patch Tuesday Updates (October 2024)**:
   - A total of **72 security flaws** were addressed: 17 rated **Critical**, 54 rated **Important**, and 1 rated **Moderate**.
   - Key vulnerabilities include:
     - **CVE-2024-49138**: a privilege escalation flaw in the Windows CLFS driver, actively exploited, with a **CVSS score of 7.8**.
     - **CVE-2024-49112**, the highest-severity flaw of the release: a remote code execution flaw in Windows LDAP with a **CVSS score of 9.8**.
2. **Vulnerability Statistics**:
   - **31 remote code execution flaws** and **27 elevation of privilege flaws** were identified in this update.
   - In total, Microsoft reported resolving **1088 vulnerabilities in 2024**.
3. **Context of Exploited Vulnerabilities**:
   - CVE-2024-49138 is the fifth actively exploited CLFS privilege escalation flaw since 2022, a trend consistent with ransomware operators targeting CLFS bugs to gain elevated privileges on compromised networks.
4. **Security Mitigation Efforts**:
   - Microsoft plans to add a **verification step for CLFS log files**, attaching an **HMAC** (Hash-based Message Authentication Code) so that unauthorized modifications to a log file can be detected before the file is parsed.
5. **CISA Involvement**:
   - CVE-2024-49138 has been added to the **CISA Known Exploited Vulnerabilities (KEV)** catalog, with a remediation deadline of **December 31, 2024**.
6. **Unveiling of Zero-Day Vulnerabilities**:
   - **0patch** has released unofficial fixes for a zero-day vulnerability allowing NTLM credential capture and another for a Windows Themes vulnerability.
7. **Microsoft’s Shift from NTLM**:
   - Microsoft is transitioning away from the legacy NTLM authentication protocol in favor of **Kerberos**. Changes include enabling **Extended Protection for Authentication (EPA)** by default, removing support for NTLM v1, and deprecating NTLM v2 in the upcoming Windows Server 2025 release.
8. **Ongoing Updates from Other Vendors**:
   - Security updates have also been issued by various other vendors to address multiple vulnerabilities over recent weeks.
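The HMAC verification step described under item 4 is easy to picture with a small model. The following Python is an added illustration, not Microsoft’s CLFS code and not a description of the actual on-disk CLFS format: it keeps a log as a sequence of length-prefixed records, tags each record with an HMAC-SHA256 over its sequence number and payload, and refuses any record whose tag does not verify. The record layout, the key, and the sample payloads are all constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import Iterator, List, Tuple

TAG_LEN = 32  # HMAC-SHA256 digest size

# Constructed key for the demonstration. In a real design the key must be
# held by a privileged component (kernel or a protected service), never by
# the unprivileged process that is allowed to write the log file; otherwise
# an attacker who can rewrite the file can also recompute the tags.
DEMO_KEY = b"demo-key-not-for-real-use-00000000"


def _tag(key: bytes, seq: int, payload: bytes) -> bytes:
    # The tag covers the record's position in the log as well as its bytes,
    # so a record that is reordered, duplicated or replayed fails verification
    # even though its payload is unchanged.
    return hmac.new(key, struct.pack(">I", seq) + payload, hashlib.sha256).digest()


def append_record(log: bytearray, key: bytes, payload: bytes) -> None:
    """Append one record: 4-byte big-endian length, payload, HMAC tag."""
    seq = sum(1 for _ in iter_records(bytes(log)))
    log += struct.pack(">I", len(payload)) + payload + _tag(key, seq, payload)


def iter_records(log: bytes) -> Iterator[Tuple[int, bytes, bytes]]:
    """Yield (seq, payload, tag). A truncated trailing record yields a short
    or empty tag so that verification fails instead of raising."""
    off, seq = 0, 0
    while off < len(log):
        if len(log) - off < 4:
            yield seq, b"", b""
            return
        (n,) = struct.unpack_from(">I", log, off)
        off += 4
        payload = log[off:off + n]
        off += n
        tag = log[off:off + TAG_LEN]
        off += TAG_LEN
        yield seq, bytes(payload), bytes(tag)
        seq += 1


def verify_log(log: bytes, key: bytes) -> List[bool]:
    """Return one verdict per record. compare_digest is constant-time and
    returns False (rather than raising) when the lengths differ."""
    return [
        hmac.compare_digest(tag, _tag(key, seq, payload))
        for seq, payload, tag in iter_records(log)
    ]


def build_demo_log(key: bytes = DEMO_KEY) -> bytearray:
    """Three constructed records standing in for log operations."""
    log = bytearray()
    for payload in (b"alloc", b"commit", b"free"):
        append_record(log, key, payload)
    return log


def demo() -> dict:
    """Show the four failure modes a verifier should catch."""
    key = DEMO_KEY
    good = build_demo_log(key)

    tampered = bytearray(good)
    tampered[4] ^= 0xFF  # flip the first payload byte of record 0

    # Records are 4 + len(payload) + TAG_LEN bytes: 41, 42 and 40 here.
    r0, r1, r2 = good[:41], good[41:83], good[83:]
    reordered = bytes(r0) + bytes(r2) + bytes(r1)

    return {
        "intact": verify_log(good, key),
        "tampered": verify_log(tampered, key),
        "reordered": verify_log(reordered, key),
        "truncated": verify_log(good[:-10], key),
        "wrong_key": verify_log(good, b"x" * 32),
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:>10}: {verdicts}")
```

The point of keying the tag to the sequence number is that integrity of individual records is not enough: an attacker who cannot forge a tag can still swap, duplicate or drop whole records, which is exactly the kind of structural corruption a log parser tends to trip over. Tying each tag to its position, and rejecting a truncated tail, closes those gaps; the remaining requirement is the one in the comment above, that the key lives somewhere the file writer cannot read it.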
### Action Items:

- Ensure all systems are updated with the latest patches, particularly for the identified critical vulnerabilities.
- Review and implement the recommended security practices, especially regarding NTLM and Kerberos authentication.
- Stay informed on further updates from Microsoft and third-party vendors concerning security vulnerabilities.