Ryan Braunstein:
Happy Patch Tuesday, everyone! We have made it to November. We're in the holiday season, which is just... it's always that special time of year where you're just waiting for something horrible to happen right before you go on break.
Henry Smith:
Woo!
Ryan Braunstein:
Right off the bat, there are a ton of RCEs this month, but that seems like a common theme for the last, yeah, for the last, at least three to four. So I'm joined today by Seth Hoyt and Henry Smith, and I'll let them tell you what they do, but you might be familiar with them from our previous podcast. So Seth, tell us what you do.
Seth Hoyt:
Yep. Seth Hoyt, I'm a Senior Security Engineer here at Automox. Just work with the team, make things happen.
Ryan Braunstein:
Henry?
Henry Smith:
And I'm Henry, also a Senior Security Engineer, and I kind of just do whatever Ryan tells me to do, and I make sure that he remains happy.
Ryan Braunstein:
And that, I guess, brings me to me. I'm Ryan, team lead of Security at Automox. And yeah, we're just going to jump right into this. Right off the bat, we've got an NTLM hash disclosure spoofing vulnerability. Definitely patch this one immediately. This should be a top priority for you since it's already been spotted in the wild.
It does require user interaction; it's the same old story: a phishing email comes in, someone clicks it, and they've got the ability to authenticate as your user. So you could always add some monitoring for hash-based attacks in your SIEM and lean on some user awareness with phishing campaigns. But other than that, definitely get this one patched ASAP.
Anything to add, you two?
Seth Hoyt:
That pretty much sums that one up. Short and sweet.
Ryan Braunstein:
Yeah, it's a simple one, but who's got next here?
Seth Hoyt:
I think that would be me with CVE-2024-5535. This is a Microsoft Defender for Endpoint Remote Code Execution Vulnerability. This one has not been publicly exploited yet, but it is kind of funny because this one is actually for Windows Defender being able to do an RCE. So this one, again, does require user interaction. So clicking on a link, phishing, things like that, which, with people relying on AI these days, those phishing attacks are getting more and more complicated, complex looking, so it's a lot easier to trick users.
And then something else to point out, this one is only on Windows 10, specifically version 1809. And that is for both 32 and 64-bit. So if you are on Windows 11, this does not affect you. But yeah, again, clicking on a link is required for this one. So there is user interaction.
Henry Smith:
Yeah, that one, when I was looking, really caught my eye too. And kind of to your point, it feels very ironic that an attacker could abuse a legitimate service, and not only a legitimate service, but the very service responsible for defending endpoints. And then yeah, your point about it only being Windows 10, it makes me wonder, like, what's different about
Ryan Braunstein:
Yeah.
Henry Smith:
the implementation of Defender for Windows 11 and Windows 10, but I'm sure Microsoft won't tell us.
Ryan Braunstein:
Yeah.
And I think if I'm correct, Windows 10 actually got extended by another year. So I'm wondering what kind of like challenges that kind of leaves Microsoft in to kind of develop around both of them right now, especially with how different they are.
Ryan Braunstein:
Yeah.
Henry Smith:
And this one too, I don't think there's really, if I was reading correctly, there's not really any action to take in terms of patching. I think it was more assertive.
Seth Hoyt:
Yeah, I didn't see anything on patching for this one yet. So just something to keep an eye on.
Henry Smith:
Yeah, I think it's probably, like, a server-side effect, I imagine.
Ryan Braunstein:
Yeah, I think so. And it doesn't look like there's anything that can be done about it at the moment, but thankfully it's not being exploited yet. So, and then our final one, Henry, I think you're running point on this one.
Henry Smith:
Yes, I think CVE-2024-49039, which is the Windows Task Scheduler Elevation of Privilege Vulnerability. So reading over this one, it reads to me like an attacker has to get a specifically crafted application onto the victim's machine, probably one that interacts with the Task Scheduler, I'm guessing.
And then they have to be able to execute that. You know, if they can successfully exploit the vulnerability, they can execute RPC functions that are restricted to privileged accounts. Now, what exactly does that mean? What exactly can a malicious actor do in this case? I don't know, but I can take some guesses.
Ryan Braunstein:
Yeah.
Henry Smith:
You know, Windows has some pretty interesting or juicy RPC interfaces that could be targeted by a malicious actor. So they may be able to potentially create users and add rights to them or elevate their privileges. They could potentially make service or registry modifications as well. Things you don't want a bad actor to be doing. And this is one where it looks like Microsoft has acknowledged that there's functional exploit code out there for this one. So this is one you'll want to patch.
Ryan Braunstein:
I mean, I assume they would just try and load something into the scheduler and have it do something on boot before like anything even comes up to stop it. So, I mean, that would be one of my thoughts, because that's what a lot of people end up using the scheduler for is for some kind of service that they need to get started or something to that effect or some script that needs to be run on startup. I don't know.
Henry Smith:
Yeah. And I think there is an RPC endpoint, or I guess interface specifically for the task scheduler. And I think, don't quote me, but I think it could be used to execute commands. But yeah, so patch, patch this one.
Ryan Braunstein:
Yeah.
Yeah, definitely. Well, again, you'll want to run through the full list. But again, a lot of RCEs this month, a lot of things that you should get patched up pretty quickly. Other than that, I think that kind of does it for us this week, right? Awesome. Well, yeah, short and sweet this week.
Seth Hoyt:
Yeah, short and sweet.
Ryan Braunstein:
Thanks everyone for...
Thank you all for tuning in and joining us again and we'll see you next month.
Seth Hoyt:
Yeah. Thanks everyone. See you.
Ryan Braunstein:
See ya.
Henry Smith:
Happy Holidays!