Any successful remote cyberattack starts with penetration of the target network. Regardless of the type of threat (spyware, ransomware, or infostealer), it must be delivered before it can be deployed. Attackers use a variety of methods and tools to accomplish this. Some of them require an action on the part of the victim. Others rely on vulnerabilities in the system and can be delivered and deployed without the victim’s involvement at all.
Top Vulnerabilities in 2024
Of the many vulnerabilities that surfaced in the first 8 months of 2024, several created significant fuss in the cybersecurity community. The key sign of significance is, of course, the number of systems that may be impacted, though I won’t ignore other factors, such as ease of exploitation and the severity of the possible consequences.
There may also be confusion about whether a flaw should be considered “top” depending on how frequently it is exploited in cyberattacks. Since some flaws keep circulating years after their initial discovery, you can sometimes see ratings that include those “past” vulnerabilities. In certain years, these older weaknesses were dominant despite all the vulnerabilities discovered the same year. In this article, I will concentrate exclusively on flaws discovered in 2024, with all the other characteristics mentioned above in mind.
Critical RCE Threat in Windows TCP/IP Stack
CVE-2024-38063 is a critical vulnerability in Windows 10/11 that allows remote code execution (RCE) via IPv6 packets. The vulnerability is rated CVSS 9.8 and affects Windows 10, Windows 11 and Windows Server 2008-2022. Security researcher Marcus Hutchins has published a detailed analysis of the vulnerability. He also noted that this vulnerability affects one of the most exposed parts of the Windows kernel, the tcpip.sys driver, which is responsible for processing TCP/IP packets. In other words, attackers can exploit this vulnerability by sending specially crafted IPv6 packets to the target machine, allowing RCE without user interaction.
As for the potential risks: if successful, attackers could gain SYSTEM-level access, which lets them execute arbitrary code on the vulnerable system and compromise sensitive data. Arbitrary code execution, in turn, is a classic way to deploy malware in cyberattacks of every grade. Microsoft has released the update and strongly recommends applying it as soon as possible. For those who cannot apply the patch, Redmond recommends disabling IPv6 until the update becomes available, in order to reduce the attack surface.
Fortunately, no exploitation cases were known at the moment of writing. But the fact that the vulnerability exposes individual users and corporations alike makes it worth keeping in mind and fixing at the first opportunity.
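To make the two options above (patch, or disable IPv6 until you can patch) checkable at scale, here is an added PowerShell audit script. It is my example, not code from the article, from Marcus Hutchins’ analysis or from Microsoft’s advisory. It assumes a Windows 10/11 or Windows Server host with the NetAdapter cmdlets available and an elevated session; the KB number is a placeholder, because the article does not name one, and must be replaced with the cumulative update Microsoft lists for your build under CVE-2024-38063.

```powershell
# Added example, not part of the original article: report whether a Windows host
# still exposes the IPv6 stack (tcpip.sys) that CVE-2024-38063 affects, and whether
# the fix is installed. Run from an elevated PowerShell session.
param(
    # Placeholder (assumption): substitute the KB number Microsoft lists for your build.
    [string]$PatchKb = "KB0000000",
    # Pass -ApplyWorkaround to unbind IPv6 on hosts that are found exposed.
    [switch]$ApplyWorkaround
)

# 1. Is the cumulative update containing the fix installed?
$patched = $null -ne (Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)

# 2. Which adapters still have the IPv6 transport (component ms_tcpip6) bound?
$ipv6Adapters = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 |
    Where-Object { $_.Enabled } |
    Select-Object -ExpandProperty Name)

# 3. Has IPv6 been switched off system-wide through Microsoft's documented
#    DisabledComponents registry value (0xFF disables all IPv6 except loopback)?
$tcpip6 = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
$disabled = (Get-ItemProperty -Path $tcpip6 -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
$disabledText = if ($null -eq $disabled) { "not set" } else { "0x{0:X}" -f $disabled }

# A host is still exposed only if it is unpatched AND IPv6 is still reachable.
$exposed = (-not $patched) -and ($ipv6Adapters.Count -gt 0) -and ($disabled -ne 0xFF)

[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    PatchInstalled     = $patched
    IPv6BoundAdapters  = ($ipv6Adapters -join ", ")
    DisabledComponents = $disabledText
    StillExposed       = $exposed
}

# Interim workaround the article mentions, for hosts that cannot take the patch yet:
# unbind IPv6 from every adapter. Re-enable with Enable-NetAdapterBinding after patching.
if ($exposed -and $ApplyWorkaround) {
    Disable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6
}
```

Run it without switches first and collect the `StillExposed` column across your fleet; only hosts where it is true and the patch genuinely cannot be deployed yet should get `-ApplyWorkaround`, since unbinding IPv6 can break services that depend on it.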
Critical Remote Code Execution in Microsoft Project
CVE-2024-38189 is a critical remote code execution vulnerability that affects several Microsoft products: Windows 10 and Windows Server 2019 and later, as well as various versions of Office, including Office 365. Its CVSS score of 8.8 clearly characterizes how much damage attackers can do with this flaw. Unlike the previous vulnerability, exploiting CVE-2024-38189 requires user interaction: the attacker must convince the victim to open a specially crafted Microsoft Project file. However, in the era of Dark LLM-generated phishing emails, this will not be a problem for attackers.
The results of successful exploitation are clear: remote access with privilege escalation. It can lead to data leakage and full control over the infected system, with potentially severe consequences. Microsoft has released an update, so the only task for users is to apply it and keep monitoring for suspicious network activity. And since the vulnerability is being actively exploited in the wild, this update should not be delayed.
RCE Flaw in Microsoft Exchange
The third vulnerability is CVE-2024-38178, which has a CVSS score of 7.5 and allows remote code execution under certain conditions. Although the conditions are narrow, it poses a significant threat. As with the previous one, exploitation requires an authenticated client to be tricked into clicking a malicious link. Moreover, it also requires the victim to use Microsoft Edge in Internet Explorer mode. Nevertheless, South Korea’s National Cyber Security Center has reported that this vulnerability was potentially used in a state-sponsored APT attack.
The vulnerability arises from a flaw in web content processing that leads to remote code execution. This could result in unauthorized server control, data leaks, and significant server disruption. The attacker does not need direct access to the server and instead relies on tricking users. To stay secure, users should update their systems and consider disabling Internet Explorer mode in Microsoft Edge.
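Since Internet Explorer mode is the precondition the article names, the useful check is whether Edge on a given host is allowed to enter it at all. The following PowerShell script is an added example of mine, not code from the article or from Microsoft; it reads the documented Edge policy values `InternetExplorerIntegrationLevel` and `InternetExplorerIntegrationSiteList` from the machine policy key and, with `-Enforce`, pins IE mode off. It assumes an elevated session and a host managed by local or domain policy rather than an MDM profile.

```powershell
# Added example, not part of the original article: report whether Microsoft Edge
# on this host is permitted to run Internet Explorer mode (the precondition the
# article gives for CVE-2024-38178) and optionally disable it by policy.
param(
    [switch]$Enforce   # write InternetExplorerIntegrationLevel = 0 (IE mode off)
)

$edgePolicy = "HKLM:\SOFTWARE\Policies\Microsoft\Edge"

# Documented Edge policy: 0 = None (IE mode off), 1 = IEMode, 2 = NeedIE.
$level = (Get-ItemProperty -Path $edgePolicy -Name InternetExplorerIntegrationLevel -ErrorAction SilentlyContinue).InternetExplorerIntegrationLevel
# Documented Edge policy: URL of the enterprise site list that routes sites into IE mode.
$siteList = (Get-ItemProperty -Path $edgePolicy -Name InternetExplorerIntegrationSiteList -ErrorAction SilentlyContinue).InternetExplorerIntegrationSiteList

if ($null -eq $level)   { $state = "not configured (left to the user's Edge settings)" }
elseif ($level -eq 0)   { $state = "disabled by policy" }
elseif ($level -eq 1)   { $state = "IE mode allowed (IEMode)" }
elseif ($level -eq 2)   { $state = "IE mode allowed (NeedIE)" }
else                    { $state = "unexpected value $level" }

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    IEModePolicy = $state
    SiteList     = if ($siteList) { $siteList } else { "none" }
    # Only the IE-mode precondition is checked here, not the Windows patch level.
    IEModeOpen   = ($null -eq $level) -or ($level -ne 0)
}

if ($Enforce -and ($level -ne 0)) {
    # Create the policy key if absent, then force IE mode off. Edge applies the
    # value on its next policy refresh; confirm on the edge://policy page.
    New-Item -Path $edgePolicy -Force | Out-Null
    Set-ItemProperty -Path $edgePolicy -Name InternetExplorerIntegrationLevel -Value 0 -Type DWord
}
```

Where a site list exists, removing IE mode will break the legacy applications it serves, so the inventory step (run without `-Enforce`) is what tells you which hosts can simply have it turned off and which need the patch applied first.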
What Causes the Vulnerabilities to Appear?
Typical reasons for vulnerabilities to appear in programs are bad software engineering, aging technology, software misuse, or all of them together. It is hard to trace the reason behind each and every specific vulnerability, especially considering their sheer number. But it is obvious that the more complex a program is, the easier it is for something inside it to break, or to be broken on purpose.
The worst part is that you can’t really do anything to prevent vulnerabilities from appearing (unless you are the developer, of course). For users, and even corporations, the only way to protect themselves against the consequences of vulnerability exploitation is to install all the recent updates. And even this is no guarantee against zero-day flaws.
How to prevent vulnerabilities?
To summarize, let me make a few recommendations to help reduce the likelihood of successful exploitation of vulnerabilities:
- Install the latest updates. Proper software developers release flaw fixes as part of their regular updates, and I strongly recommend not ignoring them. If you happen to use an end-of-service program, it is better to update to the newest version or look for an alternative that still receives updates. “Unsupported” does not mean “free of vulnerabilities”!
- Use software from reliable developers. While vulnerabilities can appear in any software from any developer, the likelihood of trouble is much higher when you stick to solutions from a no-name dev team. Large and renowned developers, aside from doing thorough testing, will also provide all the needed support and updates for their software.
- Keep an eye on security news. Companies sometimes struggle to notify their users in a timely manner. By following newsletters, you make sure you stay up to date on recent flaws and attacks.