On November 12, 2024, Microsoft rolled out its latest Patch Tuesday updates addressing 91 vulnerabilities, including four zero-day flaws. Among these, two are actively exploited, posing a significant risk to organisations that haven’t yet applied the necessary patches.
Key Vulnerabilities and Categories
This month's security fixes cover a wide array of vulnerabilities, including critical flaws that could allow attackers to execute remote code or elevate privileges. Below is a breakdown of the vulnerabilities patched:
• 26 Elevation of Privilege vulnerabilities
• 2 Security Feature Bypass vulnerabilities
• 52 Remote Code Execution vulnerabilities
• 1 Information Disclosure vulnerability
• 4 Denial of Service vulnerabilities
• 3 Spoofing vulnerabilities
Additionally, two critical flaws in Microsoft Edge, which were patched on November 7th, are not included in this count.
For those interested in non-security updates, Microsoft has also released cumulative updates for Windows 11 (KB5046617, KB5046633) and Windows 10 (KB5046613).
Four Zero-Day Flaws Addressed
The November 2024 Patch Tuesday update resolves four zero-day vulnerabilities, including two that were actively exploited in the wild and three that were publicly disclosed. A zero-day flaw is one that is either actively being exploited or has been publicly disclosed without an official fix. Here are the zero-day vulnerabilities patched:
1. CVE-2024-43451: NTLM Hash Disclosure Spoofing Vulnerability This critical vulnerability exposes NTLM hashes to remote attackers. Even minimal user interaction, such as right-clicking or selecting a malicious file, could trigger the flaw. If successfully exploited, attackers could use these hashes to authenticate as the user. The flaw was discovered by Israel Yeshurun of ClearSky Cyber Security and was publicly disclosed.
2. CVE-2024-49039: Windows Task Scheduler Elevation of Privilege Vulnerability This vulnerability allows attackers to elevate privileges from a low-level application to a higher integrity level. By exploiting this flaw, attackers can execute functions typically restricted to privileged accounts. Discovered by researchers at Google’s Threat Analysis Group, the exploitation method remains undisclosed.
The following three vulnerabilities, though publicly disclosed, were not known to be actively exploited:
3. CVE-2024-49040: Microsoft Exchange Server Spoofing Vulnerability This flaw in Microsoft Exchange allows attackers to spoof the sender’s email address when sending messages to local recipients. As part of this update, Microsoft now flags spoofed emails with a warning that alerts users to the suspicious nature of the message.
4. CVE-2024-49019: Active Directory Certificate Services Elevation of Privilege Vulnerability This flaw lets attackers gain domain administrator privileges through misuse of default version 1 certificate templates. By crafting specific certificate requests, attackers can escalate privileges, potentially compromising sensitive systems. Discovered by TrustedSec, this vulnerability requires enrolment rights to exploit.
Other Noteworthy Updates from November 2024
Along with Microsoft, several other major vendors released security patches for critical vulnerabilities in November 2024:
• Adobe: Security updates for Photoshop, Illustrator, and Commerce.
• Cisco: Patches for Cisco Phones, Nexus Dashboard, and Identity Services Engine.
• Citrix: Updates for vulnerabilities in NetScaler ADC and Gateway, and for Virtual Apps and Desktops.
• Ivanti: Patches for 25 vulnerabilities in Ivanti Connect Secure, Policy Secure, and Secure Access Client.
• SAP: Updates for multiple products during November Patch Day.
• Schneider Electric: Security fixes for vulnerabilities in Modicon M340, Momentum, and MC80.
• Siemens: Critical update for TeleControl Server Basic, tracked as CVE-2024-44102.
To Sum Up
As always, it’s critical to apply these patches as soon as possible to mitigate the risk posed by these vulnerabilities, especially the zero-days that are being actively exploited. Organisations should also stay up to date with security updates from other vendors to protect their systems from emerging threats.
To dive deeper into the specifics of the vulnerabilities and systems affected, refer to the full vulnerability report here and ensure your patching processes are aligned with these critical updates.
