Microsoft’s November 2024 Patch Tuesday includes security updates for 89 vulnerabilities across Windows and Windows components; Office and Office components; Azure; .NET and Visual Studio; LightGBM; Exchange Server; SQL Server; TorchGeo; Hyper-V; and Windows VMSwitch. Four of these are rated Critical: two remote code execution flaws and two elevation of privilege flaws.
Breakdown of vulnerabilities by type:
- 52 Remote Code Execution vulnerabilities
- 26 Elevation of Privilege vulnerabilities
- 4 Denial of Service vulnerabilities
- 3 Spoofing vulnerabilities
- 2 Security Feature Bypass vulnerabilities
- 1 Information Disclosure vulnerability
This month’s release also includes patches for four zero-day vulnerabilities: two are known to be actively exploited and three were publicly disclosed before a fix was available (CVE-2024-43451 falls into both categories, which is why each of the two lists below has two entries).
Actively Exploited Zero-Days:
- CVE-2024-43451 - NTLM Hash Disclosure Spoofing Vulnerability. This vulnerability lets a remote attacker obtain a user’s NTLMv2 hash with minimal user interaction, such as single-clicking or right-clicking a malicious file, without opening or executing it. Microsoft explains that this could allow the attacker to authenticate as the user. Note that what leaks is an NTLMv2 challenge response (Net-NTLMv2), not the account’s NT hash: it cannot be passed directly, but it can be relayed to another service or cracked offline. Israel Yeshurun from ClearSky Cyber Security identified this flaw, which was publicly disclosed without further details.
- CVE-2024-49039 - Windows Task Scheduler Elevation of Privilege Vulnerability. Exploiting this flaw lets an attacker run a specially crafted application that elevates its privileges to Medium Integrity. According to Microsoft, the exploit could enable code execution or resource access beyond the low-privilege AppContainer environment; in other words, it is a sandbox escape to the level of an ordinary user process rather than a direct elevation to administrator. This vulnerability was discovered by Vlad Stolyarov and Bahare Sabouri of Google’s Threat Analysis Group; details on the in-the-wild exploitation are sparse.
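As an added example that is not part of the original post, the PowerShell below reads the local settings that decide whether a coerced outbound NTLM authentication of the kind CVE-2024-43451 triggers can leave a host, and over which transport. The function name is invented for this example; the registry values are the ones behind the "Network security: Restrict NTLM" and "LAN Manager authentication level" policies. It only reads state and changes nothing.

```powershell
# Added example, not from the original post: a read-only check of the local
# settings that govern what a coerced outbound NTLM authentication (the effect
# of CVE-2024-43451) can do once triggered. Function name is ours, not a cmdlet.

function Get-OutboundNtlmExposure {
    # Read one DWORD; $null means the value is absent (policy "not configured").
    function Read-Dword([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return [int]$item.$Name
    }

    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = "$lsa\MSV1_0"
    $smb = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

    # "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
    # 0 or absent = allow all, 1 = audit all, 2 = deny all (exceptions are
    # listed in ClientAllowedNTLMServers under the same key).
    $restrict = Read-Dword $msv 'RestrictSendingNTLMTraffic'

    # "Network security: LAN Manager authentication level"; absent means the OS
    # default of 3 (send NTLMv2 only) on Windows 7 / Server 2008 R2 and later.
    # Levels 0-2 would also let the client answer with the far weaker LM/NTLMv1.
    $lmCompat = Read-Dword $lsa 'LmCompatibilityLevel'
    if ($null -eq $lmCompat) { $lmCompat = 3 }

    # Client-side SMB signing requirement: a hardening data point that hampers
    # SMB relay of the captured response; it does not stop the capture itself.
    $smbSign = Read-Dword $smb 'RequireSecuritySignature'

    # WebClient (WebDAV) is the usual fallback transport when TCP/445 is blocked
    # at the perimeter; while it runs, an http:// UNC path still triggers NTLM.
    $webClient = Get-Service -Name WebClient -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        RestrictSendingNTLMTraffic = $restrict
        OutboundNtlmDenied         = ($restrict -eq 2)
        OutboundNtlmAudited        = ($restrict -eq 1)
        LmCompatibilityLevel       = $lmCompat
        SendsNtlmV2Only            = ($lmCompat -ge 3)
        SmbClientSigningRequired   = ($smbSign -eq 1)
        WebClientStatus            = if ($webClient) { [string]$webClient.Status } else { 'NotInstalled' }
        WebDavLeakPathOpen         = [bool]($webClient -and $webClient.Status -eq 'Running')
    }
}

Get-OutboundNtlmExposure | Format-List
```

The update removes this particular trigger; these settings limit what any coerced authentication can achieve. If OutboundNtlmDenied is false, move RestrictSendingNTLMTraffic to 1 (audit) first and review event ID 8001 in the Microsoft-Windows-NTLM/Operational log before setting 2, because deny-all also breaks legitimate workstation-to-server NTLM.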
Publicly Disclosed, Not Yet Exploited Zero-Days:
- CVE-2024-49040 - Microsoft Exchange Server Spoofing Vulnerability. This flaw lets an attacker spoof the sender address shown to local recipients. Microsoft’s advisory attributes it to how the P2 FROM header (the RFC 5322 From: header displayed in the mail client, as opposed to the P1 MAIL FROM envelope sender) is verified in transport. Patched servers now flag such messages with a warning stating, “Notice: This email appears to be suspicious. Do not trust the information, links, or attachments in this email without verifying the source through a trusted method.” Slonser from Solidlab publicly disclosed this issue.
- CVE-2024-49019 - Active Directory Certificate Services Elevation of Privilege Vulnerability. An attacker with enrollment rights can gain domain administrator privileges by abusing the built-in version 1 certificate templates. Microsoft advises checking for published certificates issued from templates where the subject name is "Supplied in the request" and Enroll permissions are granted to a broad set of accounts, such as domain users or domain computers. TrustedSec researchers Lou Scicchitano, Scot Berner, and Justin Bollinger disclosed this "EKUwu" vulnerability, showing that enrollment rights on such a template let an attacker submit a Certificate Signing Request (CSR) carrying attacker-chosen application policies, which the CA honors over the EKUs the template was meant to issue.
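The template audit Microsoft’s guidance calls for, as an added PowerShell example that is not part of the original post or of TrustedSec’s tooling. It uses ADSI only (no RSAT module), so it needs a domain-joined host and an account that can read the Configuration partition. Assumptions: the English default group names in $broadPrincipals, the well-known Certificate-Enrollment extended-right GUID, and the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit of msPKI-Certificate-Name-Flag. It reports only templates actually published on an enrollment service, since unpublished templates cannot be requested.

```powershell
# Added example, not from the original post: list published version 1
# certificate templates whose subject comes from the CSR and that broad groups
# can enroll in, the combination Microsoft tells admins to look for after
# CVE-2024-49019. Domain-joined host required; ADSI only, no RSAT module.

# Assumption: English default group names; adjust for locale or custom groups.
$broadPrincipals = @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone')
$enrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001                    # "Supply in the request" bit
$Rights = [System.DirectoryServices.ActiveDirectoryRights]

function Get-BroadEnrollers {
    # Names from $broadPrincipals that hold Enroll (or GenericAll) on a template.
    param([System.DirectoryServices.DirectoryEntry]$Template)
    $rules = $Template.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $allRights = $ace.ActiveDirectoryRights.HasFlag($Rights::GenericAll)
        # Enroll is an ExtendedRight ACE whose ObjectType is the enrollment GUID;
        # an empty GUID means "all extended rights", which includes it.
        $enroll = $ace.ActiveDirectoryRights.HasFlag($Rights::ExtendedRight) -and
                  ($ace.ObjectType -eq $enrollRightGuid -or $ace.ObjectType -eq [Guid]::Empty)
        if (-not ($allRights -or $enroll)) { continue }
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if ($broadPrincipals -contains $name) { $name }
    }
}

function Get-RiskyV1Templates {
    $configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $pks = "CN=Public Key Services,CN=Services,$configNc"

    # Only templates published on at least one enrollment service can be requested.
    $published = foreach ($ca in ([ADSI]"LDAP://CN=Enrollment Services,$pks").Children) {
        @($ca.Properties['certificateTemplates'].Value)
    }

    foreach ($tmpl in ([ADSI]"LDAP://CN=Certificate Templates,$pks").Children) {
        $cn = [string]$tmpl.Properties['cn'].Value
        if ($published -notcontains $cn) { continue }

        $schemaVersion  = [int]$tmpl.Properties['msPKI-Template-Schema-Version'].Value
        $nameFlag       = [int]$tmpl.Properties['msPKI-Certificate-Name-Flag'].Value
        $subjectFromCsr = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        if ($schemaVersion -ne 1 -or -not $subjectFromCsr) { continue }

        $enrollers = @(Get-BroadEnrollers -Template $tmpl | Sort-Object -Unique)
        if ($enrollers.Count -eq 0) { continue }

        [PSCustomObject]@{
            Template       = $cn
            SchemaVersion  = $schemaVersion
            SubjectFromCsr = $subjectFromCsr
            BroadEnroll    = $enrollers -join ', '
            TemplateEkus   = @($tmpl.Properties['pKIExtendedKeyUsage'].Value) -join ', '
        }
    }
}

Get-RiskyV1Templates | Format-Table -AutoSize
```

Every row returned is exactly the configuration the advisory warns about. TemplateEkus shows what the template was meant to issue; the point of EKUwu is that the CSR’s application policies, not this list, decide what the issued certificate can be used for, so remove the broad Enroll grant or otherwise restrict the template and re-run until the list is empty.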
Administrators and users are strongly advised to install these updates promptly to reduce their exposure. Updates can be applied through Windows Update or downloaded manually from the Microsoft Update Catalog. The November Patch Tuesday again highlights the need to keep systems current against a growing landscape of threats.
The complete list of the vulnerabilities can be found here.
--
1 week: Very good advice

OK Boštjan Dolinšek

Microsoft 365 Security Engineer
1 week: Unfortunately, this is an issue co-created by vendor and consumer. Backwards/legacy/outdated compatibility for solutions that should have been retired/replaced, and vendors unwilling to take a more stringent approach to security at the endpoint, are to blame for many of the vulnerability exploits. Shifting the mindset and culture to deprecate legacy capability without question mitigates unwillingness to evolve on the consumer’s part. Windows simply offers connectivity capabilities to too many legacy standards, and the elevated-privileges UAC model needs a redesign.

Practitioner | Sec+
1 week: We experience sudden freezes more than 10 minutes after implementing the patch updates.

Senior SOC Analyst | GIAC GREM | SC-200 | MS-500 | AZ-500 | DipHE | Bachelor (Hons) | Shift Leader
2 weeks: Time to ditch Windows