On this November 2024 Patch Tuesday, Microsoft has rolled out a significant update addressing a total of 91 vulnerabilities, including four critical zero-day flaws, two of which are currently being exploited in the wild. This proactive measure underscores the company’s commitment to maintaining robust security across its platforms.
The breakdown of the vulnerabilities addressed in this update reveals a diverse array of issues, categorized as follows:
- 26 Elevation of Privilege vulnerabilities
- 2 Security Feature Bypass vulnerabilities
- 52 Remote Code Execution vulnerabilities
- 1 Information Disclosure vulnerability
- 4 Denial of Service vulnerabilities
- 3 Spoofing vulnerabilities
This count does not include two Microsoft Edge flaws that were fixed earlier, on November 7th. Separate articles cover the non-security content of the new cumulative updates for Windows 11 (KB5046617 and KB5046633) and Windows 10 (KB5046613).
Four zero-days disclosed
This month’s Patch Tuesday has brought to light four zero-day vulnerabilities, with two actively exploited in various attacks. Microsoft defines a zero-day vulnerability as one that is either publicly disclosed or actively exploited without an official fix being available.
The two actively exploited vulnerabilities include:
CVE-2024-43451 – NTLM Hash Disclosure Spoofing Vulnerability
This vulnerability allows remote attackers to expose NTLM hashes with minimal user interaction. According to Microsoft, “This vulnerability discloses a user’s NTLMv2 hash to the attacker who could use this to authenticate as the user.” The flaw can be triggered by simple actions such as selecting or inspecting a malicious file. Discovered by Israel Yeshurun of ClearSky Cyber Security, this vulnerability was publicly disclosed without further details.
CVE-2024-49039 – Windows Task Scheduler Elevation of Privilege Vulnerability
This vulnerability permits an attacker to execute a specially crafted application that elevates privileges to a Medium Integrity level. Microsoft elaborates that “a successful attack could be performed from a low privilege AppContainer,” allowing the attacker to execute restricted RPC functions. This flaw was identified by Vlad Stolyarov and Bahare Sabouri from Google’s Threat Analysis Group, although the specifics of its exploitation remain unclear.
Additionally, the following vulnerabilities were publicly disclosed but not exploited:
CVE-2024-49040 – Microsoft Exchange Server Spoofing Vulnerability
This flaw enables attackers to spoof the sender’s email address in Microsoft Exchange emails sent to local recipients. Microsoft has implemented measures to flag such spoofed emails, alerting users with a warning message. Discovered by Slonser at Solidlab, this vulnerability was publicly disclosed in a related advisory.
CVE-2024-49019 – Active Directory Certificate Services Elevation of Privilege Vulnerability
This flaw allows attackers to gain domain administrator privileges by exploiting built-in default version 1 certificate templates. Microsoft advises checking for any certificates published using these templates, particularly those with broad enroll permissions. The vulnerability was disclosed by researchers at TrustedSec.
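As a defender's starting point for the check Microsoft recommends, the following PowerShell script is an added example (not code from Microsoft's advisory, TrustedSec, or this article). It lists the certificate templates whose schema version is 1, shows which enterprise CAs currently publish each one, and flags templates where the Enroll right is granted to a broad principal. It assumes the RSAT ActiveDirectory module is installed, that the account has read access to the Configuration partition, and that the list of "broad" groups is adjusted for your environment.

```powershell
# Added example, not code from Microsoft's advisory or the article above.
# Lists AD CS certificate templates with msPKI-Template-Schema-Version = 1 (the built-in
# "version 1" templates referenced for CVE-2024-49019), which CAs publish them, and whether
# the Enroll right is granted to a broad principal. Read-only: nothing is modified.
# Assumptions: RSAT ActiveDirectory module present, read access to the Configuration partition.
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$pkiBase    = "CN=Public Key Services,CN=Services,$configNC"
$templateDN = "CN=Certificate Templates,$pkiBase"
$caBase     = "CN=Enrollment Services,$pkiBase"

# Well-known extended-right GUID for Certificate-Enrollment (a standard AD value, not page-specific)
$enrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# Principals treated as "broad" for this check (assumption; tune for your environment)
$broadPrincipals = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone', 'Users')

# Build a map: template name -> CAs that publish it (from each CA's certificateTemplates attribute)
$published = @{}
Get-ADObject -SearchBase $caBase -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object {
        $ca = $_.Name
        foreach ($t in $_.certificateTemplates) {
            if (-not $published.ContainsKey($t)) { $published[$t] = @() }
            $published[$t] += $ca
        }
    }

# Only schema-version-1 templates (the built-in default templates the advisory asks you to review)
$v1Templates = Get-ADObject -SearchBase $templateDN `
    -LDAPFilter '(&(objectClass=pKICertificateTemplate)(msPKI-Template-Schema-Version=1))'

$report = foreach ($tpl in $v1Templates) {
    # ACEs that grant Enroll: Allow + ExtendedRight, scoped to the enroll GUID or to all
    # extended rights (empty GUID). GenericAll sets the ExtendedRight bit, so full-control
    # grants are caught as well.
    $acl = Get-Acl -Path ("AD:\" + $tpl.DistinguishedName)
    $enrollers = $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
            ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [Guid]::Empty)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    # Match "DOMAIN\Domain Users", "NT AUTHORITY\Authenticated Users", or bare "Everyone"
    $broad = $enrollers | Where-Object {
        $id = $_
        $broadPrincipals | Where-Object { $id -eq $_ -or $id -like "*\$_" }
    }

    if ($published.ContainsKey($tpl.Name)) { $cas = $published[$tpl.Name] -join ', ' }
    else                                   { $cas = '(not published)' }

    [PSCustomObject]@{
        Template      = $tpl.Name
        PublishedOnCA = $cas
        Enrollers     = $enrollers -join ', '
        BroadEnroll   = [bool]$broad
    }
}

# Templates that are both published and broadly enrollable are the ones to review first
$report | Sort-Object BroadEnroll -Descending | Format-Table -AutoSize
```

Run it from a domain-joined workstation with the AD module loaded; rows with BroadEnroll = True and a CA listed under PublishedOnCA are the templates to examine first. To see certificates already issued from a given template, the CA's own database can be queried on the CA host with certutil, for example `certutil -view -restrict "CertificateTemplate=<template name or OID>" -out "RequestID,RequesterName,NotAfter"`, where the template value is a placeholder to fill in from the report.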
Recent updates from other companies
In addition to Microsoft, several other vendors have released updates or advisories this November:
- Adobe has issued security updates for various applications, including Photoshop and Illustrator.
- Cisco has released updates for multiple products, including Cisco Phones and Nexus Dashboard.
- Citrix has addressed vulnerabilities in NetScaler ADC and Gateway.
- Dell has provided security updates for SONiC OS.
- D-Link has released a critical update for the DSL6740C flaw.
- Google has launched Chrome 131, featuring 12 security fixes, though no zero-days were reported.
- Ivanti has released updates for 25 vulnerabilities across its products.
- SAP has issued updates for multiple products as part of November Patch Day.
- Schneider Electric has released updates for flaws in Modicon M340 and Momentum products.
- Siemens has addressed a critical flaw in TeleControl Server Basic.
The November 2024 Patch Tuesday Security Updates
For a comprehensive overview of the vulnerabilities resolved in this month’s updates, including detailed descriptions and affected systems, please refer to the full report.