Microsoft’s November 2024 Patch Tuesday update fixes 91 security vulnerabilities, including four zero-day vulnerabilities. Critical fixes address actively exploited flaws in Windows, emphasising the need for quick patching.
Microsoft has released its November 2024 Patch Tuesday updates, addressing 91 security vulnerabilities across its software portfolio, including four zero-day flaws, two of which have been actively exploited.
Zero-Day Vulnerabilities
The two actively exploited zero-day vulnerabilities are:
- CVE-2024-43451: An NTLM Hash Disclosure Spoofing Vulnerability that exposes NTLMv2 hashes to remote attackers with minimal user interaction, such as selecting or right-clicking a malicious file.
- CVE-2024-49039: A Windows Task Scheduler Elevation of Privilege Vulnerability allowing attackers to execute RPC functions typically restricted to privileged accounts, potentially leading to unauthorized code execution or resource access.
Additionally, two publicly disclosed but not actively exploited vulnerabilities were addressed:
- CVE-2024-49040: A Microsoft Exchange Server Spoofing Vulnerability enabling threat actors to spoof sender email addresses to local recipients.
- CVE-2024-49041: A Windows MSHTML Platform Spoofing Vulnerability that could be leveraged to deceive users into interacting with malicious content.
Vulnerabilities
The 91 vulnerabilities fixed in this update are categorized as follows:
- 3 Spoofing vulnerabilities
- 4 Denial of Service vulnerabilities
- 1 Information Disclosure vulnerability
- 26 Elevation of Privilege vulnerabilities
- 2 Security Feature Bypass vulnerabilities
- 52 Remote Code Execution vulnerabilities.
It is worth noting that, four vulnerabilities are rated as critical, including two remote code executions and two elevations of privilege flaws.
Windows 11 Updates
For Windows 11 users, cumulative updates KB5046617 and KB5046633 have been released for versions 24H2 and 23H2, respectively. These updates address security vulnerabilities and include quality improvements. Notable fixes include resolving an issue causing a black screen when using Alt-Tab to switch between apps and correcting Task Manager’s incorrect display of zero running processes.
Windows 10 Updates
Windows 10 versions 21H2 and 22H2 have received cumulative update KB5046613, which focuses on security enhancements. Microsoft has indicated that there are no known issues with this update.
Expert Comment
Saeed Abbasi, Manager of Vulnerability Research at the Qualys Threat Research Unit, highlighted the severity of the CVE-2024-43451 vulnerability. “The CVE-2024-43451 leverages the remnants of Internet Explorer’s MSHTML component through the WebBrowser control,” he explained.
“This flaw allows attackers to capture a user’s NTLMv2 hash with minimal interaction—just a single click or right-click on a malicious file.” With this hash in hand, attackers can authenticate as the user, potentially gaining unauthorized access and compromising sensitive data.”
Abbasi emphasized that this vulnerability affects all supported versions of Microsoft Windows, making it widespread and critical. “This vulnerability leads to a complete loss of confidentiality for affected users, making immediate action essential,” he added.
For protection, Abbasi recommends organizations take three critical steps: apply the latest patches, install IE cumulative updates, and inform users about this specific threat. Prompt action is crucial to safeguard an organization’s systems and data from potential breaches.
Recommendations for Users
It is strongly recommended that users apply these updates as soon as possible to mitigate possible security risks. Updates can be installed via Windows Update or manually downloaded from the Microsoft Update Catalog. Nevertheless, November Patch Tuesday shows the importance of maintaining up-to-date systems to protect yourself from increasing cybersecurity threats.
RELATED TOPICS
- “HM Surf” macOS Flaw Lets Attackers Access Camera and Mic
- CISA Warns of Palo Alto Networks’ Expedition Tool Vulnerability
- Attack Lets Hackers Downgrade Windows to Exploit Patched Flaws
- ZDI Slams Microsoft for Not Crediting It in Last Week’s Patch Tuesday
- Microsoft Patch Tuesday: Microsoft Patches 142 Critical Vulnerabilities
