Patch Day Insights: Addressing Controversial 0-Day Vulnerabilities in Windows

On November 12, Microsoft released critical security updates addressing 89 vulnerabilities, including four deemed critical and two actively exploited. Key issues include RCE vulnerabilities in Kerberos and .NET, along with significant flaws in Windows Telephony Service and SQL Server. Users are urged to upgrade from outdated systems like Windows 7 and 8.1. Microsoft has also introduced a new tool for malware removal, with the next Update Tuesday scheduled for December 10, 2024.

Microsoft’s November Patch Day: Security Updates Overview

On November 12, Microsoft rolled out a significant set of security updates addressing a total of 89 vulnerabilities. Four of these are rated critical, while the remaining ones, with a single exception, are rated high risk. Alarmingly, Microsoft has revealed that two of these vulnerabilities are already being exploited, contributing to a total of six 0-Day vulnerabilities. Counting the security issues patched earlier this year, 2024 is shaping up to be the year with the second-highest vulnerability count, even before the December updates are applied.

While Microsoft provides only limited insight through its security update guide for users who want to investigate these vulnerabilities on their own, Dustin Childs offers a more comprehensive analysis in his blog on Trend Micro ZDI. He emphasizes the significance of Update Tuesday, particularly for administrators managing corporate networks. Where Microsoft acknowledges four 0-Days, Childs counts six. Additionally, the vulnerability CVE-2024-5535 in OpenSSL has not been classified by Microsoft as previously known, even though Childs points out it has been known since June.

Key Vulnerabilities in Windows and Browser Updates

The most recent security update for Microsoft’s Edge browser is version 130.0.2849.80, released on November 7 and based on Chromium 130.0.6723.117. In parallel, Google released a new major version of Chrome (v131) on November 12, which addresses several high-risk vulnerabilities.

Among the vulnerabilities addressed, a substantial 37 impact various Windows versions, including Windows 10 and Server. Microsoft continues to provide security updates for these systems. However, Windows 7 and 8.1 are no longer included in the security reports and may remain vulnerable. Users are encouraged to upgrade to Windows 10 (22H2) or Windows 11 (23H2) to ensure continued security updates. Additionally, the fall update for Windows 11, version 24H2, is now available, albeit with some reported issues.

Microsoft has alerted users to ongoing attacks exploiting two specific Windows vulnerabilities. The first, CVE-2024-43451, is a spoofing vulnerability in the outdated MSHTML platform, allowing attackers to capture the victim’s NTLMv2 hash and gain unauthorized access. The second, CVE-2024-49039, affects the Windows Task Scheduler, where malicious code could potentially execute outside its container, leading to severe repercussions when combined with other vulnerabilities.

To bolster your system’s security, it is crucial to keep your operating system updated and utilize reliable antivirus software. For recommendations, check out our article on “The Best Antivirus Programs 2024 in Test: How to Protect Your Windows PC.” Additionally, incorporating a good VPN can further enhance your online security.

Among the critical vulnerabilities, Microsoft has flagged the remote code execution (RCE) vulnerability CVE-2024-43639 in the Kerberos protocol, assigning it a CVSS score of 9.8. This flaw allows attackers to execute code remotely without user interaction, and because Kerberos runs with elevated permissions, it poses a significant risk of malicious code spreading within a network. Another critical RCE vulnerability, CVE-2024-43498, affects .NET and Visual Studio and likewise receives a CVSS score of 9.8. It allows an attacker to inject and execute code by sending a specially crafted request to a vulnerable .NET web application.

In the latest updates, the Windows Telephony Service has seen seven vulnerabilities addressed, six of which are RCE vulnerabilities with a CVSS score of 8.8. The remaining vulnerability is an Elevation of Privilege (EoP) flaw, which could give attackers heightened access rights.

Moreover, over a third of the vulnerabilities patched in November relate to Microsoft’s SQL Server, with 31 RCE vulnerabilities deemed high risk. Generally, an attack would necessitate that a vulnerable system connects to a maliciously prepared database, making such scenarios relatively rare. For CVE-2024-49043, users should carefully review the security report, as it requires an update to the OLE DB driver and possibly additional updates from third-party providers.

Lastly, Microsoft has resolved eight vulnerabilities in its Office suite, including seven RCE vulnerabilities, five of which are found in Excel. The eighth vulnerability is a Security Feature Bypass (SFB) affecting Word, where a specially crafted document can circumvent the protected Office view.

As a proactive measure, Microsoft has introduced a new Windows tool for eliminating malicious software this November. The next scheduled Update Tuesday is set for December 10, 2024.
