November Patch Tuesday Brings Cornucopia Of 89 Fixes To Windows
Microsoft has delivered a bounty of patches this November in its latest edition of Patch Tuesday.
The November 2024 edition of the Windows update cycle has brought with it critical fixes for Windows, Office, and SQL Server.
Fortunately for users and administrators, there are only four vulnerabilities that were deemed “critical” by Microsoft. The vast majority (84 out of 89) were classified as “important” flaws that generally require the threat actor to already have local access to the vulnerable system.
Five of the vulnerabilities are currently being exploited in the wild and should be made a top priority for testing and deployment.
Among the more pressing flaws is CVE-2024-43451. The vulnerability is a key disclosure flaw in Internet Explorer that is currently being exploited in the wild. Threat actors have been able to exploit a bug in MSHTML that lets the bad guys access the victim’s NTLMv2 hash.
You read that right. It is the year 2024 and Internet Explorer can still be… (wait, I’m pretty sure someone has done this before.)
“User interaction is required, but that doesn’t seem to stop these attacks from being effective,” noted researcher Dustin Childs of the Trend Micro Zero Day Initiative.
“As always, Microsoft does not give any indication of how widespread these attacks are, but I would not wait to test and deploy this update.”
Also on the priority list should be CVE-2024-43639. Rated as a 9.8 CVSS vulnerability, the flaw allows the attacker to achieve remote code execution on a vulnerable Windows Server system via Kerberos commands.
“Since Kerberos runs with elevated privileges, that makes this a wormable bug between affected systems,” noted Childs.
“What systems are impacted? Every supported version of Windows Server.”
Other high-priority fixes include an actively exploited flaw in Windows Task Scheduler (CVE-2024-49039) that could allow for elevation of privilege and a remote code execution flaw in .NET and Visual Studio (CVE-2024-43498).
The remainder of the vulnerabilities were found in Azure, Office, and SQL Server. Those flaws are considered less severe because they cannot be exploited remotely.
“These require an affected system to connect to a malicious SQL database, so the likelihood of exploitation is pretty low,” noted Childs.
“There is one SQL bug that requires additional attention. CVE-2024-49043 requires an update to OLE DB Driver 18 or 19, but may also require third-party fixes, too. Ensure you read that one carefully and apply all the needed fixes.”