Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws
12 mins read

Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws

Today is Microsoft’s November 2024 Patch Tuesday, which includes security updates for 91 flaws, including four zero-days, two of which are actively exploited.

This Patch Tuesday fixed four critical vulnerabilities, which include two remote code execution and two elevation of privileges flaws.

The number of bugs in each vulnerability category is listed below:

  • 26 Elevation of Privilege vulnerabilities
  • 2 Security Feature Bypass vulnerabilities
  • 52 Remote Code Execution vulnerabilities
  • 1 Information Disclosure vulnerability
  • 4 Denial of Service vulnerabilities
  • 3 Spoofing vulnerabilities

This count does not include two Edge flaws that were previously fixed on November 7th.

To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5046617 and KB5046633 cumulative updates and the Windows 10 KB5046613 update.

Four zero-days disclosed

This month’s Patch Tuesday fixes four zero-days, two of which were actively exploited in attacks, and three were publicly disclosed.

Microsoft classifies a zero-day flaw as one that is publicly disclosed or actively exploited while no official fix is available.

The two actively exploited zero-day vulnerabilities in today’s updates are:

CVE-2024-43451 – NTLM Hash Disclosure Spoofing Vulnerability

Microsoft has fixed a vulnerability that exposes NTLM hashes to remote attackers with minimal interaction with a malicious file.

“This vulnerability discloses a user’s NTLMv2 hash to the attacker who could use this to authenticate as the user,” explained Microsoft.

“Minimal interaction with a malicious file by a user such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing could trigger this vulnerability,” continued Microsoft.

Microsoft says Israel Yeshurun of ClearSky Cyber Security discovered this vulnerability and that it was publicly disclosed, but did not share any further details.

CVE-2024-49039 – Windows Task Scheduler Elevation of Privilege Vulnerability

A specially crafted application could be executed that elevates privilege to Medium Integrity level.

“In this case, a successful attack could be performed from a low privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment,” explained Microsoft.

Microsoft says that exploiting this vulnerability would allow attackers to execute RPC functions that are normally restricted to privileged accounts.

The flaw was discovered by Vlad Stolyarov and Bahare Sabouri of Google’s Threat Analysis Group.

It is not known how the flaw was exploited in attacks.

The other three vulnerabilities that were publicly disclosed but not exploited in attacks are:

CVE-2024-49040 – Microsoft Exchange Server Spoofing Vulnerability

Microsoft has fixed a Microsoft Exchange vulnerability that allows threat actors to spoof the sender’s email address in emails to local recipients.

“Microsoft is aware of a vulnerability (CVE-2024-49040) that allows attackers to run spoofing attacks against Microsoft Exchange Server,” explains a related advisory by Microsoft.

“The vulnerability is caused by the current implementation of the P2 FROM header verification, which happens in transport.”

Starting with this month’s Microsoft Exchange security updates, Microsoft is now detecting and flagging spoofed emails with an alert prepended to the email body that states, “Notice: This email appears to be suspicious. Do not trust the information, links, or attachments in this email without verifying the source through a trusted method.”

Microsoft says the flaw was discovered by Slonser at Solidlab, who publicly disclosed the flaw in this article.

CVE-2024-49019 – Active Directory Certificate Services Elevation of Privilege Vulnerability

Microsoft fixed a flaw that allows attackers to gain domain administrator privileges by abusing built-in default version 1 certificate templates.

“Check if you have published any certificates created using a version 1 certificate template where the Source of subject name is set to “Supplied in the request” and the Enroll permissions are granted to a broader set of accounts, such as domain users or domain computers,” explains Microsoft.

“An example is the built-in Web Server template, but it is not vulnerable by default due to its restricted Enroll permissions.”

The flaw was discovered by Lou ScicchitanoScot Berner, and Justin Bollinger with TrustedSec, who disclosed the “EKUwu” vulnerability in October.

“Using built-in default version 1 certificate templates, an attacker can craft a CSR to include application policies that are preferred over the configured Extended Key Usage attributes specified in the template,” reads TrustedSec’s report.

“The only requirement is enrollment rights, and it can be used to generate client authentication, certificate request agent, and codesigning certificates using the WebServer template.”

As explained above, CVE-2024-43451 was also publicly disclosed.

Recent updates from other companies

Other vendors who released updates or advisories in November 2024 include:

  • Adobe released security updates for numerous applications, including Photoshop, Illustrator, and Commerce.
  • Cisco releases security updates for multiple products, including Cisco Phones, Nexus Dashboard, Identity Services Engine, and more.
  • Citrix releases security updates for NetScaler ADC and NetScaler Gateway vulnerabilities. They also released an update for the Citrix Virtual Apps and Desktops reported by Watchtowr.
  • Dell releases security updates for code execution and security bypass flaws in SONiC OS.
  • D-Link releases a security update for a critical DSL6740C flaw that allows modification of account passwords.
  • Google released Chrome 131, which includes 12 security fixes. No zero-days.
  • Ivanti releases security updates for twenty-five vulnerabilities in Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), Ivanti Secure Access Client (ISAC).
  • SAP releases security updates for multiple products as part of November Patch Day.
  • Schneider Electric releases security updates for flaws in Modicon M340, Momentum, and MC80 products.
  • Siemens released a security update for a critical 10/10 flaw in TeleControl Server Basic tracked as CVE-2024-44102.

The November 2024 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the November 2024 Patch Tuesday updates.

To access the full description of each vulnerability and the systems it affects, you can view the full report here.

TagCVE IDCVE TitleSeverity
.NET and Visual StudioCVE-2024-43499.NET and Visual Studio Denial of Service VulnerabilityImportant
.NET and Visual StudioCVE-2024-43498.NET and Visual Studio Remote Code Execution VulnerabilityCritical
Airlift.microsoft.comCVE-2024-49056Airlift.microsoft.com Elevation of Privilege VulnerabilityCritical
Azure CycleCloudCVE-2024-43602Azure CycleCloud Remote Code Execution VulnerabilityImportant
LightGBMCVE-2024-43598LightGBM Remote Code Execution VulnerabilityImportant
Microsoft Defender for EndpointCVE-2024-5535OpenSSL: CVE-2024-5535 SSL_select_next_proto buffer overreadImportant
Microsoft Edge (Chromium-based)CVE-2024-10826Chromium: CVE-2024-10826 Use after free in Family ExperiencesUnknown
Microsoft Edge (Chromium-based)CVE-2024-10827Chromium: CVE-2024-10827 Use after free in SerialUnknown
Microsoft Exchange ServerCVE-2024-49040Microsoft Exchange Server Spoofing VulnerabilityImportant
Microsoft Graphics ComponentCVE-2024-49031Microsoft Office Graphics Remote Code Execution VulnerabilityImportant
Microsoft Graphics ComponentCVE-2024-49032Microsoft Office Graphics Remote Code Execution VulnerabilityImportant
Microsoft Office ExcelCVE-2024-49029Microsoft Excel Remote Code Execution VulnerabilityImportant
Microsoft Office ExcelCVE-2024-49026Microsoft Excel Remote Code Execution VulnerabilityImportant
Microsoft Office ExcelCVE-2024-49027Microsoft Excel Remote Code Execution VulnerabilityImportant
Microsoft Office ExcelCVE-2024-49028Microsoft Excel Remote Code Execution VulnerabilityImportant
Microsoft Office ExcelCVE-2024-49030Microsoft Excel Remote Code Execution VulnerabilityImportant
Microsoft Office SharePointADV240001Microsoft SharePoint Server Defense in Depth UpdateNone
Microsoft Office WordCVE-2024-49033Microsoft Word Security Feature Bypass VulnerabilityImportant
Microsoft PC ManagerCVE-2024-49051Microsoft PC Manager Elevation of Privilege VulnerabilityImportant
Microsoft Virtual Hard DriveCVE-2024-38264Microsoft Virtual Hard Disk (VHDX) Denial of Service VulnerabilityImportant
Microsoft Windows DNSCVE-2024-43450Windows DNS Spoofing VulnerabilityImportant
Role: Windows Active Directory Certificate ServicesCVE-2024-49019Active Directory Certificate Services Elevation of Privilege VulnerabilityImportant
Role: Windows Hyper-VCVE-2024-43633Windows Hyper-V Denial of Service VulnerabilityImportant
Role: Windows Hyper-VCVE-2024-43624Windows Hyper-V Shared Virtual Disk Elevation of Privilege VulnerabilityImportant
SQL ServerCVE-2024-48998SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-48997SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-48993SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-49001SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-49000SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-48999SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-49043Microsoft.SqlServer.XEvent.Configuration.dll Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-43462SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-48995SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-48994SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-38255SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-48996SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-43459SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-49002SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-49013SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-49014SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-49011SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-49012SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-49015SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-49018SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-49021Microsoft SQL Server Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-49016SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-49017SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-49010SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-49005SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-49007SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-49003SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-49004SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-49006SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-49009SQL Server Native Client Remote Code Execution VulnerabilityImportant
SQL ServerCVE-2024-49008SQL Server Native Client Remote Code Execution VulnerabilityImportant
TorchGeoCVE-2024-49048TorchGeo Remote Code Execution VulnerabilityImportant
Visual StudioCVE-2024-49044Visual Studio Elevation of Privilege VulnerabilityImportant
Visual Studio CodeCVE-2024-49050Visual Studio Code Python Extension Remote Code Execution VulnerabilityImportant
Visual Studio CodeCVE-2024-49049Visual Studio Code Remote Extension Elevation of Privilege VulnerabilityModerate
Windows CSC ServiceCVE-2024-43644Windows Client-Side Caching Elevation of Privilege VulnerabilityImportant
Windows Defender Application Control (WDAC)CVE-2024-43645Windows Defender Application Control (WDAC) Security Feature Bypass VulnerabilityImportant
Windows DWM Core LibraryCVE-2024-43636Win32k Elevation of Privilege VulnerabilityImportant
Windows DWM Core LibraryCVE-2024-43629Windows DWM Core Library Elevation of Privilege VulnerabilityImportant
Windows KerberosCVE-2024-43639Windows Kerberos Remote Code Execution VulnerabilityCritical
Windows KernelCVE-2024-43630Windows Kernel Elevation of Privilege VulnerabilityImportant
Windows NT OS KernelCVE-2024-43623Windows NT OS Kernel Elevation of Privilege VulnerabilityImportant
Windows NTLMCVE-2024-43451NTLM Hash Disclosure Spoofing VulnerabilityImportant
Windows Package Library ManagerCVE-2024-38203Windows Package Library Manager Information Disclosure VulnerabilityImportant
Windows RegistryCVE-2024-43641Windows Registry Elevation of Privilege VulnerabilityImportant
Windows RegistryCVE-2024-43452Windows Registry Elevation of Privilege VulnerabilityImportant
Windows Secure Kernel ModeCVE-2024-43631Windows Secure Kernel Mode Elevation of Privilege VulnerabilityImportant
Windows Secure Kernel ModeCVE-2024-43646Windows Secure Kernel Mode Elevation of Privilege VulnerabilityImportant
Windows Secure Kernel ModeCVE-2024-43640Windows Kernel-Mode Driver Elevation of Privilege VulnerabilityImportant
Windows SMBCVE-2024-43642Windows SMB Denial of Service VulnerabilityImportant
Windows SMBv3 Client/ServerCVE-2024-43447Windows SMBv3 Server Remote Code Execution VulnerabilityImportant
Windows Task SchedulerCVE-2024-49039Windows Task Scheduler Elevation of Privilege VulnerabilityImportant
Windows Telephony ServiceCVE-2024-43628Windows Telephony Service Remote Code Execution VulnerabilityImportant
Windows Telephony ServiceCVE-2024-43621Windows Telephony Service Remote Code Execution VulnerabilityImportant
Windows Telephony ServiceCVE-2024-43620Windows Telephony Service Remote Code Execution VulnerabilityImportant
Windows Telephony ServiceCVE-2024-43627Windows Telephony Service Remote Code Execution VulnerabilityImportant
Windows Telephony ServiceCVE-2024-43635Windows Telephony Service Remote Code Execution VulnerabilityImportant
Windows Telephony ServiceCVE-2024-43622Windows Telephony Service Remote Code Execution VulnerabilityImportant
Windows Telephony ServiceCVE-2024-43626Windows Telephony Service Elevation of Privilege VulnerabilityImportant
Windows Update StackCVE-2024-43530Windows Update Stack Elevation of Privilege VulnerabilityImportant
Windows USB Video DriverCVE-2024-43643Windows USB Video Class System Driver Elevation of Privilege VulnerabilityImportant
Windows USB Video DriverCVE-2024-43449Windows USB Video Class System Driver Elevation of Privilege VulnerabilityImportant
Windows USB Video DriverCVE-2024-43637Windows USB Video Class System Driver Elevation of Privilege VulnerabilityImportant
Windows USB Video DriverCVE-2024-43634Windows USB Video Class System Driver Elevation of Privilege VulnerabilityImportant
Windows USB Video DriverCVE-2024-43638Windows USB Video Class System Driver Elevation of Privilege VulnerabilityImportant
Windows VMSwitchCVE-2024-43625Microsoft Windows VMSwitch Elevation of Privilege VulnerabilityCritical
Windows Win32 Kernel SubsystemCVE-2024-49046Windows Win32 Kernel Subsystem Elevation of Privilege VulnerabilityImportant

Update 9/11/24: Updated to explain that only three flaws were actively exploited and why CVE-2024-43491 was marked as exploited.

Leave a Reply

Your email address will not be published. Required fields are marked *