Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws

Right this moment is Microsoft’s November 2024 Patch Tuesday, which incorporates safety updates for 89 flaws, together with 4 zero-days, two of that are actively exploited.

This Patch Tuesday mounted 4 crucial vulnerabilities, which embody two distant code execution and two elevation of privileges flaws.

The variety of bugs in every vulnerability class is listed beneath:

• 26 Elevation of Privilege vulnerabilities
• 2 Safety Characteristic Bypass vulnerabilities
• 52 Distant Code Execution vulnerabilities
• 1 Data Disclosure vulnerability
• 4 Denial of Service vulnerabilities
• 3 Spoofing vulnerabilities

This rely doesn’t embody two Edge flaws that have been beforehand mounted on November seventh.

To be taught extra in regards to the non-security updates launched immediately, you’ll be able to overview our devoted articles on the brand new Home windows 11 KB5046617 and KB5046633 cumulative updates and the Home windows 10 KB5046613 replace.

4 zero-days disclosed

This month’s Patch Tuesday fixes 4 zero-days, two of which have been actively exploited in assaults, and three have been publicly disclosed.

Microsoft classifies a zero-day flaw as one that’s publicly disclosed or actively exploited whereas no official repair is obtainable.

The 2 actively exploited zero-day vulnerabilities in immediately’s updates are:

CVE-2024-43451 – NTLM Hash Disclosure Spoofing Vulnerability

Microsoft has mounted a vulnerability that exposes NTLM hashes to distant attackers with minimal interplay with a malicious file.

“This vulnerability discloses a user’s NTLMv2 hash to the attacker who could use this to authenticate as the user,” defined Microsoft.

“Minimal interaction with a malicious file by a user such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing could trigger this vulnerability,” continued Microsoft.

Microsoft says Israel Yeshurun of ClearSky Cyber Security found this vulnerability and that it was publicly disclosed, however didn’t share any additional particulars.

CVE-2024-49039 – Home windows Process Scheduler Elevation of Privilege Vulnerability

A specifically crafted utility might be executed that elevates privilege to Medium Integrity degree.

“In this case, a successful attack could be performed from a low privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment,” defined Microsoft.

Microsoft says that exploiting this vulnerability would permit attackers to execute RPC features which are usually restricted to privileged accounts.

The flaw was found by Vlad Stolyarov and Bahare Sabouri of Google’s Risk Evaluation Group.

It’s not recognized how the flaw was exploited in assaults.

The opposite three vulnerabilities that have been publicly disclosed however not exploited in assaults are:

CVE-2024-49040 – Microsoft Alternate Server Spoofing Vulnerability

Microsoft has mounted a Microsoft Alternate vulnerability that enables menace actors to spoof the sender’s electronic mail tackle in emails to native recipients.

“Microsoft is conscious of a vulnerability (CVE-2024-49040) that enables attackers to run spoofing assaults towards Microsoft Alternate Server,” explains a associated advisory by Microsoft.

“The vulnerability is caused by the current implementation of the P2 FROM header verification, which happens in transport.”

Beginning with this month’s Microsoft Alternate safety updates, Microsoft is now detecting and flagging spoofed emails with an alert prepended to the e-mail physique that states, “Notice: This email appears to be suspicious. Do not trust the information, links, or attachments in this email without verifying the source through a trusted method.”

Microsoft says the flaw was found by Slonser at Solidlab, who publicly disclosed the flaw in this text.

CVE-2024-49019 – Energetic Listing Certificates Companies Elevation of Privilege Vulnerability

Microsoft mounted a flaw that enables attackers to realize area administrator privileges by abusing built-in default model 1 certificates templates.

“Examine when you’ve got printed any certificates created utilizing a model 1 certificates template the place the Supply of topic identify is about to “Provided within the request” and the Enroll permissions are granted to a broader set of accounts, such as domain users or domain computers,” explains Microsoft.

“An example is the built-in Web Server template, but it is not vulnerable by default due to its restricted Enroll permissions.”

The flaw was found by Lou Scicchitano, Scot Berner, and Justin Bollinger with TrustedSec, who disclosed the “EKUwu” vulnerability in October.

“Using built-in default version 1 certificate templates, an attacker can craft a CSR to include application policies that are preferred over the configured Extended Key Usage attributes specified in the template,” reads TrustedSec’s report.

“The only requirement is enrollment rights, and it can be used to generate client authentication, certificate request agent, and codesigning certificates using the WebServer template.”

As defined above, CVE-2024-43451 was additionally publicly disclosed.

Current updates from different firms

Different distributors who launched updates or advisories in November 2024 embody:

• Adobe launched safety updates for quite a few purposes, together with Photoshop, Illustrator, and Commerce.
• Cisco releases safety updates for a number of merchandise, together with Cisco Telephones, Nexus Dashboard, Id Companies Engine, and extra.
• Citrix releases safety updates for NetScaler ADC and NetScaler Gateway vulnerabilities. Additionally they launched an replace for the Citrix Digital Apps and Desktops reported by Watchtowr.
• Dell releases safety updates for code execution and safety bypass flaws in SONiC OS.
• D-Hyperlink releases a safety replace for a crucial DSL6740C flaw that enables modification of account passwords.
• Google launched Chrome 131, which incorporates 12 safety fixes. No zero-days.
• Ivanti releases safety updates for twenty-five vulnerabilities in Ivanti Join Safe (ICS), Ivanti Coverage Safe (IPS), Ivanti Safe Entry Consumer (ISAC).
• SAP releases safety updates for a number of merchandise as a part of November Patch Day.
• Schneider Electrical releases safety updates for flaws in Modicon M340, Momentum, and MC80 merchandise.
• Siemens launched a safety replace for a crucial 10/10 flaw in TeleControl Server Fundamental tracked as CVE-2024-44102.

The November 2024 Patch Tuesday Safety Updates

Under is the whole listing of resolved vulnerabilities within the November 2024 Patch Tuesday updates.

To entry the complete description of every vulnerability and the techniques it impacts, you’ll be able to view the full report right here.

Replace 11/13/24: Modified variety of flaws to 89 as we beforehand included Edge flaws mounted on November 7.