November’s Patch Tuesday brings a large set of security updates from Microsoft, addressing 89 vulnerabilities across the supported Windows versions and Microsoft applications. Four of them are rated “critical,” and all but one of the remainder are rated “important” (high risk). Two Windows vulnerabilities are already being exploited in the wild, and the release closes six zero-day flaws in total. It also makes 2024 the year with the second-highest number of patched Microsoft vulnerabilities on record, even before the year is over.

The largest share of the patched vulnerabilities (37) affects Windows 10, Windows 11, and Windows Server. Windows 7 and 8.1 no longer receive security updates, so machines still running them remain exposed; where possible, upgrade to Windows 10 22H2 or Windows 11 23H2 to keep receiving patches. Windows 10 reaches end of support in October 2025, which makes Windows 11 the more viable long-term option. The Windows 11 24H2 update is available but is still causing problems for some users, so staying on 23H2 for now may be prudent.

The two flaws already exploited in the wild are CVE-2024-43451, a spoofing vulnerability in the MSHTML platform that discloses the user’s NTLMv2 hash to an attacker (who can relay or crack it to authenticate as that user), and CVE-2024-49039, an elevation-of-privilege flaw in the Windows Task Scheduler that lets malicious code escape an AppContainer sandbox and potentially cause widespread damage. Among the vulnerabilities rated critical, CVE-2024-43639 in the Windows Kerberos protocol allows unauthenticated remote code execution (RCE) with elevated privileges and is potentially wormable across networks. Another critical RCE, CVE-2024-43498 in .NET and Visual Studio, allows attackers to inject and execute code via specially crafted web requests.
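NTLM hash disclosure bugs such as CVE-2024-43451 only pay off for the attacker when the victim machine authenticates outbound (typically over SMB) to a server the attacker controls. The following PowerShell script is an added example, not code from the article or from Microsoft: it reads and sets the standard “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” policy, adds a Windows Firewall rule that blocks SMB to addresses outside the local subnets, and lists recent outbound NTLM authentications from the NTLM operational log. The registry value name, the event ID and the “Internet” firewall address keyword are standard Windows settings; the firewall rule name is chosen here. This is a stop-gap for hosts that cannot take the update immediately, not a replacement for it.

```powershell
# Added example, not code from the original article. Mitigations for Windows
# clients that cannot install the November 2024 update immediately.
# NTLM hash disclosure bugs such as CVE-2024-43451 need the victim to
# authenticate outbound to an attacker-controlled server, so the aim is to
# stop outbound NTLM from leaving the network and to log whatever still happens.
# Run in an elevated session. Assumptions: the Lsa\MSV1_0 policy value and the
# NTLM operational log are the standard "Restrict NTLM" settings, and "Internet"
# is the built-in Windows Firewall address keyword for non-local addresses.

#Requires -RunAsAdministrator

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-NtlmOutboundPolicy {
    # RestrictSendingNTLMTraffic: 0 or absent = allow all, 1 = audit all, 2 = deny all
    $p = Get-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue
    if ($null -eq $p) { 0 } else { [int]$p.RestrictSendingNTLMTraffic }
}

function Set-NtlmOutboundPolicy {
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Mode)
    # Mode 2 also breaks NTLM to legitimate non-domain servers; list those in the
    # ClientAllowedNTLMServers multi-string value before moving from 1 to 2.
    Set-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -Value $Mode -Type DWord
}

function Block-OutboundSmbToInternet {
    # Block SMB (TCP 139/445) to non-local addresses. WebDAV rides on 80/443 and
    # is not covered here; that is what the NTLM policy above is for.
    $name = 'Block outbound SMB to Internet (NTLM hash leak mitigation)'   # chosen name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
            -Protocol TCP -RemotePort 139, 445 -RemoteAddress Internet -Profile Any | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name
}

function Get-RecentOutboundNtlm {
    param([int]$Hours = 24)
    # Event 8001 in the NTLM operational log records each outgoing NTLM
    # authentication to a remote server once the policy is set to 1 or 2.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

"Outbound NTLM policy before: $(Get-NtlmOutboundPolicy)"
Set-NtlmOutboundPolicy -Mode 1      # audit first; move to 2 after reviewing the 8001 events
Block-OutboundSmbToInternet | Select-Object DisplayName, Enabled, Action
Get-RecentOutboundNtlm -Hours 24 | Format-Table -Wrap
```

Start with audit mode (1) and review the 8001 events for a day or two before switching to deny (2), otherwise you will cut off legitimate NTLM logons to non-domain file servers along with the attacker’s. In a domain, push the same settings through Group Policy rather than per host.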

Microsoft also patched several vulnerabilities in the Windows Telephony Service: six RCE vulnerabilities and one Elevation of Privilege (EoP) flaw. Eight vulnerabilities were addressed across Microsoft Office, including seven RCE flaws in Excel and one Security Feature Bypass (SFB) in Word. SQL Server alone accounts for over a third of this month’s total, with 31 RCE vulnerabilities.

For users relying on SQL Server, note that CVE-2024-49043, a flaw in the Microsoft OLE DB Driver for SQL Server, is not covered by the SQL Server update alone: it requires updating the OLE DB driver itself, and possibly updates from third-party vendors whose products depend on that driver.
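Because the OLE DB driver is installed and versioned separately from SQL Server, and third-party products may carry their own copy, the fix for CVE-2024-49043 needs to be tracked per driver installation rather than per SQL Server instance. The script below is an added example, not code from the article or from Microsoft: it inventories the Microsoft OLE DB Driver for SQL Server on a host from both the Uninstall registry keys and the driver DLLs, and flags versions below a minimum. The minimum fixed versions it carries (18.7.4 for Driver 18, 19.3.5 for Driver 19) are this editor’s recollection of the Microsoft advisory and must be confirmed against the advisory’s update table before the output is acted on; the DLL names and locations are the driver’s standard install paths.

```powershell
# Added example, not code from the original article. Inventories the Microsoft
# OLE DB Driver for SQL Server on a host so CVE-2024-49043 can be tracked
# separately from the SQL Server update.
# Assumptions: the minimum fixed versions below are as recalled from the
# Microsoft advisory (verify them there before acting on the output); Driver 18
# ships as msoledbsql.dll and Driver 19 as msoledbsql19.dll, x64 copies in
# System32 and x86 copies in SysWOW64. Third-party products that bundle the
# driver appear here only if they register it under the standard Uninstall keys,
# which is why the DLLs are inspected directly as well.

$minFixed = @{ 18 = [version]'18.7.4'; 19 = [version]'19.3.5' }   # assumed, verify

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-VersionOrNull([string]$s) {
    # Returns $null instead of throwing when a version string is empty or odd.
    try { [version]$s } catch { $null }
}

function Get-InstalledMsoledbsql {
    # Driver packages installed via the MSI register here with a DisplayVersion.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft OLE DB Driver * for SQL Server*' } |
        ForEach-Object {
            [pscustomobject]@{
                Item    = $_.DisplayName
                Version = ConvertTo-VersionOrNull $_.DisplayVersion
                Source  = 'Uninstall registry'
            }
        }
}

function Get-MsoledbsqlDllVersions {
    # File-level check: catches copies the registry does not know about.
    foreach ($dir in "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") {
        foreach ($dll in 'msoledbsql.dll', 'msoledbsql19.dll') {
            $path = Join-Path $dir $dll
            if (Test-Path $path) {
                [pscustomobject]@{
                    Item    = $path
                    Version = ConvertTo-VersionOrNull (Get-Item $path).VersionInfo.ProductVersion
                    Source  = 'File'
                }
            }
        }
    }
}

function Test-Msoledbsql {
    $found = @(Get-InstalledMsoledbsql) + @(Get-MsoledbsqlDllVersions)
    if (-not $found) { Write-Warning 'No Microsoft OLE DB Driver for SQL Server found on this host.' }
    foreach ($d in $found) {
        $min = if ($d.Version) { $minFixed[[int]$d.Version.Major] }
        $status = if (-not $d.Version)          { 'UNKNOWN: version could not be read' }
                  elseif (-not $min)            { 'UNKNOWN major version: check the advisory' }
                  elseif ($d.Version -lt $min)  { "VULNERABLE: needs $min or later" }
                  else                          { 'patched' }
        $d | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
    }
}

Test-Msoledbsql | Format-Table -AutoSize
```

A host that reports only “File” entries has a driver copy that no installer registered, which is the third-party case the article warns about: the vendor that shipped it, not Microsoft’s driver package, has to supply the update. Run the script across the SQL Server hosts and any application servers that talk to them, since the vulnerable component is the client-side driver.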