On November 12, 2024, Microsoft released security updates for Windows clients and servers, for Office and for other products. The security updates eliminate 87 vulnerabilities (CVEs), including four critical vulnerabilities; four vulnerabilities are classified as 0-day, two of which are already being exploited. Below is a compact overview of the updates released on Patchday.
Notes on the updates
You can find a list of updates on this Microsoft page. Details on the update packages for Windows, Office etc. are available in separate blog posts.
Windows 10/11, Windows Server
All Windows 10/11 updates (as well as the updates of the server counterparts) are cumulative. The monthly Patchday update contains all security fixes for these Windows versions – as well as all non-security fixes up to Patchday. In addition to the security patches for the vulnerabilities, the updates also contain fixes to correct errors or new features.
Windows Server 2012 R2
Windows Server 2012/R2 will receive regular security updates until October 2023. After this date, an ESU license will be required to obtain further security updates (Windows Server 2012/R2 gets Extended Security Updates (ESU) until October 2026).
Fixed vulnerabilities
Tenable has published this blog post with an overview of the vulnerabilities that have been fixed. Here are some of the critical vulnerabilities that have been fixed:
- CVE-2024-43451: NTLM Hash Disclosure Spoofing vulnerability, CVSSv3 score 6.5, important; An attacker could exploit this vulnerability, rated important, by tricking a user into opening a specially crafted file. Successful exploitation would lead to unauthorized disclosure of the user's NTLMv2 hash, which an attacker could then use to authenticate as that user on the system. According to Microsoft, CVE-2024-43451 has been exploited in the wild as a zero-day. No further details on this vulnerability were available at the time of publication of this blog post.
- CVE-2024-49039: Windows Task Scheduler Elevation of Privilege vulnerability, CVSSv3 score 8.8, important; An attacker with local access to a vulnerable system could exploit this vulnerability by running a specially crafted application. If successfully exploited, an attacker could access resources that would otherwise be unavailable to them and execute code, such as remote procedure call (RPC) functions. According to Microsoft, CVE-2024-49039 was exploited in the wild as a zero-day. It was disclosed to Microsoft by an anonymous researcher along with Vlad Stolyarov and Bahare Sabouri from Google's Threat Analysis Group. At the time of publishing this blog post, no further details about the exploitation in the wild were available.
- CVE-2024-49019: Active Directory Certificate Services Elevation of Privilege vulnerability, CVSSv3 score 7.8, important; According to Microsoft, an attacker can gain administrative privileges if the vulnerability is successfully exploited. The advisory notes that "certificates created with a version 1 certificate template where the subject source is set to 'Specified in the request'" are potentially affected if the template is not secured according to best practices. This vulnerability is classified as "Exploitation More Likely" according to Microsoft's Exploitability Index. The Microsoft advisory also contains several measures for securing certificate templates, which we strongly recommend reviewing.
- CVE-2024-49040: Microsoft Exchange Server Spoofing vulnerability, CVSSv3 score 7.5, important; According to Microsoft, this vulnerability was publicly disclosed before a patch was made available. After applying the update, administrators should read the support article Exchange Server non-RFC compliant P2 FROM header detection. The supplemental guide notes that the November Exchange Server update flags suspicious emails that may contain "malicious patterns in the P2 FROM header" as part of a "secure by default" approach. Although this feature can be disabled, Microsoft strongly recommends leaving it enabled to provide further protection against phishing attempts and malicious emails.
- CVE-2024-43639: Windows Kerberos Remote Code Execution vulnerability, CVSSv3 score 9.8, critical; This critical RCE vulnerability affects Windows Kerberos, the authentication protocol used to verify user or host identities, and has been rated "Exploitation Less Likely". To exploit it, an unauthenticated attacker must exploit a vulnerability in the cryptographic protocol to achieve RCE. At the time of publication of this blog post, no further details on this vulnerability had been disclosed by Microsoft.
- CVE-2024-38255: one of a total of 29 SQL Server Native Client Remote Code Execution vulnerabilities, CVSSv3 score 8.8, important; all of these CVEs have been rated "Exploitation Less Likely". Successful exploitation of these vulnerabilities can be achieved by tricking an authenticated user into connecting to a malicious SQL Server database with an affected driver. A full list of these CVEs is included in the Tenable post.
- CVE-2024-43602: Azure CycleCloud Remote Code Execution vulnerability, CVSSv3 score 9.9, important; RCE vulnerability in Microsoft's Azure CycleCloud, a tool that helps manage and orchestrate high-performance computing (HPC) environments in Azure. This vulnerability received the highest CVSSv3 rating of the month, a 9.9, but was only rated as important. A user with basic privileges could exploit CVE-2024-43602 by sending specially crafted requests to a vulnerable Azure CycleCloud cluster to change its configuration. If successfully exploited, the user would gain root privileges to execute commands on any cluster in Azure CycleCloud and steal administrator credentials.
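To find out which templates in your own forest match the condition Microsoft names for CVE-2024-49019 (a version 1 template whose subject is "Specified in the request"), the following PowerShell inventory can be run from a domain-joined machine. It is an added example, not code from this post or from Microsoft's advisory; it assumes the RSAT ActiveDirectory module is installed and the account has read access to the forest's Configuration naming context.

```powershell
# Added example (not from the original post or Microsoft's advisory): list
# version 1 certificate templates with the "Specified in the request" subject
# source, who holds the Enroll right on them, and whether a CA publishes them.
# Assumes the RSAT ActiveDirectory module and read access to the Configuration NC.
Import-Module ActiveDirectory

# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1) in msPKI-Certificate-Name-Flag is the
# attribute bit behind the "Specified in the request" subject-source setting.
$EnrolleeSuppliesSubject = 0x00000001
# Extended right GUID for Certificate-Enrollment ("Enroll") on a template object.
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Templates published on an enterprise CA; unpublished templates cannot be enrolled.
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties 'certificateTemplates' |
    ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Template-Schema-Version', 'msPKI-Certificate-Name-Flag', 'nTSecurityDescriptor'

$findings = foreach ($t in $templates) {
    $schema = [int]$t.'msPKI-Template-Schema-Version'
    # The flag attribute is stored as a signed 32-bit value; widen it before bit-testing.
    $flags  = [int64]$t.'msPKI-Certificate-Name-Flag'
    if (($schema -ne 1) -or (($flags -band $EnrolleeSuppliesSubject) -eq 0)) { continue }

    # Identities allowed to enroll: Enroll extended right (or all extended rights) or GenericAll.
    $enrollers = $t.nTSecurityDescriptor.Access |
        Where-Object {
            ($_.AccessControlType -eq 'Allow') -and (
                (($_.ActiveDirectoryRights -band $GenericAll) -ne 0) -or
                ((($_.ActiveDirectoryRights -band $ExtendedRight) -ne 0) -and
                 (($_.ObjectType -eq $EnrollRightGuid) -or ($_.ObjectType -eq [guid]::Empty))))
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        Template  = $t.Name
        Published = ($published -contains $t.Name)
        Enrollers = ($enrollers -join ', ')
    }
}

# Published templates with broad Enroll groups are the ones to review first.
$findings | Sort-Object Published -Descending | Format-Table -AutoSize
```

The output is an inventory only; the hardening steps to apply to the listed templates are those in Microsoft's advisory for CVE-2024-49019.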
A list of all CVEs discovered can be found on this Microsoft page; excerpts are available at Tenable. Below is the list of patched products:
- .NET and Visual Studio
- Airlift.microsoft.com
- Azure CycleCloud
- Azure Database for PostgreSQL
- LightGBM
- Microsoft Exchange Server
- Microsoft Graphics Component
- Microsoft Office Excel
- Microsoft Office Word
- Microsoft PC Manager
- Microsoft Virtual Hard Drive
- Microsoft Windows DNS
- Role: Windows Hyper-V
- SQL Server
- TorchGeo
- Visual Studio
- Visual Studio Code
- Windows Active Directory Certificate Services
- Windows CSC Service
- Windows DWM Core Library
- Windows Defender Application Control (WDAC)
- Windows Kerberos
- Windows Kernel
- Windows NT OS Kernel
- Windows NTLM
- Windows Package Library Manager
- Windows Registry
- Windows SMB
- Windows SMBv3 Client/Server
- Windows Secure Kernel Mode
- Windows Task Scheduler
- Windows Telephony Service
- Windows USB Video Driver
- Windows Update Stack
- Windows VMSwitch
- Windows Win32 Kernel Subsystem
Similar articles:
Microsoft Security Update Summary (November 12, 2024)
Patchday: Windows 10/Server Updates (November 12, 2024)
Patchday: Windows 11/Server 2022 Updates (November 12, 2024)
Patchday: Windows Server 2012 / R2 and Windows 7 (November 12, 2024)
Patchday: Microsoft Office Updates (November 12, 2024)