Microsoft Patch Tuesday security updates for November 2024 fix two actively exploited zero-days

Microsoft Patch Tuesday security updates for November 2024 addressed 89 vulnerabilities, including two actively exploited zero-day flaws.

Microsoft Patch Tuesday security updates for November 2024 fixed 89 vulnerabilities in Windows and Windows Components; Office and Office Components; Azure; .NET and Visual Studio; LightGBM; Exchange Server; SQL Server; TorchGeo; Hyper-V; and Windows VMSwitch.

Four of these vulnerabilities are rated Critical, 84 are rated Important, and one is rated Moderate in severity. Microsoft has addressed a total of 949 vulnerabilities this year.

“Microsoft lists three of these CVEs as publicly known, but I disagree and put the count at five (more on that later),” reads the post published by the Zero Day Initiative. “They also list two as being exploited in the wild at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the vulnerabilities currently under active attack:”

Two of the vulnerabilities, tracked as CVE-2024-43451 and CVE-2024-49039, are listed as being exploited in the wild at the time of release. Below are the descriptions for these two vulnerabilities:

  • CVE-2024-43451: An NTLM Hash Disclosure Spoofing vulnerability in MSHTML allows attackers to extract a user’s NTLMv2 hash via Internet Explorer components in the WebBrowser control. Although user interaction is needed, attackers can still exploit this to impersonate the victim. Immediate patching is recommended.
  • CVE-2024-49039: A Windows Task Scheduler privilege escalation flaw allows AppContainer escape, enabling low-privileged users to run code at Medium integrity. It was discovered by multiple researchers and is actively exploited across different regions, highlighting its potential impact.

The most severe vulnerability addressed by the IT giant is an Azure CycleCloud Remote Code Execution issue tracked as CVE-2024-43602 (CVSS score of 9.9). An attacker with basic user permissions can exploit Azure CycleCloud by sending crafted requests to gain root access, allowing command execution across clusters and potential administrator credential compromise.

Microsoft also addressed a .NET and Visual Studio Remote Code Execution issue tracked as CVE-2024-43498 (CVSS score 9.8). CVE-2024-43498 allows remote code execution via crafted requests to .NET web apps or files loaded by desktop apps.

The full list of vulnerabilities Microsoft addresses with Patch Tuesday security updates for November 2024 is available here.

Pierluigi Paganini

(SecurityAffairs – hacking, Patch Tuesday)