Microsoft and Adobe Patch Tuesday, November 2024 Security Update Review

Diksha Ojha

Last updated on: November 13, 2024

Microsoft has released its November 2024 Patch Tuesday updates, targeting various vulnerabilities that could impact users and organizations worldwide. From zero-day threats to key product patches, here’s what’s crucial to apply this month. Here’s a breakdown of the updates and how they impact your security posture.

Microsoft Patch Tuesday for November 2024

Microsoft Patch’s Tuesday, November 2024 edition addressed 92 vulnerabilities, including four critical and 83 important severity vulnerabilities. This month’s updates also included one Defense in Depth update for Microsoft SharePoint Server.

In this month’s updates, Microsoft addressed four zero-day vulnerabilities. Two of these vulnerabilities, CVE-2024-49039 and CVE-2024-43451, are known to be exploited in the wild.

Microsoft has addressed two vulnerabilities in Microsoft Edge (Chromium-based) in this month’s updates. 

Microsoft Patch Tuesday, November edition includes updates for vulnerabilities in .NET and Visual Studio, Windows Hyper-V, SQL Server, Windows Kerberos, Windows Kernel, Windows NT OS Kernel, Windows DWM Core Library, Windows Active Directory Certificate Services, and more.

Microsoft has fixed several flaws in multiple software, including Spoofing, Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Security Feature Bypass, and Remote Code Execution (RCE).

The November 2024 Microsoft vulnerabilities are classified as follows:

Vulnerability CategoryQuantitySeverities
Spoofing Vulnerability3Important: 3
Denial of Service Vulnerability4Important: 4
Elevation of Privilege Vulnerability26Critical: 2
Important: 24
Information Disclosure Vulnerability1Important: 1
Remote Code Execution Vulnerability52Critical: 1
Important: 51
Security Feature Bypass Vulnerability2Important: 2

Adobe Patches for November 2024

Adobe has released eight security advisories to address 48 vulnerabilities in Adobe Bridge, Adobe Audition, Adobe After Effects, Substance 3D Painter, Adobe Illustrator, Adobe InDesign, Adobe Photoshop, and Adobe Commerce. 28 vulnerabilities are given critical severity ratings. Successful exploitation of these vulnerabilities may lead to arbitrary code execution.

Zero-day Vulnerabilities Patched in November Patch Tuesday Edition

CVE-2024-43451: NTLM Hash Disclosure Spoofing Vulnerability

An NTLM hash is a cryptographic format that stores user passwords on Windows systems. It’s a key part of the authentication process for users and computers on domains, home networks, and workgroup networks.

Upon successful exploitation, an attacker may disclose a user’s NTLMv2 hash to the attacker, who could use this to authenticate as the user.

CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before December 3, 2024.

CVE-2024-49040: Microsoft Exchange Server Spoofing Vulnerability

Microsoft Exchange Server is a mail and calendaring server that runs exclusively on Windows. Exchange Server includes calendaring software, email, and a place to manage contacts.

Microsoft has not provided any information about the vulnerability.

CVE-2024-49019: Active Directory Certificate Services Elevation of Privilege Vulnerability

Active Directory Certificate Services (AD CS) is a Windows server role that manages and issues public key infrastructure (PKI) certificates. These certificates authenticate users, devices, and computers on a network and encrypt and digitally sign messages and documents.

An attacker may gain domain administrator privileges on successful exploitation.

CVE-2024-49039: Windows Task Scheduler Elevation of Privilege Vulnerability

Task Scheduler is a built-in Windows utility that allows users to automate the execution of programs, scripts, and various tasks at specific intervals or specific events. It simplifies the process of running repetitive tasks, managing background processes, and scheduling maintenance activities on a computer.

An authenticated attacker may exploit the vulnerability to run a specially crafted application on the target system. Upon successful exploitation, an attacker may execute RPC functions restricted to privileged accounts only.

CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before October 29, 2024.

Critical Severity Vulnerabilities Patched in November Patch Tuesday Edition

CVE-2024-43625: Microsoft Windows VMSwitch Elevation of Privilege Vulnerability 

A Microsoft Windows VMSwitch, or virtual switch, is a software program that allows virtual machines (VMs) to communicate with each other and physical networks. VMSwitches are available in Hyper-V Manager when the Hyper-V server role is installed.

Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment and prepare the target environment. Upon successful exploitation, an attacker may gain SYSTEM privileges.

CVE-2024-43639: Windows Kerberos Remote Code Execution Vulnerability

Windows Kerberos is a protocol that verifies user and host identities on a network. Kerberos uses a Key Distribution Center (KDC) and symmetric key cryptography to authenticate users. It assumes that transactions between clients and servers occur on an open network, where packets can be monitored and modified.

An unauthenticated attacker could use a specially crafted application to exploit a cryptographic protocol vulnerability in Windows Kerberos to perform remote code execution against the target.

CVE-2024-49056: Airlift.microsoft.com Elevation of Privilege Vulnerability

The authentication bypass vulnerability by assumed-immutable data on airlift.microsoft.com may allow an authorized attacker to elevate privileges over a network.

CVE-2024-43498: .NET and Visual Studio Remote Code Execution Vulnerability

A remote unauthenticated attacker may exploit this vulnerability by sending specially crafted requests to a vulnerable .NET webapp or loading a specially crafted file into a vulnerable desktop app.

Other Microsoft Vulnerability Highlights

  • CVE-2024-43623 is an elevation of privilege vulnerability in Windows NT OS Kernel. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
  • CVE-2024-43630 is an elevation of privilege vulnerability in Windows Kernel. Upon successful exploitation, an attacker may gain SYSTEM privileges.
  • CVE-2024-43629 is an elevation of privilege vulnerability in Windows DWM Core Library. An attacker may exploit the vulnerability to gain SYSTEM privileges.
  • CVE-2024-43636 is an elevation of privilege vulnerability in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
  • CVE-2024-43642 is a denial-of-service vulnerability in Windows SMB. An attacker may exploit the vulnerability to create a denial-of-service (DoS) attack.
  • CVE-2024-49033 is a security feature bypass vulnerability in Microsoft Word. Successful exploitation of the vulnerability may allow an attacker to bypass specific functionality of the Office Protected View.

Microsoft Release Summary

This month’s release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, Windows Package Library Manager, SQL Server, Microsoft Virtual Hard Drive, Windows SMBv3 Client/Server, Windows USB Video Driver, Microsoft Windows DNS, Windows NTLM, Windows Registry, .NET and Visual Studio, Windows Update Stack, LightGBM, Azure CycleCloud, Azure Database for PostgreSQL, Windows Telephony Service, Windows NT OS Kernel, Windows Hyper-V, Windows VMSwitch, Windows DWM Core Library, Windows Kernel, Windows Secure Kernel Mode, Windows Kerberos, Windows SMB, Windows CSC Service, Windows Defender Application Control (WDAC), Windows Active Directory Certificate Services, Microsoft Office Excel, Microsoft Graphics Component, Microsoft Office Word, Windows Task Scheduler, Microsoft Exchange Server, Visual Studio, Windows Win32 Kernel Subsystem, TorchGeo, Visual Studio Code, Microsoft PC Manager, Airlift.microsoft.com, Microsoft Edge (Chromium-based), and Microsoft Defender for Endpoint.

Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)

Qualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledgebase (KB).

You can see all your impacted hosts by these vulnerabilities using the following QQL query:

vulnerabilities.vulnerability: ( qid: 110480 or qid: 110481 or qid: 382336 or qid: 50139 or qid: 92186 or qid: 92187 or qid: 92188 or qid: 92189 or qid: 92190 or qid: 92191 or qid: 92192 or qid: 92193) 

Rapid Response with Patch Management (PM)

VMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the “Missing” patches to identify and deploy the applicable, available patches with one click.

The following QQL will return the missing patches for this Patch Tuesday:

( qid: 110480 or qid: 110481 or qid: 382336 or qid: 50139 or qid: 92186 or qid: 92187 or qid: 92188 or qid: 92189 or qid: 92190 or qid: 92191 or qid: 92192 or qid: 92193) 

EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)

With Qualys Policy Compliance’s Out-of-the-Box Mitigation or Compensatory Controls reduce the risk of a vulnerability being exploited because the remediation (fix/patch) cannot be done now, these security controls are not recommended by any industry standards such as CIS, DISA-STIG.

Qualys Policy Compliance team releases these exclusive controls based on Vendor-suggested Mitigation/Workaround.

Mitigation refers to a setting, common configuration, or general best practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability.

A workaround is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn’t working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned.

The following Qualys Policy Compliance Control IDs (CIDs), and System Defined Controls (SDC) have been updated to support Microsoft recommended mitigation(s) for this Patch Tuesday:

CVE-2024-49019: Active Directory Certificate Services Elevation of Privilege Vulnerability

This vulnerability has a CVSS: 3.1 7.8 / 6.8

Policy Compliance Control IDs (CIDs):

  • 10018 Status of the ‘Certificate Services Client – Auto Enrollment: Enroll user and computer certificates automatically’ setting
  • 27406 Status of the ‘Certificate Templates can be edited by Everyone’ on the domain
  • 27409 Status of the ‘Authentication Certificate Templates allow users to control the subject’ on the host
  • 28125 Status of the ‘Certificate templates’ configured on the host

The following QQL will return a posture assessment for the CIDs for this Patch Tuesday:

control.id: [10018,27406,27409,28125]

The next Patch Tuesday falls on December 10, and we’ll be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to “This Month in Vulnerabilities and Patch’s webinar.’

Qualys Monthly Webinar Series

The Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys Vulnerability Management Detection Response (VMDR) and Qualys Patch Management. Combining these two solutions can reduce the median time to remediate critical vulnerabilities.

During the webcast, we will discuss this month’s high-impact vulnerabilities, including those that are a part of this month’s Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management.


Join the webinar

This Month in Vulnerabilities & Patches

Show Comments (2)

Comments

Your email address will not be published. Required fields are marked *

  1. Diksha,

    Thanks for your post! The Microsoft patch tuesday has only 2 vulnerabilities that are known to be exploited: CVE-2024-49039 and CVE-2024-43451.

    In the links provided for CVE-2024-49040 and CVE-2024-49019, Microsoft set the value of exploited to No.

  2. Based on the CVE IDs currently listed in this blog, Qualys’ Knowledgebase (at the time of this post) provides the following QIDs that can be used for rapid patch management:

    (qid: 92189 or qid: 92186 or qid: 50139 or qid: 92190 or qid: 92187 or qid: 110480)