Microsoft’s November Patch Tuesday release addresses 89 vulnerabilities in Windows, SQL Server, .NET, and Microsoft Office, and three zero-day vulnerabilities (CVE-2024-43451, CVE-2024-49019 and CVE-2024-49039) that mean a “Patch Now” recommendation for Windows platforms. Unusually, there are a significant number of patch “re-releases” that may also require administrator attention.
The team at Readiness has provided this infographic describing the risks associated with each of the updates for this cycle. (For a summary of recent Patch Tuesday updates, see Computerworld’s summary here.)
Known issues
Some issues were reported for the September update that have now been fixed, including:
- Business customers report problems with the SSH service failing to start on updated Windows 11 24H2 machines. Microsoft recommended updating file/directory level permissions on SSH program directories (remember to include log files). You can read more about this official solution here.
It seems we are entering a new era of ARM compatibility challenges for Microsoft. However, before we get ahead of ourselves, we really need to solve the (three-month) Roblox problem.
Important revisions
This Patch Tuesday includes the following major revisions:
- CVE-2013-390: WinVerifyTrust signature validation vulnerability. This update was originally published in 2013 via TechNet. It is now available and applies to Windows 10 and 11 users due to a recent change in the EnableCertPaddingCheck Windows API call. We strongly recommend a review of this CVE and its associated Q&A documentation. Remember: if you must set your values in the registry, make sure they are of type DWORD, not REG_SZ.
- CVE-2024-49040: Microsoft Exchange Server phishing vulnerability. When Microsoft updates a CVE (twice) in the same week and the vulnerability is publicly disclosed, it’s time to pay attention. Before applying this Exchange Server update, we strongly recommend that you review the reported header detection problems and mitigating factors.
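The DWORD-versus-REG_SZ caveat for EnableCertPaddingCheck can be checked on a `.reg` file before it is deployed. This is an added example, not code from Microsoft or the original article; the sample export is constructed and its key paths are placeholders, not the real locations.

```python
import re

# Constructed sample .reg export. Key paths are PLACEHOLDERS, not real locations.
# Real exports are usually UTF-16: decode the file to text before checking it.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\<PLACEHOLDER-64-bit-config-key>]
"EnableCertPaddingCheck"=dword:00000001

[HKEY_LOCAL_MACHINE\<PLACEHOLDER-32-bit-config-key>]
"EnableCertPaddingCheck"="1"
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# Type prefixes used by the .reg text format for hex-encoded data.
HEX_TYPES = {"": "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ", "b": "REG_QWORD"}


def reg_type(data):
    """Map the right-hand side of a .reg value line to its registry type."""
    if data.lower().startswith("dword:"):
        return "REG_DWORD"
    if data.startswith('"'):
        return "REG_SZ"
    m = re.match(r"hex(?:\(([0-9a-f]+)\))?:", data, re.I)
    return HEX_TYPES.get((m.group(1) or "").lower(), "OTHER") if m else "OTHER"


def check_reg_text(text, value_name="EnableCertPaddingCheck"):
    """Return one result per key that sets value_name; ok only for REG_DWORD."""
    results, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember which key the next values belong to
            continue
        m = VALUE_RE.match(line)
        if m and m.group("name").lower() == value_name.lower():
            found = reg_type(m.group("data"))
            results.append({"key": key, "type": found, "ok": found == "REG_DWORD"})
    return results


if __name__ == "__main__":
    for r in check_reg_text(SAMPLE_REG):
        print("OK  " if r["ok"] else "FAIL", r["type"], r["key"])
```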
And, unusually, we have three kernel-mode updates (CVE-2024-43511, CVE-2024-43516 and CVE-2024-43528) which were re-released in October and updated this month. These security vulnerabilities involve a race condition in Microsoft Virtualization-Based Security (VBS). It is worth checking the mitigation strategies while thoroughly testing these low-level kernel patches.
Test guide
Each month, the Readiness team analyzes the latest Patch Tuesday updates and provides detailed, hands-on testing guidance based on a large portfolio of applications and a detailed analysis of patches and their potential impact on Windows platforms and application installations.
For this release cycle, we have grouped critical updates and required testing efforts into separate functional and product areas, including:
Networks:
- Test end-to-end VPN, Wi-Fi, sharing, and Bluetooth scenarios.
- Try out HTTP clients over SSL.
- Make sure the Internet Shortcut Files (ICS) display correctly.
Security/crypto:
- After you install the November update on your certificate authority (CA), ensure that certificate enrollment and renewal proceed as expected.
- Test Windows Defender Application Control (WDAC) and make sure line-of-business applications are not blocked. Make sure WDAC works as expected on your virtual machines (VMs).
File system and registry:
- The NTFileCopyChunk API has been updated and will require internal application testing if used directly. Test the validity of your parameters and issues related to directory notification.
I can’t claim to have any nostalgia for dial-up Internet access (although I have a certain Pavlovian response to the dial-up handshake sound). For those still using this method to access the Internet, the November update of the TAPI API has you in mind. A “quick” test (haha) is required to ensure you can still connect to the Internet via dial-up once you upgrade your system.
Application updates and Windows lifecycle
There were no security or product applications in this cycle. However, we have the following Microsoft products reaching the end of their respective terms of service:
- October 8, 2024: Windows 11 Enterprise and Education version 21H2, Windows 11 Home and Pro version 22H2, Windows 11 IoT Enterprise version 21H2.
- October 9, 2024: Microsoft Project 2024 (LTSC)
Mitigations and solutions
Microsoft published the following mitigations applicable to this Patch Tuesday.
- CVE-2024-49019: Active Directory Certificate Services Elevation of Privilege Vulnerability. As this vulnerability has been publicly disclosed, we must take it seriously. Microsoft has offered some mitigation strategies to use during upgrade/testing/deployment for most businesses, including:
  - Remove overly broad enrollment or auto-enrollment permissions.
  - Delete unused certification authority templates.
  - Secure templates that allow you to specify the subject in the request.
Since most companies use Microsoft Active Directory, we highly recommend a review of this knowledge note from Microsoft.
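The three CVE-2024-49019 mitigations listed above, expressed as an audit over a certificate template inventory. This is an added example, not Microsoft's or the article's code; the template names, CA name, ACL entries, the set of "broad" principals and the severity labels are constructed assumptions.

```python
# Added example: all template data below is constructed for illustration.
ENROLLEE_SUPPLIES_SUBJECT = 0x1  # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (msPKI-Certificate-Name-Flag)
# Assumption: which principals count as "overly broad" is a local policy decision.
BROAD_PRINCIPALS = {"authenticated users", "domain users", "domain computers", "everyone"}
ENROLL_RIGHTS = {"Enroll", "AutoEnroll"}

# Hypothetical inventory: name flag, CAs publishing the template, (principal, right) pairs.
TEMPLATES = [
    {"name": "LegacyWebServer", "name_flag": 0x1, "published_on": ["CORP-CA1"],
     "acl": [("Authenticated Users", "Enroll"), ("PKI Admins", "FullControl")]},
    {"name": "UserAutoEnroll", "name_flag": 0x0, "published_on": ["CORP-CA1"],
     "acl": [("Domain Users", "AutoEnroll")]},
    {"name": "OldVPN", "name_flag": 0x1, "published_on": [],
     "acl": [("VPN Operators", "Enroll")]},
    {"name": "CodeSigning", "name_flag": 0x0, "published_on": ["CORP-CA1"],
     "acl": [("Release Engineers", "Enroll")]},
]


def audit_template(t):
    """Check one template against the three mitigations; return severity and findings."""
    broad = sorted({p for p, right in t["acl"]
                    if right in ENROLL_RIGHTS and p.lower() in BROAD_PRINCIPALS})
    supplies = bool(t["name_flag"] & ENROLLEE_SUPPLIES_SUBJECT)
    published = bool(t["published_on"])
    findings = []
    if broad:                       # mitigation 1: overly broad (auto-)enrollment
        findings.append("broad-enrollment:" + ",".join(broad))
    if not published:               # mitigation 2: template no CA issues from
        findings.append("unused-template")
    if supplies:                    # mitigation 3: subject supplied in the request
        findings.append("subject-supplied-in-request")
    # Assumed severity rule: a published template combining 1 and 3 goes first.
    if broad and supplies and published:
        severity = "high"
    else:
        severity = "review" if findings else "ok"
    return {"name": t["name"], "severity": severity, "findings": findings}


def audit(templates):
    """Audit every template, most urgent first."""
    order = {"high": 0, "review": 1, "ok": 2}
    rows = [audit_template(t) for t in templates]
    return sorted(rows, key=lambda r: (order[r["severity"]], r["name"]))


if __name__ == "__main__":
    for row in audit(TEMPLATES):
        print(row["severity"], row["name"], row["findings"])
```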
Each month, we divide the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange Server;
- Microsoft development platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe (if you get this far).
Browsers
Microsoft released a single specific update for Microsoft Edge (CVE-2024-49025) and two updates to the Chromium engine that underpins the browser (CVE-2024-10826 and CVE-2024-10827). There is a brief note on the browser update here. We recommend adding these low-profile browser updates to your standard release schedule.
Windows
Microsoft released two patches rated critical (CVE-2024-43625 and CVE-2024-43639) and 35 other patches rated important. The following key Windows features were updated this month:
- Windows Update stack (note: installer rollbacks can be a problem);
- NT operating system, Secure Kernel and GDI;
- Microsoft Hyper-V;
- Networks, SMB and DNS;
- Windows Kerberos.
Unfortunately, the following Windows vulnerabilities have been publicly disclosed or reported as exploited in the wild, making them zero-day problems:
- CVE-2024-43451: NTLM Hash Disclosure Spoofing Vulnerability.
- CVE-2024-49019: Active Directory Certificate Services Elevation of Privilege.
- CVE-2024-49039: Windows Task Scheduler elevation of privilege vulnerability.
Add these Windows updates to your “Patch Now” release cadence.
Microsoft Office
Microsoft released six Microsoft Office updates (all considered major) affecting SharePoint, Word, and Excel. None of these reported vulnerabilities involve remote access or issues with the Preview Pane, and none have been publicly disclosed or exploited in the wild. Add these updates to your standard release schedule.
Microsoft SQL Server (nee Exchange)
Want Microsoft SQL Server updates? We’ve got them: 31 patches for the SQL Server Native client this month. That’s a lot of patches, even for a complex product like Microsoft SQL Server. These updates appear to be the result of a major cleanup effort by Microsoft that addressed the following reported security vulnerabilities:
The vast majority of these SQL Server Native Client updates address CWE-122 problems related to buffer overflow. Note: These patches update the SQL Native client, so this is a desktop update, not a server update. Putting together a test profile for this is a difficult decision. No new features have been added and no high-risk areas have been patched. However, many internal line-of-business applications depend on these SQL client functions. We recommend that your core business applications be tested before this SQL update; otherwise, add them to your standard release schedule.
Boot note: Remember that there is an important revision to CVE-2024-49040; this could affect the “server” side of SQL Server.
Microsoft development platforms
Microsoft released an update with a critical rating (CVE-2024-43498) and three updates considered important for Microsoft .NET 9 and Visual Studio 2022. These are fairly low-risk security vulnerabilities and very specific to these versions of the development platforms. They should present a reduced test profile. Add these updates to your standard developer schedule this month.
Adobe Reader (and other third-party updates)
Microsoft did not release any updates related to Adobe Reader this month. The company released three non-Microsoft CVEs covering Google Chrome and SSH (CVE-2024-5535). Given the update to Windows Defender (as a result of the SSH issue), Microsoft also published a list of Defender vulnerabilities and weaknesses that could help you with your deployments.