November 2024 Patch Tuesday: 89 Vulnerabilities Addressed, Major Threats Identified

  • Thread Author
Every second Tuesday of the month, a certain sense of dread rises amongst Windows users. This is the day Microsoft releases its cumulative patches, lovingly dubbed "Patch Tuesday." And as of November 2024, this batch is no small potato; a whopping 89 patches affecting 14 product families were issued, with a particular spotlight on Windows components. The metaphorical spigot of software security now flows with fresh fixes, making it crucial for users to stay informed and proactive.

The Scope of the Update​

By the Numbers​

The latest Patch Tuesday event has led to:
  • Total CVEs Addressed: 89
  • Publicly Disclosed Vulnerabilities: 3
  • Exploits Detected: 2
Severity has ranged from critical to moderate, with 3 critical, 85 important, and 3 moderate vulnerabilities. These updates are not just for show; they represent significant threats that could lead to Remote Code Execution (RCE), Denial of Service (DoS), and even Elevation of Privilege (EoP). Here's the breakdown:
  • Remote Code Execution (RCE): 52 vulnerabilities
  • Elevation of Privilege (EoP): 27 vulnerabilities
  • Denial of Service (DoS): 4 vulnerabilities
  • Spoofing: 3 vulnerabilities
  • Security Feature Bypass: 2 vulnerabilities
  • Information Disclosure: 1 vulnerability

Critical Threats to Address​

Two of the vulnerabilities (CVE-2024-49039 and CVE-2024-43451) are already found to be exploited in the wild. The first, a serious EoP vulnerability with a CVSS score of 8.8, poses a grave risk to organizations. The second, rated at 6.5, allows attackers to exploit systems that have been compromised already.
In total, 31 vulnerabilities are related to SQL Server, illustrating the enormous responsibility administrators and businesses have to ensure their SQL instances are secure. Other affected product families include Microsoft 365 Apps, Visual Studio, and even Azure, signalling an expansive risk landscape.

Noteworthy Vulnerabilities and Specific Cases​

Here are a few of the key vulnerabilities users should take particular notice of:
  • CVE-2024-5535: An RCE in OpenSSL, with a staggering CVSS base score of 9.1. What's alarming is that this vulnerability can be exploited via email, even if the target user does not take action on a potentially malicious message. This indicates that the threat model has evolved; attackers don’t even need their victims to take the bait!
  • CVE-2024-49040: A critical spoofing vulnerability in Microsoft Exchange Server, it has the potential to affect countless enterprises relying on this service for secure communication.
  • CVE-2024-43625: A critical EoP vulnerability in Windows VMSwitch, potentially allowing attackers to gain higher privileges on compromised systems.

The Importance of Timely Updates​

Patch Tuesday is like a monthly reminder to check in with your system's health. In light of the escalating threats, especially concerning ransomware and widespread cyberattacks, regular updates have transitioned from "good practice" to "vital necessity."
Users can download these updates manually if the automatic windows update cycle seems sluggish. After running winver.exe to check system builds, visiting the Windows Update Catalog will allow users to find specific cumulative update packages for their architecture and build.

A Broader Context​

As we approach the end of 2024, it’s worth noting that this year has already surpassed last year's total vulnerabilities patched, with 942 in 2024 against 931 in 2023. This spike serves as a wake-up call, reminding us that as cyber threats evolve, so do the efforts needed to combat them.

Security Is a Shared Responsibility​

With this month’s extensive updates, organizations and users alike should be practicing rigorous security hygiene, acting swiftly to implement these patches. As we march further into the digital age, understanding these vulnerabilities—and your role in addressing them—cannot be overstated.
In summary, don’t let November’s heavy patch load bring you down! Stay informed, update your systems, and remain vigilant against potential threats. The safety of your digital realm depends on it!

Source: Sophos News November Patch Tuesday loads up everyone’s plate