Microsoft today released updates to plug at least 89 security holes in its Windows operating systems and other software. November’s patch batch includes fixes for two zero-day vulnerabilities that are already being exploited by attackers, as well as two other flaws that were publicly disclosed prior to today.
The zero-day flaw tracked as CVE-2024-49039 is a bug in the Windows Task Scheduler that allows an attacker to increase their privileges on a Windows machine. Microsoft credits Google’s Threat Analysis Group with reporting the flaw.
The second bug fixed this month that is already seeing in-the-wild exploitation is CVE-2024-43451, a spoofing flaw that could reveal Net-NTLMv2 hashes, which are used for authentication in Windows environments.
Satnam Narang, senior staff research engineer at Tenable, says the danger with stolen NTLM hashes is that they enable so-called “pass-the-hash” attacks, which let an attacker masquerade as a legitimate user without ever having to log in or know the user’s password. Narang notes that CVE-2024-43451 is the third NTLM zero-day so far this year.
“Attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes, as they can be used to authenticate to systems and potentially move laterally within a network to access other systems,” Narang said.
The two other publicly disclosed weaknesses Microsoft patched this month are CVE-2024-49019, an elevation of privilege flaw in Active Directory Certificate Services (AD CS); and CVE-2024-49040, a spoofing vulnerability in Microsoft Exchange Server.
Ben McCarthy, lead cybersecurity engineer at Immersive Labs, called special attention to CVE-2024-43639, a remote code execution vulnerability in Windows Kerberos, the authentication protocol that is heavily used in Windows domain networks.
“This is one of the most threatening CVEs from this patch release,” McCarthy said. “Windows domains are used in the majority of enterprise networks, and by taking advantage of a cryptographic protocol vulnerability, an attacker can perform privileged acts on a remote machine within the network, potentially giving them eventual access to the domain controller, which is the goal for many attackers when attacking a domain.”
McCarthy also pointed to CVE-2024-43498, a remote code execution flaw in .NET and Visual Studio that could be used to install malware. This bug has earned a CVSS severity rating of 9.8 (10 is the worst).
Finally, at least 29 of the updates released today tackle memory-related security issues involving SQL server, each of which earned a threat score of 8.8. Any one of these bugs could be used to install malware if an authenticated user connects to a malicious or hacked SQL database server.
For a more detailed breakdown of today’s patches from Microsoft, check out the SANS Internet Storm Center’s list. For administrators in charge of managing larger Windows environments, it pays to keep an eye on Askwoody.com, which frequently points out when specific Microsoft updates are creating problems for a number of users.
As always, if you experience any problems applying any of these updates, consider dropping a note about it in the comments; chances are excellent that someone else reading here has experienced the same issue, and maybe even has found a solution.
Got the message “Get the newer version of windows to stay up to date. Your version of windows has reached end of service.” Comes up on windows update page.
I have Windows 11 Pro 23H2 Installed 27/08/2024 22631.4460 Windows Feature Experience Pack 1000.22700.1047.
Hopeless.
Lol I wonder if someone forgot to change the year on the end of support. Supposed to be Nov 11 2025, but maybe they accidently set it to Nov 11 2024.
Feel lucky it didn’t update you to server 2025.
You linked the wrong CVE to Ben for Kerberos, it is actually https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43639
Interesting, Bruce. You have a slightly newer system package installed than I do, yet we get the exact message. Try to stay hopeful, the IT sector – as are many other sectors – are in constant and even more rapid flux these days especially in the polycrisis as I’m sure you’re already well spun up on. I’m trying to find silver linings where possible; for example, in spite of the “end of service” message with a slightly older system package than yours, I’m still getting system updates.
Take what you want from this: I’ve found it quite helpful to report these technical glitches to the companies’ service centers/help desks. Some 3rd party software such as antivirus, antimalware, communications, etc., etc. can cause interference and glitches especially if they reside on the cloud versus locally. These companies and their personnel are just not as omnipotent as we assume they are unless we, the community of users, communicate aberrations with them. Doing so will help them help us (better at least, though ideally I think we all wish for instantaneous fixes). It’s similar to a visit to the doctor: communicate what’s been happening, how long has it been going on, describe the signs and symptoms, when it happens, and detail the steps of what you’ve done to try to remedy it.