For November, Patch Tuesday includes three Windows zero-day fixes

Microsoft’s November Patch Tuesday release addresses 89 vulnerabilities in Windows, SQL Server, .NET and Microsoft Office — and three zero-day vulnerabilities (CVE-2024-43451, CVE-2024-49019 and CVE-2024-49039) that mean a patch now recommendation for Windows platforms. Unusually, there are a significant number of patch “re-releases” that might also require administrator attention. 

The team at Readiness has provided this infographic outlining the risks associated with each of the updates for this cycle.  (For a rundown of recent Patch Tuesday updates, see Computerworld‘s round-up here.

Known issues 

There were a few reported issues for the September update that have been addressed now, including:

• Enterprise customers are reporting issues with the SSH service failing to start on updated Windows 11 24H2 machines. Microsoft recommended updating the file/directory level permissions on the SSH program directories (remember to include the log files). You can read more about this official workaround here. 

It looks like we are entering a new age of ARM compatibility challenges for Microsoft. However, before we get ahead of ourselves, we really need to sort out the (three-month old) Roblox issue.

Major revisions 

This Patch Tuesday includes the following major revisions: 

• CVE-2013-390: WinVerifyTrust Signature Validation Vulnerability. This update was originally published in 2013 via TechNet. This update is now made available and is applicable to Windows 10 and 11 users due to a recent change in the EnableCertPaddingCheck Windows API call. We highly recommend a review of this CVE and its associated Q&A documentation. Remember: if you must set your values in the registry, ensure that they are type DWORD not Reg SZ.
• CVE-2024-49040: Microsoft Exchange Server Spoofing Vulnerability. When Microsoft updates a CVE (twice) in the same week, and the vulnerability has been publicly disclosed, it’s time to pay attention. Before you apply this Exchange Server update, we highly recommend a review of the reportedheader detection issues and mitigating factors.

And unusually, we have three kernel mode updates (CVE-2024-43511, CVE-2024-43516 and CVE-2024-43528 that were re-released in October and updated this month.  These security vulnerabilities exploit a race condition in Microsoft’s Virtualization Based Security (VBS). It’s worth a review of the mitigating strategies while you thoroughly test these low-level kernel patches. 

Testing guidance

Each month, the Readiness team analyzes the latest Patch Tuesday updates and provides detailed, actionable testing guidance based on a large application portfolio and a detailed analysis of the patches and their potential impact on Windows platforms and application installations.

For this release cycle, we have grouped the critical updates and required testing efforts into separate product and functional areas including:

Networking: 

• Test end-to-end VPN, Wi-Fi, sharing and Bluetooth scenarios. 
• Test out HTTP clients over SSL.
• Ensure internet shortcut files (ICS) display correctly

Security/crypto: 

• After installing the November update on your Certificate Authority (CA) servers, ensure that enrollment and renewal of certificates perform as expected.
• Test Windows Defender Application Control (WDAC) and ensure that line-of-business apps are not blocked. Ensure that WDAC functions as expected on your Virtual Machines (VM).

Filesystem and logging:

• The NTFileCopyChunk API was updated and will require internal application testing if directly employed. Test the validity of your parameters and issues relating to directory notification.

I cannot claim to have any nostalgia for dial-up internet access (though I do have a certain Pavlovian response to the dial-up handshake sound). For those who are still using this approach to access the internet, the November update to the TAPI API has you in mind. A “quick” (haha) test is required to ensure you can still connect to the internet via dial-up once you update your system.

Windows lifecycle and enforcement updates

There were no product or security enforcements this cycle. However, we do have the following Microsoft products reaching their respective end of servicing terms:

• Oct. 8, 2024: Windows 11 Enterprise and Education, Version 21H2, Windows 11 Home and Pro, Version 22H2, Windows 11 IoT Enterprise, Version 21H2.
• Oct. 9, 2024: Microsoft Project 2024 (LTSC)

Mitigations and workarounds 

Microsoft published the following mitigations applicable to this Patch Tuesday.

• CVE-2024-49019: Active Directory Certificate Services Elevation of Privilege Vulnerability. As this vulnerability has been publicly disclosed, we need to take it seriously. Microsoft has offered some mitigation strategies during the update/testing/deployment for most enterprises that include:
• Remove overly broad enroll or auto-enroll permissions.
• Remove unused templates from certification authorities.
• Secure templates that allow you to specify the subject in the request.

As most enterprises employ Microsoft Active Directory, we highly recommend a review of this knowledge note from Microsoft. 

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: 

• Browsers (Microsoft IE and Edge);
• Microsoft Windows (both desktop and server); 
• Microsoft Office;
• Microsoft Exchange Server;
• Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
• Adobe (if you get this far).

Browsers 

Microsoft released a single update specific to Microsoft Edge (CVE-2024-49025), and two updates for the Chromium engine that underpins the browser (CVE-2024-10826 and CVE-2024-10827). There’s a brief note on the browser update here. We recommend adding these low-profile browser updates to your standard release schedule.

Windows 

Microsoft released two (CVE-2024-43625 and CVE-2024-43639) patches with a critical rating and another 35 patches rated as important by Microsoft. This month the following key Windows features have been updated:

• Windows Update Stack (note: installer rollbacks may be an issue);
• NT OS, Secure Kernel and GDI;
• Microsoft Hyper-V;
• Networking, SMB and DNS;
• Windows Kerberos.

Unfortunately, these Windows updates have been publicly disclosed or reported as exploited in the wild, making them zero-day problems:

• CVE-2024-43451: NTLM Hash Disclosure Spoofing Vulnerability.
• CVE-2024-49019: Active Directory Certificate Services Elevation of Privilege.
• CVE-2024-49039: Windows Task Scheduler Elevation of Privilege Vulnerability.

Add these Windows updates to your Patch Now release cadence. 

Microsoft Office 

Microsoft pushed out six Microsoft Office updates (all rated important) that affect SharePoint, Word and Excel. None of these reported vulnerabilities involve remote access or preview pane issues and have not been publicly disclosed or exploited in the wild. Add these updates to your standard release schedule.

Microsoft SQL (nee Exchange) Server 

You want updates to Microsoft SQL Server? We got ‘em: 31 patches to the SQL Server Native client this month. That’s a lot of patches, even for a complex product like Microsoft SQL Server. These updates appear to be the result of a major clean-up effort from Microsoft addressing the following reported security vulnerabilities:

• CWE-122: Heap-based Buffer Overflow
• CWE-416: Use After Free

The vast majority of these SQL Server Native Client updates address the CWE-122 related buffer overflow issues. Note: these patches update the SQL Native client, so this is a desktop, not a server, update. Crafting a testing profile for this one is a tough call. No new features have been added, and no high-risk areas have been patched. However, many internal line-of-business applications rely on these SQL client features. We recommend that your core business applications be tested before this SQL update, otherwise add it to your standard release schedule. 

Boot note: Remember that there is a major revision to CVE-2024-49040 — this could affect the SQL Server “server” side of things.

Microsoft development platforms

Microsoft released one critical-rated update (CVE-2024-43498) and three updates rated as important for Microsoft .NET 9 and Visual Studio 2022. These are pretty low-risk security vulnerabilities and very specific to these versions of the development platforms. They should present a reduced testing profile. Add these updates to your standard developer schedule this month.

Adobe Reader (and other third-party updates)

Microsoft did not publish any Adobe Reader-related updates this month. The company  released three non-Microsoft CVEs covering Google Chrome and SSH (CVE-2024-5535). Given the update to Windows Defender (as a result of the SSH issue), Microsoft also published a list of Defender vulnerabilities and weaknesses that might assist with your deployments.