November 15, 2024

Microsoft's November 2024 Patch Tuesday: four zero-days worth patching now

Microsoft's November 2024 Patch Tuesday fixed 91 vulnerabilities, including four zero-days. Two were already being exploited in the wild, so this was not one to put off. If you run Windows, here is what mattered and why.

The headline issues were an NTLM hash disclosure bug and a privilege escalation flaw in Windows Task Scheduler, both of which can hand an attacker more access than they should have. Windows 10 and 11 machines were the ones to patch first.

The four zero-days

  • CVE-2024-49039. Found by Google's Threat Analysis Group. A specially crafted application can raise its own privileges and reach parts of the system it should not. The attacker first has to get that app onto the machine, but the payoff is high.
  • CVE-2024-43451. Flagged by ClearSky. A user clicking, or even right-clicking, a malicious file can leak their NTLMv2 hash, which is most of the way to their credentials. Microsoft later said it may not have been actively exploited, but it is still worth closing.
  • CVE-2024-49040. An Exchange Server flaw that lets an attacker spoof the sender of an email, so a phishing message can look like it came from your boss.
  • CVE-2024-49019. Abuse of old version 1 certificate templates to gain domain administrator rights. That is about as bad as access gets.

What to actually do

  • Patch. Get the November 2024 updates onto every Windows machine and server, not just the easy ones.
  • Remind your team that a single click is enough for some of these, so train on suspicious files and emails.
  • Tighten access so one compromised account cannot reach everything.

Zero-days are valuable to attackers precisely because there is no fix yet, so the gap between a patch dropping and you installing it is the risky part. Staying current with patches is still one of the cheapest, most effective things you can do. If patching across your machines keeps falling through the cracks, that is something I manage for clients.

References: the Microsoft update guide and the MSRC November 2024 release notes.