Welcome to the Patch Tuesday update for November 2024, which lists fixes for 89 vulnerabilities. This month, there are four zero-day vulnerabilities, of which two are being actively exploited.

After an initial discussion about this month’s updates, we’ll offer our advice for devising a plan to handle patch management in a hybrid work environment. You can also register for our free Patch Tuesday webinar and listen to our experts break down Patch Tuesday updates in detail.

What is Patch Tuesday?

Patch Tuesday falls on the second Tuesday of every month. On this day, Microsoft releases security and non-security updates for its operating system and other related applications. Since Microsoft has upheld this process of releasing updates in a periodic manner, IT admins expect these updates and have time to gear up for them.

Why is Patch Tuesday important?

Important security updates and patches to fix critical bugs or vulnerabilities are released on Patch Tuesday. Usually, zero-day vulnerabilities are also fixed during Patch Tuesday unless the vulnerability is critical and highly exploited, in which case an out-of-band security update is released to address that particular vulnerability.

November 2024 Patch Tuesday

Security updates lineup  

Here is a breakdown of the vulnerabilities fixed this month:

CVE IDs: 89

Republished CVE IDs: 3 (more details on this below)

Security updates were released for the following products, features, and roles:

  • Windows Package Library Manager

  • SQL Server

  • Microsoft Virtual Hard Drive

  • Windows SMBv3 Client/Server

  • Windows USB Video Driver

  • Microsoft Windows DNS

  • Windows NTLM

  • Windows Registry

  • .NET and Visual Studio

  • Windows Update Stack

  • LightGBM

  • Azure CycleCloud

  • Azure Database for PostgreSQL

  • Windows Telephony Service

  • Windows NT OS Kernel

  • Role: Windows Hyper-V

  • Windows VMSwitch

  • Windows DWM Core Library

  • Windows Kernel

  • Windows Secure Kernel Mode

  • Windows Kerberos

  • Windows SMB

  • Windows CSC Service

  • Windows Defender Application Control (WDAC)

  • Windows Active Directory Certificate Services

  • Microsoft Office Excel

  • Microsoft Graphics Component

  • Microsoft Office Word

  • Windows Task Scheduler

  • Microsoft Exchange Server

  • Visual Studio

  • Windows Win32 Kernel Subsystem

  • TorchGeo

  • Visual Studio Code

  • Microsoft PC Manager

  • Airlift.microsoft.com

 Learn more in the MSRC’s release notes.

Details of the zero-day vulnerabilities

Vulnerable component: Windows NTLM

Impact: Spoofing

CVSS 3.1: 6.5

This critical zero-day vulnerability enables attackers to capture a user’s NTLMv2 hash with minimal user interaction. This presents a security risk as it could allow unauthorized access to network resources. By simply selecting or right-clicking a malicious file, users may expose their NTLMv2 hash which could be used by an attacker to exploit for unauthorized authentication.

Speaking of the mitigation, Microsoft has issued an essential security patch to address this flaw, and users are strongly prompted to apply the latest patches/updates immediately. Enterprises and organizations should also educate the end users on the risks of interacting with unsolicited files. 

This vulnerability has been publicly disclosed and is being actively exploited.

Vulnerable component: Windows Task Scheduler

Impact: Elevation of Privilege

CVSS 3.1: 8.8

This zero-day vulnerability allows attackers to execute unauthorized code or gain access to resources at a higher privilege level than what’s typically allowed in a low-privilege AppContainer environment.

Threat actors can exploit this vulnerability to escalate privileges, permitting them to perform Remote Procedure Call functions which are normally restricted to privileged accounts and affect the Windows systems that rely on Task Scheduler.

This vulnerability is being actively exploited.

Vulnerable component: Microsoft Exchange Server

Impact: Spoofing

CVSS 3.1: 7.5

While Microsoft is aware of this vulnerability, much has not yet been released in the MSRC blog. However, they have released additional information about the steps to be performed or actions to be taken after the update.

This vulnerability has been publicly disclosed.

Vulnerable component: Windows Active Directory Certificate Services

Impact: Elevation of privilege

CVSS 3.1: 7.8

This zero-day is commonly referred to as ESC15 or “EKUwu.” By leveraging this vulnerability, attackers can exploit misconfigurations within certificate templates. This would potentially lead to unauthorized access and privilege escalation in the affected systems. By manipulating the Enhanced Key Usage (EKU) extensions, threat actors can also obtain certificates, providing them with elevated privileges.

This vulnerability has been publicly disclosed.

Third-party updates released after last month’s Patch Tuesday

Some third-party vendors such as Adobe, Cisco, Citrix, Dell, Siemens, SAP and Ivanti have also released updates this November.

Republished CVE IDs

Besides the vulnerabilities fixed in this month’s Patch Tuesday, Microsoft has also republished four CVE IDs. These are as follows:

Best practices to handle patch management in a hybrid work environment

Most organizations have opted to embrace remote work even after they have been cleared to return to the office. This decision poses various challenges to IT admins, especially in terms of managing and securing distributed endpoints.

Here are a few pointers to simplify the process of remote patching:

  • Disable automatic updates because one faulty patch could bring down the whole system. IT admins can educate end users on how to disable automatic updates on their machines. Patch Manager Plus and Endpoint Central also have a dedicated patch, 105427, that can be deployed to endpoints to ensure that automatic updates are disabled.
  • Create a restore point—a backup or image that captures the state of the machines—before deploying big updates like those from Patch Tuesday.
  • Establish a patching schedule and keep end users informed about it. It is recommended to set up a time for deploying patches and rebooting systems. Let end users know what needs to be done on their end for trouble-free patching.
  • Test the patches on a pilot group of systems before deploying them to the production environment. This will ensure that the patches do not interfere with the workings of other applications.
  • Since many users are working from home, they all might be working different hours; in this case, you can allow end users to skip deployment and scheduled reboots. This will give them the liberty to install updates at their convenience and avoid disrupting their work. Our patch management products come with options for user-defined deployment and reboot.
  • Most organizations are deploying patches using a VPN. To stop patch tasks from eating up your VPN bandwidth, install Critical patches and security updates first. You might want to hold off on deploying feature packs and cumulative updates since they are bulky updates and consume a lot of bandwidth.
  • Schedule the non-security updates and security updates that are not rated Critical to be deployed after Patch Tuesday, such as during the third or fourth week of the month. You can also choose to decline certain updates if you feel they are not required in your environment.
  • Run patch reports to get a detailed view of the health status of your endpoints.

For machines belonging to users returning to the office after working remotely, check if they are compliant with your security policies. If not, quarantine them. Install the latest updates and feature packs before deeming your back-to-office machines fit for production. Take inventory of and remove apps that are now obsolete for your back-to-office machines, like remote collaboration software.

With Endpoint CentralPatch Manager Plus, or Vulnerability Manager Plus, you can completely automate the entire process of patch management, from testing patches to deploying them. You can also tailor patch tasks according to your current needs. For a hands-on experience with either of these products, try a free, 30-day trial and keep thousands of applications patched and secure.

Want to learn more about Patch Tuesday updates? Join our experts as they break down this month’s Patch Tuesday updates and offer in-depth analysis. You can also ask our experts questions and get answers to all your Patch Tuesday questions. Register for our free Patch Tuesday webinar.

Ready, get set, patch!