Microsoft fixes dozens of security flaws in Windows and Office
November’s Patch Tuesday has finally come, and with it Microsoft has eliminated 89 security vulnerabilities across Windows and other Microsoft apps and services. Four of those vulnerabilities are classified as “critical” and all but one of the remaining vulnerabilities are “high risk.”
According to Microsoft, two of the Windows vulnerabilities were already being exploited in the wild, and six of the flaws fixed in this release count as zero-days (already exploited or publicly known before a fix was available). Even without December's figures, 2024 already ranks as the year with the second-highest number of vulnerabilities patched.
Microsoft's Security Update Guide gives little detail on these vulnerabilities, but Dustin Childs covers them much more clearly on the Zero Day Initiative blog, always with an eye for admins who manage corporate networks.
On top of all this, Microsoft has released a new version of the Windows Malicious Software Removal Tool, which scans the system for prevalent malware families, removes what it finds, and undoes the changes those families made where it can.
Windows security flaws patched
A large proportion of the overall vulnerabilities patched — 37 in total — were spread across various Windows versions, including Windows 10, Windows 11, and Windows Server.
Windows 7 and Windows 8.1 no longer receive security updates, so they are likely still exposed to many of these flaws. If your hardware meets the requirements, upgrade to Windows 10 (22H2) or Windows 11 (23H2) to keep receiving security updates.
Note that Windows 10 support ends in October 2025, so you may want to skip it and go straight to Windows 11 if you can. And while the Windows 11 24H2 update is already available, it is causing all kinds of problems, so you might want to stick with 23H2 for now.
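To see where a given machine stands, here is an added PowerShell example (written for this page, not code from the article or from Microsoft). It reports the Windows build, whether that build is still in security servicing, and which updates have been installed since the November 2024 Patch Tuesday (12 November 2024). The build-to-release table and the date are assumptions you should adjust for your own fleet; Server and LTSC builds are deliberately left out of the table. Run it from an elevated PowerShell prompt.

```powershell
# Added example: report Windows build, servicing status, and updates installed
# since a given Patch Tuesday. Not part of the article; adjust the assumptions below.
param(
    # Assumption: the Patch Tuesday date you are checking against.
    [datetime]$PatchTuesday = '2024-11-12'
)

# Assumption: client builds still in security servicing when this was written.
# Windows 11 22H2 (build 22621) is omitted because Home/Pro servicing has ended
# while Enterprise/Education continues; Server and LTSC builds are not listed.
$supportedBuilds = @{
    19045 = 'Windows 10 22H2 (security updates end October 2025)'
    22631 = 'Windows 11 23H2'
    26100 = 'Windows 11 24H2'
}

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
# UBR is the revision number; the cumulative update raises it every month.
$ubr   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR

Write-Host ("OS: {0}  build {1}.{2}" -f $os.Caption, $build, $ubr)

if ($supportedBuilds.ContainsKey($build)) {
    Write-Host ("Servicing: supported - {0}" -f $supportedBuilds[$build])
} elseif ($build -lt 10240) {
    # Windows 7 (7601) and Windows 8.1 (9600) fall here.
    Write-Warning 'Pre-Windows 10 build: no longer receives security updates. Upgrade.'
} else {
    Write-Warning 'Build is not in the supported-build table above; verify its servicing status.'
}

# Updates installed on or after Patch Tuesday. The month's cumulative update is
# what carries the fixes; if nothing is listed, the machine has not received it.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
    Sort-Object InstalledOn -Descending

if ($recent) {
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning ("No updates installed since {0:yyyy-MM-dd}. Run Windows Update." -f $PatchTuesday)
}
```

Get-HotFix only lists component-based updates, so a missing entry after a successful install usually means the machine has not rebooted yet; the UBR in the first line is the quicker check once you know the revision the month's cumulative update sets for your build.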
Critical Windows security vulnerabilities
According to Microsoft, two Windows vulnerabilities are already under attack. CVE-2024-43451 is a spoofing flaw in the legacy MSHTML platform that discloses the user's NTLMv2 hash; an attacker who captures that hash can use it to authenticate as the user. CVE-2024-49039 is an elevation-of-privilege bug in the Windows Task Scheduler that lets code running in a low-privilege AppContainer escape to medium integrity and call functions normally restricted to privileged accounts. Chained with other flaws that grant higher rights, such an attack could have a far greater impact.
Microsoft rates the RCE (Remote Code Execution) vulnerability CVE-2024-43639 in the Kerberos protocol as critical, because an unauthenticated attacker could execute code remotely without any user interaction. As Kerberos runs with elevated privileges, this bug could be wormable (meaning malicious code could spread from server to server across a network).
The RCE vulnerability CVE-2024-43498 in .NET and Visual Studio, also rated critical, lets an unauthenticated attacker inject and execute code by sending a specially crafted request to a vulnerable .NET web app, or by getting a vulnerable desktop app to load a specially crafted file.
Microsoft also fixed seven vulnerabilities in the Windows Telephony Service: six RCE vulnerabilities and one EoP (Elevation of Privilege) vulnerability.
Office security flaws patched
Microsoft has eliminated eight vulnerabilities across its Office products: seven RCE vulnerabilities, five of them in Excel, and one SFB (Security Feature Bypass) vulnerability in Word that lets a specially crafted document bypass Office Protected View.
SQL Server security flaws patched
Microsoft's SQL Server alone accounts for more than a third of the vulnerabilities patched in November: 31 RCE vulnerabilities, all categorized as high risk.
Because the flaws sit in the client-side drivers, an attack in most cases requires a vulnerable client to connect to an attacker-controlled or tampered SQL Server, which limits the practical exposure. CVE-2024-49043 is different: read its advisory, because the OLE DB driver must be updated in addition to SQL Server itself, and third-party applications that ship their own copy of the driver may need vendor updates as well.
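Since the fix for CVE-2024-49043 is only complete once the driver has been updated too, here is an added PowerShell example (written for this page, not code from the article or from Microsoft) that inventories every Microsoft OLE DB Driver for SQL Server and SQL Server Native Client install registered on a machine, and flags any that fall below a minimum version you pass in. The minimum versions are deliberately not hard-coded: take them from the CVE-2024-49043 advisory for your driver major version. The hashtable parameter name and the regular expression used to match driver names are assumptions of this example.

```powershell
# Added example: list installed SQL Server client drivers and flag outdated ones.
# Not part of the article. Minimum versions come from the advisory, not from here.
param(
    # Assumption: keys are the driver major version (18 or 19), values the minimum
    # patched version taken from the advisory, e.g.
    #   -MinimumVersion @{ 18 = '<version from advisory>'; 19 = '<version from advisory>' }
    [hashtable]$MinimumVersion = @{}
)

# Both the 64-bit and the 32-bit (WOW6432Node) uninstall hives, because an
# application may have installed the x86 driver alongside the x64 one.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$drivers = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'OLE DB Driver.*for SQL Server|SQL Server.*Native Client' } |
    ForEach-Object {
        [pscustomobject]@{
            Name    = $_.DisplayName
            Version = [version]$_.DisplayVersion
            Arch    = if ($_.PSPath -match 'WOW6432Node') { 'x86' } else { 'x64' }
        }
    }

if (-not $drivers) {
    Write-Host 'No Microsoft OLE DB Driver for SQL Server or SQL Server Native Client install found.'
    return
}

foreach ($d in $drivers) {
    $major  = $d.Version.Major
    $status = if ($d.Name -match 'Native Client') {
        # SNAC is deprecated and no longer serviced; the fix is to migrate.
        'deprecated driver; migrate to OLE DB Driver 18 or 19'
    } elseif ($MinimumVersion.ContainsKey($major)) {
        if ($d.Version -ge [version]$MinimumVersion[$major]) {
            'OK'
        } else {
            "OUTDATED - update to $($MinimumVersion[$major]) or later"
        }
    } else {
        'no minimum supplied for this major version; compare against the advisory'
    }
    '{0,-45} {1,-12} {2,-4} {3}' -f $d.Name, $d.Version, $d.Arch, $status
}
```

The uninstall hive only knows about drivers installed through their MSI. A third-party application that copies the driver DLLs into its own directory will not appear here, which is exactly the case the advisory warns about, so pair this inventory with the vendor's own update guidance for such applications.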
Further reading: Must-know Windows 11 security settings to tweak