Patch Tuesday Shenanigans: Microsoft’s Latest Vulnerabilities and Unforeseen Upgrades
Ah, it’s November Patch Tuesday — that delightful time of year when Microsoft dishes out a banquet of vulnerabilities with a side of chaos for its admin diners. Buckle up, tech aficionados, because it turns out two Windows zero-days are crashing the party, and it sounds more dramatic than my last blind date. That didn’t go well, by the way, but let’s focus on the real ‘zeroes’ here!
Microsoft Corrects Two Windows Zero-Days
First up, we’ve got a sexy little number: a zero-day with the catchy name CVE-2024-49039 lurking in the Windows Task Scheduler, an elevation-of-privilege bug rated an impressive 8.8 on the CVSS scale. It’s like finding out your office coffee machine has been secretly letting in the espresso mafia. This vulnerability affects every version of Windows 10 and later, including, surprise surprise, the shiny new Windows Server 2025. And now it’s our job to fix it. Yay.
Then there’s the second zero-day: CVE-2024-43451, an NTLM Hash Disclosure spoofing vulnerability rated a humble 6.5 CVSS that has made quite the splash. This one’s like leaving your house keys on the bar: it lets an attacker snag a user’s NTLMv2 hash, which can then be relayed or cracked offline to authenticate as that user. If you’re wondering what that means, think of it as handing the keys to your castle to a rogue jester. Spoiler alert: the castle might just become the most dangerous amusement park in town.
Chris Goettl from Ivanti is practically waving a giant red flag, saying that the rise of remote work has led to far too many users holding admin rights, a legacy of IT departments caught in a whirlwind of “support me now!” during COVID. The result? A privilege-escalation bug that lands on an account that is already an admin, with a side of potential disaster.
Microsoft Addresses Public Disclosures
Moving on, Microsoft isn’t just spilling tea; they’re spilling vulnerabilities like it’s 1999! Also on the docket is a publicly disclosed Active Directory Certificate Services vulnerability, CVE-2024-49019, rated 7.8 CVSS. Grab your popcorn: with this one, an attacker could snatch domain admin privileges! What’s even more concerning is that it affects every version of Windows Server since 2008. That’s a legacy support headache if I ever heard one!
Goettl has weighed in again, lamenting the shortage of savvy admins who can tango with this sort of infrastructure ballet. You might need a specialist to help keep your empire secure — a bit like calling in the Avengers because your TV froze at the best part of the series finale.
And let’s not overlook the Microsoft Exchange Server spoofing vulnerability, CVE-2024-49040, with a CVSS score of 7.5. Microsoft points out that an unpatched server mishandles a non-compliant sender header, so a forged sender can land in inboxes looking perfectly legitimate, and exploit code is already public. Oh, the irony! This vulnerability means your email life could turn into an all-you-can-eat buffet for not-so-great actors looking to fool that unsuspecting domain user.
Chris has also cheekily pointed out that even after a warning banner appears on a flagged email, some folks will still click through. Remember, curiosity may not just kill the cat; it’s also the reason millions fall for phishing scams, a dangerous ecosystem that thrives like a reality TV franchise!
Other Security Updates of Note for November Patch Tuesday
Let’s not ignore the OpenSSL flaw, CVE-2024-5535, that Microsoft tucked into the monthly release notes (thanks for keeping us on our toes!). In some cases an attacker can trigger it simply by sending the target a malicious email and end up running code on the victim’s system, yet it only gets labeled “important” despite an impressive 9.1 CVSS rating. Is it just me, or does that seem a tad underwhelming? Goettl argues that Microsoft probably isn’t using the problematic parts of OpenSSL or has tucked them safely away like grandma hiding her secret cookie recipe.
And it gets even better: about a third of the November updates were for SQL Server! A whopping 31 CVEs, mostly in the connection drivers, and most of them follow the same plot: trick a user into connecting to a malicious SQL Server and run code on their machine. Pretty nice, right?
Unexpected Windows Server 2025 Upgrade Hits Admins
And now, the pièce de résistance: Microsoft unleashing Windows Server 2025 on November 1st without so much as a “how do you do.” Reports of unexpected upgrades from 2019 and 2022 versions have hit admins like a rogue wave, without a rollback option in sight. Imagine waking up to find that your trusted old servers have been mysteriously upgraded, leaving you with nothing but confusion and a hefty bill for a new license — not exactly how one dreams of upgrading, is it?
Microsoft says the problem hit only organizations whose third-party desktop and server management tools pushed the upgrade. So to all the admin heroes out there: remember that pointing fingers is just a game best left to toddlers; sometimes it’s the software that needs a talking-to!
So, what have we learned today? Well, aside from learning that tech can be as unpredictable as my diet regime, it’s that staying on top of these vulnerabilities requires vigilance — like trying to find a clean pair of socks in a teenager’s room. The future may be bright, but without proper updates and patches, it could also be as bleak as the last time I tried online dating. So, literally and metaphorically, patch up, folks!
During the November Patch Tuesday, Microsoft has issued urgent advisories for organizations using Windows, urging them to promptly address two significant zero-day vulnerabilities. Particularly, enterprises operating on-premises Exchange Server must prioritize these patches to mitigate a serious spoofing vulnerability.
This latest Patch Tuesday update from Microsoft addresses a total of 88 new vulnerabilities, with four classified as critical. Among the two zero-day vulnerabilities, one has also been disclosed publicly. In total, Microsoft has released information regarding three publicly disclosed vulnerabilities.
Microsoft corrects two Windows zero-days
The first zero-day vulnerability (CVE-2024-49039) found in the Windows Task Scheduler has been rated important and carries a CVSS score of 8.8. This elevation-of-privilege vulnerability impacts all Windows 10 versions and subsequent releases, including the newly launched Windows Server 2025.
The second zero-day vulnerability, CVE-2024-43451, poses a risk of NTLM Hash Disclosure spoofing, also rated important with a CVSS score of 6.5. This particular vulnerability affects a vast range of Windows versions, extending from Windows Server 2008 to the latest releases of both desktop and server environments.
An attacker exploiting this vulnerability could obtain the NTLMv2 hash produced during the user’s domain authentication and then relay it or crack it offline to authenticate as that user, effectively gaining the user’s privileges.
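What a leaked NTLMv2 hash buys an attacker depends on where it can be replayed, so the two standard mitigations are to forbid outgoing NTLM to remote servers and to keep outbound SMB from reaching the Internet. The PowerShell below is an added example, not code from the article or from Microsoft; it audits both settings on the local host and can apply the firewall half. The registry value and firewall keywords are real Windows settings; the rule display name is chosen for this example.

```powershell
# Added example, not from the article: audit the two standard mitigations that
# blunt an NTLMv2 hash leak such as CVE-2024-43451 on the local host.
#   1. Policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote
#      servers" (registry value RestrictSendingNTLMTraffic: 0/absent = allow,
#      1 = audit, 2 = deny all).
#   2. An enabled outbound firewall rule blocking TCP 445 to Internet addresses,
#      so a hash-collecting SMB share outside the network is unreachable.

function Get-NtlmLeakExposure {
    [CmdletBinding()]
    param()

    $lsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $restrict = (Get-ItemProperty -Path $lsaPath -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    if ($null -eq $restrict) { $restrict = 0 }
    $policy = switch ($restrict) {
        2       { 'Deny all' }
        1       { 'Audit all (still exposed)' }
        default { 'Allow all (exposed)' }
    }

    # Walk enabled outbound block rules and look for one covering TCP 445 to
    # the Internet address set (or to Any, which is stricter). Rules written
    # with explicit address ranges instead of the keyword are not recognised.
    $smbBlocked = $false
    foreach ($rule in @(Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue)) {
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        if ($port.Protocol -eq 'TCP' -and
            (@($port.RemotePort) -contains '445') -and
            (@($addr.RemoteAddress) -contains 'Internet' -or @($addr.RemoteAddress) -contains 'Any')) {
            $smbBlocked = $true
            break
        }
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OutgoingNtlmPolicy = $policy
        OutboundSmbBlocked = $smbBlocked
        HashLeakMitigated  = ($restrict -eq 2) -and $smbBlocked
    }
}

# Apply the firewall half of the mitigation (elevated shell required).
# The display name is chosen for this example.
function Block-OutboundSmbToInternet {
    param([string]$DisplayName = 'Block outbound SMB to Internet (NTLM leak mitigation)')
    if (-not (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $DisplayName -Direction Outbound -Action Block `
            -Enabled True -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Profile Any | Out-Null
    }
}

Get-NtlmLeakExposure | Format-List
```

Setting the outgoing NTLM policy to "Deny all" breaks access to any non-domain host that still relies on NTLM, so move it to audit (1) first, review the resulting NTLM audit events, and only then deny. The firewall rule is safe to roll out broadly; legitimate SMB traffic to Internet hosts is rare and usually undesirable anyway.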
Chris Goettl, the vice president of security product management at Ivanti, highlighted the severity of this exploitation, particularly if users possess administrative rights. He noted that the trend of granting users elevated access privileges began during the COVID-19 pandemic to alleviate pressures on IT resources.
The challenges faced by IT departments during the pandemic included limited access to support services, resulting in more privileges being granted to users. “When users were no longer on the network, they had less access to the service desk and local support, which added to the support costs within the organization,” commented Goettl.
Microsoft addresses public disclosures
The second public disclosure is an elevation-of-privilege vulnerability in Active Directory Certificate Services, identified as CVE-2024-49019 and rated important with a CVSS score of 7.8. If exploited, an attacker could gain domain admin privileges. It affects all Windows Server versions from 2008 onward.
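Microsoft’s advisory for CVE-2024-49019 directs admins to look for published version 1 certificate templates whose subject name is supplied in the request and whose Enroll permission is granted broadly (the built-in WebServer template has this shape but is restricted to privileged groups by default). The PowerShell below is an added example, not from the article or from Microsoft; it queries the Configuration partition over plain LDAP and lists the published templates that match the first two conditions, leaving the enrollment ACL review to the admin. The function name is chosen here; the LDAP containers, attributes and flag bit are the real AD CS schema.

```powershell
# Added example, not from the article: list published certificate templates
# matching the risky shape in Microsoft's CVE-2024-49019 guidance: schema
# version 1 and subject name supplied in the request. Plain ADSI/LDAP, so it
# runs from any domain-joined host without the RSAT AD module.

function Get-RiskyV1Templates {
    [CmdletBinding()]
    param()

    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

    # Map template name -> CA that publishes it. A template nobody publishes
    # cannot be enrolled against, so it is left out of the report.
    $published = @{}
    $caSearch = New-Object System.DirectoryServices.DirectorySearcher
    $caSearch.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
    $caSearch.Filter = '(objectClass=pKIEnrollmentService)'
    foreach ($ca in $caSearch.FindAll()) {
        foreach ($t in $ca.Properties['certificatetemplates']) {
            $published[$t] = [string]$ca.Properties['cn'][0]
        }
    }

    # Only schema version 1 templates; bit 0x1 of msPKI-Certificate-Name-Flag is
    # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT ("Supply in the request").
    $tmplSearch = New-Object System.DirectoryServices.DirectorySearcher
    $tmplSearch.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,$pkiBase"
    $tmplSearch.Filter = '(&(objectClass=pKICertificateTemplate)(msPKI-Template-Schema-Version=1))'
    [void]$tmplSearch.PropertiesToLoad.AddRange([string[]]@('cn', 'msPKI-Certificate-Name-Flag'))

    foreach ($r in $tmplSearch.FindAll()) {
        $name     = [string]$r.Properties['cn'][0]
        $flagVals = $r.Properties['mspki-certificate-name-flag']
        $flags    = if ($flagVals.Count -gt 0) { [int]$flagVals[0] } else { 0 }
        if ((($flags -band 1) -ne 0) -and $published.ContainsKey($name)) {
            [pscustomobject]@{
                Template                = $name
                PublishedOn             = $published[$name]
                SchemaVersion           = 1
                EnrolleeSuppliesSubject = $true
            }
        }
    }
}

Get-RiskyV1Templates | Format-Table -AutoSize
```

For each template the script reports, open its security tab on the CA and confirm that Enroll is not granted to Domain Users, Domain Computers, Authenticated Users or similarly broad groups; if it is, either tighten the ACL or unpublish the template until the November update is on every CA.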
Goettl emphasized the growing rarity of finding administrators who excel in managing Windows infrastructure, specifically in Certificate Authority management, which may require external expertise for fortification.
Microsoft also identified another serious vulnerability in Microsoft Exchange Server, CVE-2024-49040, rated important with a CVSS score of 7.5. An unpatched Exchange server mishandles a non-RFC-compliant sender (P2 FROM) header, so a spoofed sender can pass as legitimate and be used for phishing and other attempts to reach user inboxes. Microsoft disclosed that exploit code is available and that both Exchange Server 2016 and 2019 are affected.
After the November security update is installed, Exchange detects messages with a non-compliant sender header and appends a warning banner to alert users.
Despite the addition of this banner, many users might still proceed to interact with suspicious emails. “Curiosity didn’t just kill the cat; it also phished so many humans that it started this thriving ecosystem,” remarked Goettl.
Exchange administrators can remove the warning message if they choose; they can also create a transport rule to reject flagged emails outright. Microsoft has published additional guidance on both options.
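The transport-rule option, as an added PowerShell example for the Exchange Management Shell (this is not the article’s or Microsoft’s code). It assumes the November update marks a flagged message with a header named X-MS-Exchange-P2FromRegexMatch; that name and the rule name are assumptions of this example, so confirm the header against Microsoft’s guidance for your build before switching the rule from Audit to Enforce.

```powershell
# Added example, not from the article or Microsoft: in the Exchange Management
# Shell on a patched Exchange 2016/2019 server, create a transport rule that
# rejects messages the server has flagged for a non-compliant P2 FROM header.
# Assumption: the update tags flagged messages with the header named below;
# confirm the header name and value in Microsoft's guidance for your build.

$FlagHeader = 'X-MS-Exchange-P2FromRegexMatch'        # assumed header name, see above
$RuleName   = 'Reject non-compliant P2 FROM header'    # rule name chosen for this example

function Set-P2FromRejectRule {
    param(
        [ValidateSet('Audit', 'Enforce')]
        [string]$Mode = 'Audit'   # start in Audit, review what it would reject, then Enforce
    )
    $existing = Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # Any non-empty value of the flag header triggers the reject action.
        New-TransportRule -Name $RuleName `
            -HeaderMatchesMessageHeader $FlagHeader `
            -HeaderMatchesPatterns '.+' `
            -RejectMessageReasonText 'Message rejected: sender header is not RFC 5322 compliant' `
            -Mode $Mode -Enabled $true | Out-Null
    } else {
        Set-TransportRule -Identity $RuleName -Mode $Mode
    }
    Get-TransportRule -Identity $RuleName |
        Format-List Name, State, Mode, HeaderMatchesMessageHeader, HeaderMatchesPatterns
}

Set-P2FromRejectRule -Mode Audit
```

In Audit mode the rule records matches in message tracking without rejecting anything, which is the cheap way to find legitimate senders with sloppy headers before the rule starts bouncing their mail; once the hit list looks right, rerun with `-Mode Enforce`.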
Goettl urged Exchange operators to take this update seriously due to the available proof-of-concept code, warning that malicious actors proficient in Exchange exploits would likely act quickly to exploit the vulnerability.
Other security updates of note for November Patch Tuesday
Among the other patches of note, Microsoft reported a vulnerability (CVE-2024-5535) in OpenSSL, the widely used open-source cryptographic library embedded in several Microsoft products, including Microsoft Defender for Endpoint on iOS and Android.
In certain scenarios, an attacker could trigger this vulnerability simply by sending a malicious email to the target, leading to code execution on the victim’s system. Despite its CVSS rating of 9.1, Microsoft classified it as important rather than critical.
“When you’re dealing with third-party libraries, you don’t necessarily need to use everything,” Goettl remarked, cautioning that Microsoft likely implements strategies to mitigate potential risks associated with such libraries.
The flaw also affects multiple Linux-based Microsoft products, which may necessitate manual updates from administrators.
A significant portion of the November security updates, approximately one-third, went to SQL Server: 31 CVEs, most with a CVSS rating of about 8.8. The vulnerabilities lie in the connection drivers, and the typical attack misleads a user into connecting to a malicious SQL Server, which then runs unauthorized code on the user’s machine.
Unexpected Windows Server 2025 upgrade hits admins
On November 1, Microsoft made Windows Server 2025 generally available, which led to the unforeseen complication of unintended upgrades at several enterprises.
Typically, organizations postpone upgrades until they reach the end of support for existing server systems; however, a confluence of issues resulted in Windows Server 2019 and 2022 systems auto-upgrading to Windows Server 2025. The absence of a rollback option further complicated the situation for administrators lacking adequate backups, compelling them to either recreate workloads on older servers or procure licenses for Windows Server 2025.
According to Microsoft, this issue solely impacted organizations utilizing third-party applications for server and desktop management.
Solution provider Dam indicated that for affected users, the problem likely stems from the chosen remote monitoring and management tools. “While it’s easy to point fingers at Microsoft when updates go awry, this time, they got it right,” he stated.
Istrators in some instances. An attacker could exploit this vulnerability to run arbitrary code or cause denial of service, raising significant security concerns.
Moreover, approximately one-third of the November updates concerned SQL Server, addressing 31 CVEs largely tied to the connection drivers. Most allow an attacker who lures a user into connecting to a malicious SQL Server to run code on the user’s machine. Organizations must remain vigilant against such attacks, since the resulting compromise of client systems can lead to data breaches.
Overall, this November Patch Tuesday served as a stark reminder of the ever-evolving security landscape. Microsoft’s updates, while crucial, highlight the complexities faced by IT departments tasked with maintaining secure environments amid emerging threats. As security challenges continue to escalate, staying informed and proactive about patch management remains essential for safeguarding organizational assets.