For November, Patch Tuesday contains three Home windows zero-day fixes

Microsoft’s November Patch Tuesday launch addresses 89 vulnerabilities in Home windows, SQL Server, .NET and Microsoft Workplace — and three zero-day vulnerabilities (CVE-2024-43451, CVE-2024-49019 and CVE-2024-49039) that imply a patch now advice for Home windows platforms. Unusually, there are a major variety of patch “re-releases” that may additionally require administrator consideration. 

The crew at Readiness has offered this infographic outlining the dangers related to every of the updates for this cycle.  (For a rundown of current Patch Tuesday updates, see Computerworld‘s round-up right here.

Recognized points 

There have been a couple of reported points for the September replace which were addressed now, together with:

• Enterprise prospects are reporting points with the SSH service failing to begin on up to date Home windows 11 24H2 machines. Microsoft beneficial updating the file/listing stage permissions on the SSH program directories (keep in mind to incorporate the log information). You may learn extra about this official workaround right here. 

It seems to be like we’re coming into a brand new age of ARM compatibility challenges for Microsoft. Nevertheless, earlier than we get forward of ourselves, we actually have to kind out the (three-month outdated) Roblox challenge.

Main revisions 

This Patch Tuesday contains the next main revisions: 

• CVE-2013-390: WinVerifyTrust Signature Validation Vulnerability. This replace was initially printed in 2013 by way of TechNet. This replace is now made accessible and is relevant to Home windows 10 and 11 customers as a result of a current change within the EnableCertPaddingCheck Home windows API name. We extremely suggest a evaluate of this CVE and its related Q&A documentation. Keep in mind: in the event you should set your values within the registry, be sure that they’re kind DWORD not Reg SZ.
• CVE-2024-49040: Microsoft Trade Server Spoofing Vulnerability. When Microsoft updates a CVE (twice) in the identical week, and the vulnerability has been publicly disclosed, it’s time to concentrate. Earlier than you apply this Trade Server replace, we extremely suggest a evaluate of the reportedheader detection points and mitigating components.

And unusually, we now have three kernel mode updates (CVE-2024-43511, CVE-2024-43516 and CVE-2024-43528 that had been re-released in October and up to date this month.  These safety vulnerabilities exploit a race situation in Microsoft’s Virtualization Based mostly Safety (VBS). It’s value a evaluate of the mitigating methods when you completely check these low-level kernel patches. 

Testing steering

Every month, the Readiness crew analyzes the most recent Patch Tuesday updates and offers detailed, actionable testing steering primarily based on a big utility portfolio and an in depth evaluation of the patches and their potential influence on Home windows platforms and utility installations.

For this launch cycle, we now have grouped the important updates and required testing efforts into separate product and purposeful areas together with:

Networking: 

• Take a look at end-to-end VPN, Wi-Fi, sharing and Bluetooth situations. 
• Take a look at out HTTP purchasers over SSL.
• Guarantee web shortcut information (ICS) show appropriately

Safety/crypto: 

• After putting in the November replace in your Certificates Authority (CA) servers, be sure that enrollment and renewal of certificates carry out as anticipated.
• Take a look at Home windows Defender Software Management (WDAC) and be sure that line-of-business apps aren’t blocked. Be sure that WDAC capabilities as anticipated in your Digital Machines (VM).

Filesystem and logging:

• The NTFileCopyChunk API was up to date and would require inside utility testing if straight employed. Take a look at the validity of your parameters and points referring to listing notification.

I can’t declare to have any nostalgia for dial-up web entry (although I do have a sure Pavlovian response to the dial-up handshake sound). For individuals who are nonetheless utilizing this method to entry the web, the November replace to the TAPI API has you in thoughts. A “fast” (haha) check is required to make sure you can nonetheless hook up with the web by way of dial-up when you replace your system.

Home windows lifecycle and enforcement updates

There have been no product or safety enforcements this cycle. Nevertheless, we do have the next Microsoft merchandise reaching their respective finish of servicing phrases:

• Oct. 8, 2024: Home windows 11 Enterprise and Training, Model 21H2, Home windows 11 Dwelling and Professional, Model 22H2, Home windows 11 IoT Enterprise, Model 21H2.
• Oct. 9, 2024: Microsoft Mission 2024 (LTSC)

Mitigations and workarounds 

Microsoft printed the next mitigations relevant to this Patch Tuesday.

• CVE-2024-49019: Energetic Listing Certificates Providers Elevation of Privilege Vulnerability. As this vulnerability has been publicly disclosed, we have to take it critically. Microsoft has supplied some mitigation methods through the replace/testing/deployment for many enterprises that embody:
• Take away overly broad enroll or auto-enroll permissions.
• Take away unused templates from certification authorities.
• Safe templates that let you specify the topic within the request.

As most enterprises make use of Microsoft Energetic Listing, we extremely suggest a evaluate of this information be aware from Microsoft. 

Every month, we break down the replace cycle into product households (as outlined by Microsoft) with the next primary groupings: 

• Browsers (Microsoft IE and Edge);
• Microsoft Home windows (each desktop and server); 
• Microsoft Workplace;
• Microsoft Trade Server;
• Microsoft Growth platforms (ASP.NET Core, .NET Core and Chakra Core);
• Adobe (in the event you get this far).

Browsers 

Microsoft launched a single replace particular to Microsoft Edge (CVE-2024-49025), and two updates for the Chromium engine that underpins the browser (CVE-2024-10826 and CVE-2024-10827). There’s a short be aware on the browser replace right here. We suggest including these low-profile browser updates to your normal launch schedule.

Home windows 

Microsoft launched two (CVE-2024-43625 and CVE-2024-43639) patches with a important score and one other 35 patches rated as necessary by Microsoft. This month the next key Home windows options have been up to date:

• Home windows Replace Stack (be aware: installer rollbacks could also be a problem);
• NT OS, Safe Kernel and GDI;
• Microsoft Hyper-V;
• Networking, SMB and DNS;
• Home windows Kerberos.

Sadly, these Home windows updates have been publicly disclosed or reported as exploited within the wild, making them zero-day issues:

• CVE-2024-43451: NTLM Hash Disclosure Spoofing Vulnerability.
• CVE-2024-49019: Energetic Listing Certificates Providers Elevation of Privilege.
• CVE-2024-49039: Home windows Process Scheduler Elevation of Privilege Vulnerability.

Add these Home windows updates to your Patch Now launch cadence. 

Microsoft Workplace 

Microsoft pushed out six Microsoft Workplace updates (all rated necessary) that have an effect on SharePoint, Phrase and Excel. None of those reported vulnerabilities contain distant entry or preview pane points and haven’t been publicly disclosed or exploited within the wild. Add these updates to your normal launch schedule.

Microsoft SQL (nee Trade) Server 

You need updates to Microsoft SQL Server? We received ‘em: 31 patches to the SQL Server Native consumer this month. That’s lots of patches, even for a posh product like Microsoft SQL Server. These updates seem like the results of a serious clean-up effort from Microsoft addressing the next reported safety vulnerabilities:

• CWE-122: Heap-based Buffer Overflow
• CWE-416: Use After Free

The overwhelming majority of those SQL Server Native Shopper updates handle the CWE-122 associated buffer overflow points. Observe: these patches replace the SQL Native consumer, so this can be a desktop, not a server, replace. Crafting a testing profile for this one is a tricky name. No new options have been added, and no high-risk areas have been patched. Nevertheless, many inside line-of-business functions depend on these SQL consumer options. We suggest that your core enterprise functions be examined earlier than this SQL replace, in any other case add it to your normal launch schedule. 

Boot be aware: Keep in mind that there’s a main revision to CVE-2024-49040 — this might have an effect on the SQL Server “server” facet of issues.

Microsoft growth platforms

Microsoft launched one critical-rated replace (CVE-2024-43498) and three updates rated as necessary for Microsoft .NET 9 and Visible Studio 2022. These are fairly low-risk safety vulnerabilities and really particular to those variations of the event platforms. They need to current a lowered testing profile. Add these updates to your normal developer schedule this month.

Adobe Reader (and different third-party updates)

Microsoft didn’t publish any Adobe Reader-related updates this month. The corporate  launched three non-Microsoft CVEs overlaying Google Chrome and SSH (CVE-2024-5535). Given the replace to Home windows Defender (because of the SSH challenge), Microsoft additionally printed an inventory of Defender vulnerabilities and weaknesses that may help along with your deployments.