November Patch Tuesday 2024

Greg Lambert
November 17, 2024

Microsoft’s November Patch Tuesday addresses 89 vulnerabilities in Windows, SQL Server, .NET and Microsoft Office. Unfortunately, we have three zero-day vulnerabilities (CVE-2024-43451, CVE-2024-49019 and CVE-2024-49039) that require a Patch Now update for Microsoft Windows platforms. Unusually, there are a significant number of patch “re-releases” which may require administrator attention. The team at Readiness has provided a helpful infographic that outlines the risks associated with each of the updates for this October update cycle. 

Known Issues 

There were a few reported issues for the September update which have been addressed in this November update including:

  • Enterprise customers are reporting issues with the SSH service failing to start on updated Windows 11 24H2 machines. Microsoft has recommended updating the file/directory level permissions on the SSH program directories (remember to include the log files). You can read more about this official workaround here.

It looks like we are entering a new age of ARM compatibility challenges for Microsoft. However, before we get ahead of ourselves, we really need to sort out the (three-month-old) Roblox issue.

Major Revisions 

This November Patch Tuesday has Microsoft publishing the following major revisions: 

  • CVE-2013-390: WinVerifyTrust Signature Validation Vulnerability. This update was originally published in 2013 via TechNet. This Microsoft update is now made available and is applicable to Windows 10/11 users due to a recent change in the EnableCertPaddingCheck Windows API call. We highly recommend a review of this CVE and its associated Q&A documentation. Remember: if you must set your values in the registry, ensure that they are of type DWORD, not REG_SZ.
  • CVE-2024-49040: Microsoft Exchange Server Spoofing Vulnerability. When Microsoft updates a CVE (twice) in the same week, and the vulnerability has been publicly disclosed, it’s time to pay attention. Before you apply this Exchange Server update, we highly recommend a review of the reported header detection issues and mitigating factors.

And unusually, we have three kernel mode updates (CVE-2024-43511, CVE-2024-43516 and CVE-2024-43528) that were re-released last month (October) and were updated this month (November). These security vulnerabilities involve a race condition in Microsoft’s Virtualisation Based Security (VBS). It may be worth a review of the mitigating strategies published by Microsoft while you thoroughly test these low-level kernel patches.

Testing Guidance

Each month, the team at Readiness analyses the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.

For this November release cycle from Microsoft, we have grouped the critical updates and required testing efforts into separate product and functional areas including:

Networking

  • Test end-to-end VPN, Wi-Fi, sharing and Bluetooth scenarios.
  • Test out HTTP clients over SSL.
  • Ensure internet shortcut files (ICS) display correctly.

Security/Crypto

  • After installing the November update on your Certificate Authority (CA) servers, ensure that enrollment and renewal of certificates perform as expected.
  • Test Windows Defender Application Control (WDAC) and ensure that line-of-business applications are not blocked. Ensure that WDAC functions as expected on your Virtual Machines (VM).

Filesystem and Logging

  • The NTFileCopyChunk API was updated and will require internal application testing if directly employed. Test the validity of your parameters and issues relating to directory notification.

I cannot claim to have any nostalgia for dial-up internet access (though I do have a certain Pavlovian response to the dial-up handshake sound). For those who are still using this approach to access the internet, this November update to the TAPI API has you in mind. A “quick” (haha) test is required to ensure you can still connect to the internet via dial-up once you have updated your system.

Windows Lifecycle and Enforcement Updates 

No product or security enforcements for this November update cycle. However, we do have the following Microsoft products reaching their respective end of servicing terms:

  • October 8th, 2024: Windows 11 Enterprise and Education, Version 21H2, Windows 11 Home and Pro, Version 22H2, Windows 11 IoT Enterprise, Version 21H2.
  • October 9th, 2024: Microsoft Project 2024 (LTSC)

Mitigations and Workarounds

For this November update cycle, Microsoft has published the following mitigations that are applicable to this Patch Tuesday.

  • CVE-2024-49019: Active Directory Certificate Services Elevation of Privilege Vulnerability. As this vulnerability has been publicly disclosed, we need to take this seriously. Microsoft has offered some mitigation strategies that most enterprises can apply during update, testing and deployment, including:
      1. Remove Overly Broad Enroll or AutoEnroll Permissions
      2. Remove Unused Templates from Certification Authorities
      3. Secure Templates that Allow You to Specify the Subject in the Request

As most enterprises will employ Microsoft Active Directory, we highly recommend a review of this knowledge note from Microsoft. 
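
The three mitigations listed above can be checked against a certificate template inventory while the patch is still in testing. The following is an added example, not code from Microsoft or Readiness: it assumes a constructed inventory export (the dictionary layout, template names, CA names and 12-month issuance counts are hypothetical) in which `name_flag` holds each template's `msPKI-Certificate-Name-Flag` value. As an extra assumption it also ranks templates that combine a requester-supplied subject with broad enrollment for first review.

```python
ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users", "Domain Computers"}

# Constructed inventory: one dict per template (export layout is an assumption).
TEMPLATES = [
    {"name": "LegacyWebServer", "name_flag": 0x1, "published_on": ["CA01"],
     "issued_12m": 37, "enroll": ["Domain Admins", "Authenticated Users"], "autoenroll": []},
    {"name": "UserAuth", "name_flag": 0x82000000, "published_on": ["CA01"],
     "issued_12m": 950, "enroll": ["Domain Users"], "autoenroll": ["Domain Users"]},
    {"name": "OldVPN", "name_flag": 0x1, "published_on": ["CA01", "CA02"],
     "issued_12m": 0, "enroll": ["VPN Admins"], "autoenroll": []},
    {"name": "CodeSign", "name_flag": 0x82000000, "published_on": [],
     "issued_12m": 0, "enroll": ["Release Engineers"], "autoenroll": []},
]

def audit_template(t):
    """Return the findings for one template, in the order of mitigations 1 to 3."""
    findings = []
    # 1. Enroll / AutoEnroll granted to a catch-all group.
    broad = sorted(BROAD_PRINCIPALS & (set(t["enroll"]) | set(t["autoenroll"])))
    if broad:
        findings.append("broad-enroll:" + ",".join(broad))
    # 2. Still published on a CA although nothing was issued from it.
    if t["published_on"] and t["issued_12m"] == 0:
        findings.append("unused-but-published:" + ",".join(t["published_on"]))
    # 3. The requester, not the directory, decides the certificate subject.
    if t["name_flag"] & ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("subject-in-request")
    return findings

def audit(templates):
    """Audit every template; 'urgent' lists those matching findings 1 and 3 together."""
    report = {t["name"]: audit_template(t) for t in templates}
    urgent = sorted(
        name for name, f in report.items()
        if "subject-in-request" in f and any(x.startswith("broad-enroll") for x in f)
    )
    return report, urgent

if __name__ == "__main__":
    report, urgent = audit(TEMPLATES)
    for name, findings in report.items():
        print(f"{name:16} {'; '.join(findings) or 'ok'}")
    print("review first:", urgent)
```
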

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: 

  • Browsers (Microsoft IE and Edge) 
  • Microsoft Windows (both desktop and server) 
  • Microsoft Office
  • Microsoft Exchange Server 
  • Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
  • Adobe (if you get this far) 

Browsers 

This November, Microsoft has released a single update that is specific to Microsoft Edge (CVE-2024-49025), and two updates for the Chromium engine that underpins Microsoft’s browser (CVE-2024-10826 and CVE-2024-10827). Microsoft has published a brief note on this month’s browser update, found here. We recommend adding these low-profile browser updates to your standard release schedule.

Windows 

Microsoft has released two patches with a critical rating (CVE-2024-43625 and CVE-2024-43639) and a further 35 patches rated as important. This month the following key Windows features have been updated:

  • Windows Update Stack (note: installer rollbacks may be an issue)
  • NT OS, Secure Kernel and GDI
  • Microsoft Hyper-V
  • Networking, SMB and DNS
  • Windows Kerberos

Unfortunately, the following Windows vulnerabilities have been publicly disclosed or reported as exploited in the wild, resulting in a zero-day designation:

  • CVE-2024-43451: NTLM Hash Disclosure Spoofing Vulnerability
  • CVE-2024-49019: Active Directory Certificate Services Elevation of Privilege Vulnerability
  • CVE-2024-49039: Windows Task Scheduler Elevation of Privilege Vulnerability

Add these Windows updates to your Patch Now release cadence. 

Microsoft Office 

This month Microsoft has published six Microsoft Office updates (all rated as important by Microsoft) that affect SharePoint, Word and Excel. None of these reported vulnerabilities involve remote access or preview pane issues and have not been publicly disclosed or exploited in the wild. Add these Microsoft Updates to your standard release schedule.

Microsoft SQL (nee Exchange) Server 

You want updates to Microsoft SQL Server – we got’em. 31 patches to the SQL Server Native client for this November Patch Tuesday. That’s a lot of patches, even for a complex product like Microsoft SQL Server. These updates appear to be the result of a major clean-up effort from Microsoft addressing the following reported security vulnerabilities:

The vast majority of these SQL Server Native Client updates address the CWE-122 related buffer overflow issues. Note that these patches update the SQL Native client, so this is a desktop update, not a server update. Crafting a testing profile for this update is a tough call. No new features have been added, and no high-risk areas have been patched. However, many internal line-of-business applications rely on these SQL client features. We recommend that your core business applications are tested before this SQL update, otherwise add this update to your standard release schedule. 

Boot note: Remember that there is a major revision to CVE-2024-49040 – this may affect the SQL Server “server” side of things.

Microsoft Development Platforms 

Microsoft has released one critical-rated update (CVE-2024-43498) and a further three updates (rated as important by Microsoft) that affect Microsoft .NET 9 and Visual Studio 2022. These are pretty low-risk security vulnerabilities and very specific to these versions of Microsoft development platforms. They should present a reduced testing profile. Add these updates to your standard developer schedule for this November patch cycle.

Adobe Reader (And other 3rd party updates) 

Microsoft has not published any Adobe Reader related updates this month. Microsoft has released three non-Microsoft CVEs covering Google Chrome and SSH (CVE-2024-5535). Given the update to Windows Defender (as a result of the SSH issue), Microsoft has published a list of Defender vulnerabilities and weaknesses that may assist with your deployment efforts.

Greg Lambert

CEO, Product Evangelist
Greg Lambert is the CEO and product evangelist for Application Readiness Inc. Greg is a co-founder of ChangeBASE and has considerable experience with application packaging technology and its deployment.
