November Patch Tuesday loads up everyone’s plate – Sophos News

Microsoft on Tuesday launched 89 patches affecting 14 product households. Two of the addressed points, each touching Home windows, are thought of by Microsoft to be of important severity. At patch time, two of the problems addressed are recognized to be below exploit within the wild, with eight further CVEs extra prone to be exploited within the subsequent 30 days by the corporate’s estimation. 4 of this month’s points are amenable to detection by Sophos protections, and we embody info on these in a desk under.

Along with these patches, the discharge contains advisory info on two Edge-related CVEs, and one associated to Azure, CBL Mariner, and Defender (extra on that advisory under). We’re as all the time together with on the finish of this put up further appendices itemizing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product household.

By the numbers

• Complete CVEs: 89
• Publicly disclosed: 3
• Exploit detected: 2
• Severity
  • Essential: 3
  • Essential: 85
  • Reasonable: 3
• Influence
  • Distant Code Execution: 52
  • Elevation of Privilege: 27
  • Denial of Service: 4
  • Spoofing: 3
  • Safety Characteristic Bypass: 2
  • Data Disclosure: 1
• CVSS base rating 9.0 or better: 4
• CVSS base rating 8.0 or better: 42

Determine 1: RCE vulnerabilities, bolstered by a robust exhibiting among the many 31 SQL Server points patched, represent nearly all of November’s updates

Merchandise

• Home windows: 37
• SQL Server: 31
• 365 Apps: 8
• Workplace: 8
• Excel: 5
• Visible Studio: 5
• Azure: 3
• .NET: 2
• airlift.microsoft.com: 1
• Alternate: 1
• LightGBM: 1
• PC Supervisor: 1
• TorchGeo: 1
• Phrase: 1

As is our customized for this checklist, CVEs that apply to a couple of product household are counted as soon as for every household they have an effect on.

Determine 2: The number of affected product households rivals final month’s, however Home windows and SQL Server took the overwhelming majority of November’s patches

Notable November updates

Along with the problems mentioned above, quite a few particular gadgets advantage consideration.

31 CVEs – Server 2025 points

As reported in The Register final week, a KB error led to fairly quite a few situations of Server 2019 and 2022 receiving shock upgrades to Server 2025. Although Microsoft finally acknowledged and labored to mitigate the issue, as of this writing that course of seems to nonetheless be underway. In the meantime, this month’s Patch Tuesday’s set offers directors another excellent purpose to prioritize finding out any surprising Server 2025 presence on their programs, as over a 3rd of the month’s patches have an effect on the not-yet-official new model. We now have listed these CVEs in Appendix E on the finish of this writeup.

CVE-2024-5535 — OpenSSL: CVE-2024-5535 SSL_select_next_proto buffer overread

It’s relegated to the checklist of advisories, however this RCE, which carries a hefty 9.1 CVSS base rating, deserves a glance. The knowledge obtainable can also be noteworthy (although, as an OpenSSL-assigned CVE, it’s barely completely different to the same old knowledge Microsoft presents on its patches) – the obtainable info advises that, in a worst-case state of affairs of assault by way of e-mail, RCE may very well be achieved even when the person doesn’t open, learn, or click on on a acquired hyperlink. The difficulty impacts model 3.0 of Azure Linux, model 2.0 of CBL Mariner, and Defender for Endpoint on Android, iOS, and Home windows. That mentioned, Microsoft judges it much less prone to be exploited within the subsequent 30 days.

CVE-2024-49039 — Home windows Process Scheduler Elevation of Privilege Vulnerability
CVE-2024-43451 — NTLM Hash Disclosure Spoofing Vulnerability

These are the 2 CVEs that Microsoft has discovered to be already below exploit within the wild. The primary is the extra severe of the 2 – an EoP with a CVSS base rating of 8.8. Each require that the goal system run a malicious software. The spoofing subject, which weighs in at a comparatively much less alarming 6.5 CVSS base, contains a further shock – IE Cumulative updates for customers of Server 2008, 2008 R2, and 2012 R2 nonetheless taking Safety Solely updates.

CVE-2024-49040 — Microsoft Alternate Server Spoofing Vulnerability

This Essential-severity spoofing vulnerability, which Microsoft believes to be extra prone to be exploited throughout the subsequent 30 days, has a somewhat particular set of post-installation directions, which might be seen on the corporate’s web site.

CVE-2024-49056 — airlift.microsoft.com Elevation of Privilege Vulnerability

An uncommon CVE towards a Microsoft micro-site, this Essential-severity EoP has already been patched. Based on the knowledge supplied, “Authentication bypass by assumed-immutable knowledge on airlift.microsoft.com enable[ed] a certified attacker to raise privileges over a community.”

Determine 3: With a month left to go within the 12 months, and after remarkably low CVE counts within the first three months, 2024 has now formally exceeded the patch rely for all of final 12 months – 942 patches thus far in 2024, versus 931 for all of 2023

Sophos protections

As you possibly can each month, in the event you don’t wish to wait on your system to tug down Microsoft’s updates itself, you possibly can obtain them manually from the Home windows Replace Catalog web site. Run the winver.exe software to find out which construct of Home windows 10 or 11 you’re working, then obtain the Cumulative Replace bundle on your particular system’s structure and construct quantity.

Appendix A: Vulnerability Influence and Severity

It is a checklist of November patches sorted by affect, then sub-sorted by severity. Every checklist is additional organized by CVE.

Distant Code Execution (52 CVEs)

Elevation of Privilege (27 CVEs)

Denial of Service (4 CVEs)

Spoofing (3 CVEs)

Safety Characteristic Bypass (2 CVEs)

Data Disclosure (1 CVE)

Appendix B: Exploitability

It is a checklist of the November CVEs judged by Microsoft to be both below exploitation within the wild or extra prone to be exploited within the wild throughout the first 30 days post-release. The checklist is organized by CVE.

Appendix C: Merchandise Affected

It is a checklist of November’s patches sorted by product household, then sub-sorted by severity. Every checklist is additional organized by CVE. Patches which are shared amongst a number of product households are listed a number of occasions, as soon as for every product household.

Home windows (37 CVEs)

SQL Server (31 CVEs)

365 Apps (8 CVEs)

Workplace (8 CVEs)

Excel (5 CVEs)

Visible Studio (5 CVEs)

Azure (3 CVEs)

.NET (2 CVEs)

airlift.microsoft.com (1 CVE)

Alternate (1 CVE)

LightGBM (1 CVE)

PC Supervisor (1 CVE)

TorchGeo (1 CVE)

Phrase (1 CVE)

Appendix D: Advisories and Different Merchandise

It is a checklist of advisories and knowledge on different related CVEs within the November launch.

Appendix E: Server 2025

It is a checklist of CVEs affecting Server 2025, which some customers might have inadvertently acquired final week.