Update now! November Patch Tuesday tackles 4 zero-days, two actively exploited
Microsoft’s November Patch Tuesday includes fixes for 89 vulnerabilities in total.
Of the 89 vulnerabilities patched in Microsoft’s November Patch Tuesday update, four are zero-days, which Microsoft defines as vulnerabilities that were publicly disclosed or actively exploited before a patch was available.
The Cybersecurity and Infrastructure Security Agency (CISA) has added two of the four zero-day vulnerabilities from Microsoft’s November Patch Tuesday to its catalog of actively exploited vulnerabilities, due to evidence of active exploitation.
These two vulnerabilities added to the catalog are tracked as:
CVE-2024-43451 (CVSS score 6.5 out of 10): a Microsoft Windows NTLMv2 hash disclosure spoofing vulnerability. This vulnerability discloses a user’s NTLMv2 hash to an attacker, who could use it to authenticate as that user. To exploit this vulnerability, the target only has to single-click or right-click a malicious file.
NTLM hashes are important to an attacker because they can use them for a pass-the-hash attack. Pass-the-hash is a credential theft and lateral movement method where the attacker abuses the NTLM authentication protocol to authenticate as a user without ever obtaining the account’s plaintext password. All they need is the hash of the password.
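Because pass-the-hash shows up on the target as an ordinary NTLM network logon, the useful defender's view is where NTLM is still being used and from which hosts. The following PowerShell is an added example, not code from the article; it reads successful logon events (Event ID 4624) from the local Security log and reports NTLM network logons per account. It assumes logon auditing is enabled, that the session can read the Security log, and that a 24-hour window (the `$Hours` variable, an assumption) is a reasonable baseline period.

```powershell
# Added example (not from the original article): summarize NTLM network logons
# in the local Security log so NTLM use can be baselined and an account that
# suddenly authenticates from unexpected hosts stands out.
# Assumes Event ID 4624 auditing is on and the session can read the Security log.
$Hours = 24   # assumed lookback window; adjust for your environment
$since = (Get-Date).AddHours(-$Hours)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
    -ErrorAction SilentlyContinue

$ntlmLogons = foreach ($e in $events) {
    # Pull the EventData name/value pairs out of the event XML
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # LogonType 3 = network logon; a pass-the-hash logon is an NTLM network logon
    if ($d.LogonType -eq '3' -and $d.AuthenticationPackageName -eq 'NTLM') {
        [PSCustomObject]@{
            Time        = $e.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            NtlmVersion = $d.LmPackageName      # "NTLM V1" or "NTLM V2"
            SourceIp    = $d.IpAddress
            Workstation = $d.WorkstationName
        }
    }
}

# Per account: how many NTLM logons and from how many distinct sources.
# One account authenticating with NTLM from many hosts in a short window,
# or any remaining NTLM V1, deserves a closer look.
$ntlmLogons | Group-Object User | ForEach-Object {
    [PSCustomObject]@{
        User        = $_.Name
        Logons      = $_.Count
        SourceHosts = ($_.Group.SourceIp | Sort-Object -Unique) -join ', '
        NtlmV1Seen  = [bool]($_.Group | Where-Object NtlmVersion -eq 'NTLM V1')
    }
} | Sort-Object Logons -Descending | Format-Table -AutoSize
```

Run it on a server that accepts network logons (file servers and domain controllers are the usual places); on a workstation the list is normally short, which is itself the point of the baseline.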
CVE-2024-49039 (CVSS score 8.8 out of 10): a Microsoft Windows Task Scheduler privilege escalation vulnerability. The bug allows an escape from the AppContainer sandbox: a low-privileged process running inside an AppContainer can execute code at Medium integrity, so the attacker can run code or access resources at a higher integrity level than the AppContainer execution environment allows. An authenticated attacker would need to run a specially crafted application on the target system, so this vulnerability is used as the privilege-escalation step in an attack chain rather than as an initial entry point.
The other two zero-days are tracked as:
CVE-2024-49040 (CVSS score 7.5 out of 10): a Microsoft Exchange Server spoofing vulnerability. This vulnerability allows attackers to spoof the sender’s email address in emails to local recipients. Starting with this month’s Microsoft Exchange security updates, Microsoft is now detecting and flagging spoofed emails with an alert prepended to the email body that states, “Notice: This email appears to be suspicious. Do not trust the information, links, or attachments in this email without verifying the source through a trusted method.”
CVE-2024-49019 (CVSS score 7.8 out of 10): an Active Directory Certificate Services elevation of privilege vulnerability. An attacker who successfully exploited this vulnerability could gain domain administrator privileges by abusing built-in default version 1 certificate templates.
Built-in default version 1 certificate templates are essentially pre-made, basic blueprints for digital certificates that come included with certain Microsoft systems, particularly older versions of Windows Server. The researchers who discovered the flaw explain:
Using built-in default version 1 certificate templates, an attacker can craft a CSR [Certificate Signing Request] to include application policies that are preferred over the configured Extended Key Usage attributes specified in the template.
Microsoft tells users to:
Check if you have published any certificates created using a version 1 certificate template where the Source of subject name is set to “Supplied in the request” and the Enroll permissions are granted to a broader set of accounts, such as domain users or domain computers.
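The following PowerShell turns that check into a query against Active Directory. It is an added example, not code from the article or from Microsoft: it lists version 1 templates whose subject name is supplied in the request (the `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` bit of `msPKI-Certificate-Name-Flag`) and on which Enroll or AutoEnroll (or GenericAll, which implies both) is granted to a broad group, and it shows which CAs have published each one. It assumes the RSAT ActiveDirectory module and a domain-joined session that can read the Configuration naming context; the list of groups treated as "broad" is an assumption to adjust for your environment.

```powershell
# Added example, not from the article or from Microsoft: find published version 1
# templates with "Supplied in the request" subject names and broad Enroll rights.
# Assumes the RSAT ActiveDirectory module and read access to the Configuration NC.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiDN    = "CN=Public Key Services,CN=Services,$configNC"

# Extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment
$enrollRightGuids = @('0e10c968-78fb-11d2-90d4-00c04f79dc55',
                      'a05b8cc2-17bc-11d2-91a8-00c04f79dc55')
# Bit in msPKI-Certificate-Name-Flag meaning "subject name is supplied in the request"
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1
# Groups treated as "broad" for this check (assumption; extend for your environment)
$broadGroups = @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone')

# Map template name -> CAs that publish it (certificateTemplates on each CA object)
$publishedBy = @{}
Get-ADObject -SearchBase "CN=Enrollment Services,$pkiDN" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object {
        $ca = $_.Name
        foreach ($tName in $_.certificateTemplates) { $publishedBy[$tName] += @($ca) }
    }

$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiDN" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Template-Schema-Version', 'msPKI-Certificate-Name-Flag',
                'pKIExtendedKeyUsage', 'nTSecurityDescriptor'

$rights = [System.DirectoryServices.ActiveDirectoryRights]

foreach ($t in $templates) {
    # Condition 1: version 1 template
    if ([int]$t.'msPKI-Template-Schema-Version' -ne 1) { continue }
    # Condition 2: subject name supplied in the request
    if (-not ([int]$t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)) { continue }

    # Condition 3: a broad group holds Enroll/AutoEnroll (or GenericAll)
    $broadEnrollers = foreach ($ace in $t.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if (-not ($broadGroups | Where-Object { $who -like "*\$_" -or $who -eq $_ })) { continue }

        $isGenericAll  = $ace.ActiveDirectoryRights.HasFlag($rights::GenericAll)
        $isExtended    = $ace.ActiveDirectoryRights.HasFlag($rights::ExtendedRight)
        # ObjectType empty = all extended rights; otherwise it must be an enrollment right
        $isEnrollRight = $isExtended -and
            ($ace.ObjectType -eq [Guid]::Empty -or $ace.ObjectType.ToString() -in $enrollRightGuids)
        if ($isGenericAll -or $isEnrollRight) { $who }
    }

    if ($broadEnrollers) {
        [PSCustomObject]@{
            Template       = $t.Name
            PublishedOn    = $(if ($publishedBy.ContainsKey($t.Name)) { $publishedBy[$t.Name] -join ', ' } else { '(not published)' })
            EKU            = ($t.pKIExtendedKeyUsage -join ', ')
            BroadEnrollers = ($broadEnrollers | Sort-Object -Unique) -join ', '
        }
    }
}
```

Templates that appear with a CA under `PublishedOn` are the ones Microsoft's guidance is about; for each, either tighten the Enroll permission to the accounts that actually need it or unpublish the template, and apply the update on the CA regardless.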
Other vendors
Other vendors have synchronized their periodic updates with Microsoft. Here are a few major ones that you may find in your environment.
Adobe released security updates for several products:
- Adobe Bridge
- Adobe Audition
- Adobe After Effects
- Substance 3D Painter
- Adobe Illustrator
- Adobe InDesign
- Adobe Photoshop
- Adobe Commerce
Citrix released security updates for:
Google has released updates for the Chrome browser and Android.
Ivanti released security updates for: