Microsoft Patch Tuesday: November 2024

November 14, 2024

November’s Patch Tuesday instalment patches 90 vulnerabilities, a decrease from the 119 in October. This month's fixes include 4 critical vulnerabilities, 3 that were publicly disclosed and 2 that were exploited in the wild.

CVE-2024-43451: NTLM Hash Disclosure Spoofing Vulnerability

This publicly disclosed and actively exploited vulnerability exposes NTLMv2 hashes to an attacker. Microsoft has warned that minimal interaction with a malicious file by a user, such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing, could trigger this vulnerability. This could ultimately lead to the attacker gaining unauthorised access to facilitate further attacks.

CVE-2024-49039: Windows Task Scheduler Elevation of Privilege Vulnerability

The second actively exploited vulnerability this month relates to the Windows Task Scheduler. Unauthenticated attackers would need to run a specially crafted application on the target system to exploit the vulnerability and elevate their privileges to a medium integrity level, gaining the right to execute RPC functions restricted to privileged accounts only.

CVE-2024-49019: Active Directory Certificate Services Elevation of Privilege Vulnerability

Another publicly disclosed vulnerability this month could allow attackers to gain domain administrator privileges. Specifically, Microsoft has reported that any certificates created using a version 1 certificate template with the source of subject name set to "Supplied in the request" and enroll permissions greater than the default restricted level are at risk if the template is not secured according to best practices.
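The three template conditions described above can be checked against an export of template attributes, as in this added example (not code from Microsoft or from the original post). It assumes each template's `msPKI-Template-Schema-Version`, `msPKI-Certificate-Name-Flag` and security descriptor in SDDL form have already been exported; the sample records and the list of trustees treated as "broad" are constructed assumptions.

```python
import re

ENROLL_GUID = "0e10c968-78fb-11d2-90d4-00c04f79dc55"  # Certificate-Enrollment extended right
SUPPLIES_SUBJECT = 0x1  # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag
CONTROL_ACCESS, GENERIC_ALL = 0x100, 0x10000000  # access-mask bits, for hex rights
# Assumption: these trustees count as broader than the default restricted level.
BROAD = {"AU": "Authenticated Users", "WD": "Everyone", "DU": "Domain Users",
         "DC": "Domain Computers", "S-1-5-11": "Authenticated Users",
         "S-1-1-0": "Everyone"}
BROAD_RIDS = {"513": "Domain Users", "515": "Domain Computers"}
ACE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);[^;()]*;([^;()]*)\)")

def pairs(s):  # split an SDDL flag/rights string such as "RPWPCR" into 2-letter codes
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def grants_enroll(ace_type, rights, obj_guid):
    """True if an allow ACE conveys the Enroll extended right."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        cr, ga = bool(mask & CONTROL_ACCESS), bool(mask & GENERIC_ALL)
    else:
        cr, ga = "CR" in pairs(rights), "GA" in pairs(rights)
    return ace_type in ("A", "OA") and (ga or (cr and obj_guid.lower() in ("", ENROLL_GUID)))

def broad_enrollers(sddl):
    """Broad trustees that the template's security descriptor allows to enroll."""
    found = set()
    for ace_type, flags, rights, obj, trustee in ACE.findall(sddl):
        if "IO" in pairs(flags) or not grants_enroll(ace_type, rights, obj):
            continue  # inherit-only ACEs do not apply to the template itself
        rid = trustee.rsplit("-", 1)[-1] if trustee.startswith("S-1-5-21-") else ""
        found.add(BROAD.get(trustee) or BROAD_RIDS.get(rid))
    return sorted(found - {None})

def at_risk(schema_version, name_flag, sddl):
    """Broad enrollers if the template is v1 and the requester supplies the subject."""
    if int(schema_version) != 1 or not int(name_flag) & SUPPLIES_SUBJECT:
        return []
    return broad_enrollers(sddl)

# Constructed sample: template name -> (schema version, name flag, SDDL)
SAMPLE = {
    "WebServerInternal": (1, 1, f"D:(OA;;CR;{ENROLL_GUID};;DA)(OA;;CR;{ENROLL_GUID};;DU)"),
    "WebServer": (1, 1, f"D:(OA;;CR;{ENROLL_GUID};;DA)(A;;RPLCLORC;;;AU)"),
    "UserV2": (2, 1, f"D:(OA;;CR;{ENROLL_GUID};;AU)"),
}
FLAGGED = {cn: at_risk(*t) for cn, t in SAMPLE.items() if at_risk(*t)}
print(FLAGGED)
```

Deny ACEs and nested group membership are not evaluated, so an empty result should still be confirmed against the template's effective permissions.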

CVE-2024-43625: Microsoft Windows VMSwitch Elevation of Privilege Vulnerability

A critical RCE in Windows VMSwitch could allow an attacker to gain SYSTEM privileges. This requires an attacker with access to a low-privilege Hyper-V guest to send a specific series of networking requests to the VMSwitch driver, triggering a use-after-free vulnerability in the Hyper-V host which grants host privileges, ultimately allowing arbitrary code execution. Microsoft has reported that successful exploitation of this vulnerability requires an attacker to gather information specific to the environment and take additional actions prior to exploitation to prepare the target environment.

CVE-2024-43639: Windows Kerberos Remote Code Execution Vulnerability

A critical vulnerability in Kerberos could allow an authenticated attacker using a specially crafted application to leverage a cryptographic protocol vulnerability in Windows Kerberos to perform remote code execution against the target. While critical, Microsoft has graded this “Exploitation Less Likely.”

CVE-2024-38255, CVE-2024-43459, CVE-2024-43462, CVE-2024-48993 to CVE-2024-49018: 29 SQL Server Native Client Remote Code Execution Vulnerabilities

Affecting the SQL Server Native Client, these Important-rated vulnerabilities can be exploited by convincing an authenticated user to connect to a malicious SQL Server database using an affected driver; the database then returns malicious data that could cause arbitrary code execution on the client.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-Nov

Security update guide: https://msrc.microsoft.com/update-guide/

Author

Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.

Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
