Microsoft Addresses 89 Security Vulnerabilities Including 4 Critical Zero-Days

Microsoft has rolled out its November 2024 Patch Tuesday update, which addresses a staggering 89 security vulnerabilities. Among these are four critical zero-day flaws that have either been actively exploited or publicly disclosed.

The update includes fixes for two actively exploited vulnerabilities:

  1. CVE-2024-43451: An NTLM hash disclosure flaw affecting all Windows versions
  2. CVE-2024-49039: A Windows Task Scheduler elevation of privilege vulnerability, discovered by Google’s Threat Analysis Group

Security experts strongly emphasize the urgency of applying these patches, particularly for the NTLM vulnerability. This flaw allows attackers to steal authentication hashes with minimal user interaction. “This vulnerability discloses a user’s NTLMv2 hash to the attacker who could use this to authenticate as the user,” Microsoft explained in its security advisory.

The update also addresses two other publicly disclosed zero-days:

  1. CVE-2024-49019: Affects Active Directory Certificate Services
  2. CVE-2024-49040: Impacts Exchange Server

These fixes highlight Microsoft’s ongoing struggle with zero-day vulnerabilities throughout 2024, bringing the total to 27 documented zero-day attacks in the Windows ecosystem this year.

Source: BleepingComputer
