Microsoft halts 2 zero-days on November Patch Tuesday
The company addressed 88 vulnerabilities, including an Exchange Server spoofing flaw and a significant number of SQL Server bugs, this month.
For November Patch Tuesday, Microsoft admins must address two Windows zero-days quickly, but enterprises that use on-premises Exchange Server should prioritize patching that platform to resolve a spoofing vulnerability.
This Patch Tuesday, Microsoft released fixes for 88 new vulnerabilities with four rated critical. Of the two zero-days, one was also publicly disclosed. In total, Microsoft released information for three publicly disclosed vulnerabilities.
Microsoft corrects two Windows zero-days
A zero-day (CVE-2024-49039) in the Windows Task Scheduler is rated important with a CVSS rating of 8.8. This elevation-of-privilege vulnerability affects Windows 10 and later versions, including the newly released Windows Server 2025.
The second zero-day is CVE-2024-43451, an NTLM Hash Disclosure spoofing vulnerability, rated important with a CVSS score of 6.5. Microsoft noted this flaw was also publicly disclosed. The vulnerability affects all Windows versions from Server 2008 through the latest desktop and server versions.
An attacker who exploits this bug can obtain the user's NTLMv2 hash, which is used for domain authentication in Windows environments, and use it to act with that user's privilege level.
Chris Goettl, vice president of security product management at Ivanti, told TechTarget Editorial this vulnerability could be disastrous if users have admin rights. He said the trend of giving users higher access started during COVID-19 to ease the demands on the IT staff.
"When users were no longer on the network, they had less access to the service desk and local support, which added to the support costs within the organization, so a lot more privileges were doled out," Goettl said.
He said some organizations that granted these escalated rights are now peeling those permissions back to avoid getting bitten by security issues.
Microsoft addresses public disclosures
The second public disclosure is an Active Directory Certificate Services elevation-of-privilege vulnerability (CVE-2024-49019) rated important with a CVSS score of 7.8. If successfully exploited, the attacker could gain domain admin privileges. The bug affects all Windows Server versions starting with 2008.
Microsoft provides extensive guidance to help admins mitigate this flaw against further attacks, but the mitigation requires manual work from the admin. The corrective actions include securing certificate templates, removing excessive permissions and deleting unused templates.
Goettl said it's increasingly rare to find admins who are adept at managing this area of the Windows infrastructure, which might require calling in extra support to make sure the system is secure.
"Certificate authority is one of those specialized areas that very few companies have somebody who truly knows their way around it," he said.
The last public disclosure is a Microsoft Exchange Server spoofing vulnerability (CVE-2024-49040) rated important with a 7.5 CVSS score. Microsoft said unpatched Exchange systems will mishandle non-compliant headers in email, allowing phishing attempts and other malicious messages to reach users. Microsoft said there is exploit code available that affects both Exchange Server 2016 and 2019.
After admins install the November security update, Exchange will detect potentially dangerous email and add a warning banner across the top of the message to alert the user.
"Even if this banner is there, there are people who will click in the email. Curiosity didn't just kill the cat, it also phished so many humans that it started this thriving ecosystem," Goettl said.
Exchange admins have the option to remove the warning message. They can also set up a transport rule to reject flagged email. Microsoft has published additional guidance on both options.
"If you're running Exchange, you should definitely look into this update because of the proof-of-concept code," Goettl said. "The threat actors who are good at Exchange exploits will take that code quickly to take advantage of it."
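An added example, not code from the article or from Microsoft: an Exchange Management Shell script that creates the reject rule described above, starting in audit mode so an admin can confirm it only catches flagged mail before enforcing it. It assumes the update marks flagged messages with a message header; the header name is a placeholder to replace with the one named in Microsoft's guidance, and the rule name and reject text are the author's choices.

```powershell
# Added example (not from the article or Microsoft): reject mail that the November
# Exchange update has flagged for a non-compliant sender header, instead of only
# showing the warning banner. Run in the Exchange Management Shell as an org admin.

# ASSUMPTION: the update stamps flagged messages with a message header. Replace the
# placeholder below with the header name given in Microsoft's guidance for the update.
$FlagHeader = 'X-PLACEHOLDER-FLAGGED-HEADER'
$RuleName   = 'Reject mail flagged for non-compliant sender header'

function Initialize-FlaggedMailRejectRule {
    param([string]$Name, [string]$Header)

    # Idempotent: a second run must not create a duplicate rule.
    $rule = Get-TransportRule -Identity $Name -ErrorAction SilentlyContinue
    if ($null -ne $rule) {
        Write-Host "Rule '$Name' already exists (Mode: $($rule.Mode), State: $($rule.State))."
        return $rule
    }

    # Match any value in the flag header on external mail only, so internal senders
    # with odd but legitimate headers are not rejected. Start in Audit mode: the rule
    # records hits but takes no action, giving a baseline before enforcement.
    New-TransportRule -Name $Name `
        -Priority 0 `
        -FromScope NotInOrganization `
        -HeaderMatchesMessageHeader $Header `
        -HeaderMatchesPatterns '.+' `
        -RejectMessageReasonText 'Message rejected: non-compliant sender header.' `
        -RejectMessageEnhancedStatusCode '5.7.1' `
        -Mode Audit `
        -Comments 'Mitigation for Exchange CVE-2024-49040; switch to Enforce after review.'
}

function Enable-FlaggedMailRejectRule {
    param([string]$Name)
    # Flip from audit to enforcement once the audit period shows no false positives.
    Set-TransportRule -Identity $Name -Mode Enforce
    Get-TransportRule -Identity $Name |
        Format-List Name, State, Mode, Priority, HeaderMatchesMessageHeader
}

Initialize-FlaggedMailRejectRule -Name $RuleName -Header $FlagHeader
# After reviewing rule hits gathered in Audit mode:
# Enable-FlaggedMailRejectRule -Name $RuleName
```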
Other security updates of note for November Patch Tuesday
Microsoft published a CVE (CVE-2024-5535) in its monthly release notes for a flaw in OpenSSL, an open-source cryptographic library used in several Microsoft products, including Microsoft Defender for Endpoint for iOS and Android.
In some cases, the attacker can exploit the vulnerability just by sending a malicious email to a targeted user, which would let the attacker run code on the victim's system. The vulnerability is only rated important despite the 9.1 CVSS rating.
"When you're dealing with third-party libraries, you don't necessarily need to use everything," Goettl said. "Microsoft is probably not utilizing something or they've implemented it in some way that mitigates the risk."
The flaw also affects several Linux-based Microsoft products, which might require manual updates.
Roughly one-third of the security updates for November Patch Tuesday were for SQL Server, which had 31 CVEs, nearly all with an 8.8 CVSS rating. Most of the bugs involve a flaw in the connection driver that an attacker can exploit by tricking a user into connecting to a malicious SQL Server database, which lets the attacker run code on the user's machine.
Unexpected Windows Server 2025 upgrade hits admins
Microsoft made Windows Server 2025 generally available on Nov. 1, and the company received unforeseen exposure for this release after multiple reports of unexpected upgrades.
While most enterprises wait to upgrade until their existing server systems reach the end of support, a perfect storm of issues resulted in Windows Server 2019 and 2022 systems automatically upgrading to Windows Server 2025. The lack of a rollback option further compounded the problem for admins who did not have backups, forcing them to either recreate workloads on the older server OS or buy a Windows Server 2025 license.
According to Microsoft, this problem only affected organizations that use third-party applications for desktop and server management.
Bryan Dam of Patch My PC wrote an extensive blog post explaining that, because of complexities in its cloud-based management tools, Microsoft offered Windows Server 2025 as a feature update labeled as an upgrade via Windows Update.
"If you are affected, know that the fault likely lies with your chosen [remote monitoring and management] tool or its update settings. While it's easy to point fingers at Microsoft when updates go awry, this time, they got it right," Dam wrote.
Tom Walat is the site editor for TechTarget Editorial's Windows Server site, where he manages all site content. Walat previously worked for a newspaper in the Greater Boston area.