Pierluigi Paganini November 13, 2024
Microsoft Patch Tuesday security updates for November 2024 fixed 89 vulnerabilities in Windows and Windows Components; Office and Office Components; Azure; .NET and Visual Studio; LightGBM; Exchange Server; SQL Server; TorchGeo; Hyper-V; and Windows VMSwitch.
Four of these vulnerabilities are rated Critical, 84 are rated Important, and one is rated Moderate in severity. Microsoft has addressed a total of 949 vulnerabilities this year.
“Microsoft lists three of these CVEs as publicly known, but I disagree and put the count at five (more on that later),” reads the post published by the Zero Day Initiative. “They also list two as being exploited in the wild at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the vulnerabilities currently under active attack:”
Two of the vulnerabilities, tracked as CVE-2024-43451 and CVE-2024-49039, are listed as being exploited in the wild at the time of release. Below are the descriptions for these two vulnerabilities:
The most severe vulnerability addressed by the IT giant is an Azure CycleCloud Remote Code Execution issue tracked as CVE-2024-43602 (CVSS score of 9.9). An attacker with basic user permissions can exploit Azure CycleCloud by sending crafted requests to gain root access, allowing command execution across clusters and potential administrator credential compromise.
Microsoft also addressed a .NET and Visual Studio Remote Code Execution issue tracked as CVE-2024-43498 (CVSS score of 9.8). The flaw allows remote code execution through crafted requests sent to .NET web apps or through crafted files loaded by desktop apps.
The full list of vulnerabilities Microsoft addresses with Patch Tuesday security updates for November 2024 is available here.