Microsoft’s November Patch Tuesday has brought a significant security update, fixing 89 vulnerabilities across its Windows operating systems and other applications, including Microsoft Office and SQL Server. Of these, four vulnerabilities are deemed “critical,” and nearly all the others are rated as “high risk.” This patch addresses six zero-day vulnerabilities, including two that were already being actively exploited, positioning 2024 as the second highest year for security patches in recent history.
A substantial portion of this month’s fixes — 37 vulnerabilities — affects Windows 10, Windows 11, and Windows Server, with Windows 7 and 8.1 being left behind due to the end of security support for these older versions. Users of unsupported systems are urged to upgrade to Windows 10 (22H2) or Windows 11 (23H2) to continue receiving important security updates, though with Windows 10 losing support next year, skipping ahead to Windows 11 may be a more sustainable option. It’s also worth noting that the Windows 11 24H2 update, while available, has been causing issues, so staying on 23H2 may be the safer choice for now.
The critical vulnerabilities this month include CVE-2024-43451, which affects the MSHTML platform and allows for user impersonation, and CVE-2024-49039, which lets attackers break out of app containers and execute malicious code. CVE-2024-43639 in the Kerberos protocol is particularly alarming, as it enables remote code execution (RCE) without user interaction and can potentially propagate through a network. Additionally, CVE-2024-43498 in .NET and Visual Studio allows attackers to inject and execute code through crafted web requests.
Microsoft also resolved multiple vulnerabilities in the Windows telephony service, including six RCE flaws and one Elevation of Privilege (EoP) issue. Office products also received patches, with Excel having five RCE flaws fixed, and Word addressed with a Security Feature Bypass (SFB) vulnerability. SQL Server accounts for over a third of the patched vulnerabilities, including 31 high-risk RCE vulnerabilities. Notably, CVE-2024-49043 requires both an update to the OLE DB driver and possibly third-party updates, which should be checked for security.
With these patches, Microsoft continues to strengthen its security posture, especially for enterprise users and system administrators who must manage these vulnerabilities across corporate networks.