Virtual Administrator’s November Patch Recommendations

Patch Recommendations

This month Microsoft released patches for 89 vulnerabilities with 4 rated “Critical” in severity.

All new patches will be approved in our patch policy.

Microsoft has released fixes for 89 vulnerabilities, and 3 zero-days have been identified. CVE-2024-49039 is a flaw in the Windows Task Scheduler allowing attackers to increase their privileges on a Windows machine. CVE-2024-43451 is a spoofing flaw that could reveal Net-NTLMv2 hashes. Two of the disclosed weaknesses are CVE-2024-49019, an elevation of privilege flaw in Active Directory Certificate Services, and CVE-2024-49040, a spoofing vulnerability in Microsoft Exchange Server. CVE-2024-43639 is a remote code execution vulnerability in Windows Kerberos. There is one known issue with the OpenSSH (Open Secure Shell) service on Windows 11. There is one new Security Advisory, ADV240001. No new stand-alone SSUs.

Disclosed: CVE-2024-43451, CVE-2024-49019, CVE-2024-49040

Exploited: CVE-2024-43451, CVE-2024-49039

Security Update Guide

https://msrc.microsoft.com/update-guide/en-us

Microsoft Security Advisories

ADV240001 | Microsoft SharePoint Server Defense in Depth Update (Published: 11/12/2024)

https://msrc.microsoft.com/update-guide/vulnerability/ADV240001

Reason for Revision: We are publishing this advisory to the Security Update Guide’s Vulnerabilities tab to document the related defense in depth security updates in the Deployments tab. Generally advisories do not contain security updates. However Microsoft Engineering elected to provide them to ensure customers could ensure they are protected.

Please reference the Security Updates table or the Deployments tab to find the security update related to your product.

Heads Up! Server 2019/2022 spontaneously upgrading to 2025

We have not seen any issues with the Server 2025 upgrades on our Kaseya servers. We did Deny KB5044284 as a precaution but did not see any servers showing it as missing or installed. Talk about this has died down over the past week and no new reports of this have surfaced involving this month’s patches. We believe this was a one-time occurrence and have not denied any of the November patches. KB5044284 has been superseded by KB5046617.

There has been a lot of frustration and confusion around a number of 2019 and 2022 servers upgrading to 2025 after October 31st, when Microsoft released KB5044284 for Microsoft Server Operating System-24H2 (i.e. 2025). That’s the same KB as the Windows 11 24H2 October 8th CU. The articles below go into greater detail. Microsoft hasn’t admitted they did anything wrong but wrote “This scenario has been mitigated.” It seems there was confusion over Microsoft’s labeling of KB5044284, and some patch management tools interpreted it as a recommended update instead of an optional update.

Windows Server 2022 and Server 2019 unexpectedly upgraded to Windows Server 2025

https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2025#3404msgdesc

Microsoft blames Windows Server 2025 automatic upgrades on 3rd-party tools

https://www.bleepingcomputer.com/news/microsoft/microsoft-blames-windows-server-2025-automatic-upgrades-on-third-party-tools/

FYI Windows 11, version 21H2 (Enterprise & Education) reached end of service in October.

https://learn.microsoft.com/en-us/lifecycle/announcements/windows-11-21h2-end-of-updates-enterprise-education

All editions of Windows 11, version 21H2 are at end of service today, October 8, 2024. After today, these devices will not receive monthly security and non-security updates.

Known Issues

Microsoft is reporting problems with the OpenSSH (Open Secure Shell) service on Windows 11 22H2/23H2 systems.

Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues it is unlikely it will occur now.

Windows 11 October 2024 security update caused the OpenSSH (Open Secure Shell) service to fail to start.

https://support.microsoft.com/en-us/topic/november-12-2024-kb5046633-os-builds-22621-4460-and-22631-4460-6ff7b117-cd80-471a-a9ac-48a794bda2d6

Affects: Windows 11 22H2/23H2

Symptom: Following the installation of the October 2024 security update, some customers report that the OpenSSH (Open Secure Shell) service fails to start, preventing SSH connections. The service fails with no detailed logging, and manual intervention is required to run the sshd.exe process.

This issue is affecting both enterprise, IOT, and education customers, with a limited number of devices impacted. Microsoft is investigating whether consumer customers using Home or Pro editions of Windows are affected.

Workaround: Customers can temporarily resolve the issue by updating permissions (ACLs) on the affected directories. Follow these steps:

Open PowerShell as an Administrator.

Update the permissions for C:\ProgramData\ssh and C:\ProgramData\ssh\logs to allow full control for SYSTEM and the Administrators group, while allowing read access for Authenticated Users. You can restrict read access to specific users or groups by modifying the permissions string if needed.

Use the following commands to update the permissions:

    # Owner: Administrators; full control for SYSTEM (SY) and Administrators (BA);
    # read access (0x1200a9, read and execute) for Authenticated Users (AU)
    $directoryPath = "C:\ProgramData\ssh"
    $acl = Get-Acl -Path $directoryPath
    $sddlString = "O:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)"
    $securityDescriptor = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddlString
    $acl.SetSecurityDescriptorSddlForm($securityDescriptor.GetSddlForm("All"))
    Set-Acl -Path $directoryPath -AclObject $acl

Repeat the above steps for C:\ProgramData\ssh\logs.
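
The same workaround applied to both directories in one pass, as an added example rather than Microsoft's code. The optional -ReaderIdentity parameter and the group name in its comment are hypothetical; they show how read access can be narrowed by replacing AU in the permissions string with a specific SID.

```powershell
# Added example: run from an elevated PowerShell session.
function Set-SshDataAcl {
    param(
        # Assumption: optional account or group that replaces Authenticated Users,
        # for example 'CONTOSO\SSH-Readers' (hypothetical name).
        [string]$ReaderIdentity
    )

    $reader = 'AU'   # SDDL alias for Authenticated Users
    if ($ReaderIdentity) {
        # Resolve the name to a SID string, which SDDL accepts in place of an alias.
        $account = New-Object System.Security.Principal.NTAccount($ReaderIdentity)
        $reader  = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }

    # Same descriptor as the workaround: owner Administrators, protected DACL,
    # full control for SYSTEM and Administrators, 0x1200a9 (read and execute) for the reader.
    $sddl = "O:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;${reader})"

    foreach ($path in 'C:\ProgramData\ssh', 'C:\ProgramData\ssh\logs') {
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "$path not found, skipped"
            continue
        }
        $acl    = Get-Acl -Path $path
        $before = $acl.Sddl                     # keep for rollback or change records
        $acl.SetSecurityDescriptorSddlForm($sddl)
        Set-Acl -Path $path -AclObject $acl
        [pscustomobject]@{
            Path   = $path
            Before = $before
            After  = (Get-Acl -Path $path).Sddl
        }
    }
}

Set-SshDataAcl | Format-List

# Confirm the service now starts without manual intervention.
Start-Service -Name sshd
Get-Service -Name sshd | Select-Object Name, Status
```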

Status: Microsoft is actively investigating the issue and will provide a resolution in an upcoming Windows update. Further communications will be provided when a resolution or additional workarounds are available.

Good resource for known issues with Windows 10/11 patches. Find the version and click on “Known issues”.

Windows release health

https://docs.microsoft.com/en-us/windows/release-health/

Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022 KBs

Links take the form https://support.microsoft.com/en-us/help/####### where ####### is the KB number only.

Security and Quality Rollup

  • KB5046682 – Windows Server 2012 R2 (ESU)
  • KB5046697 – Windows Server 2012 (ESU)

Cumulative Updates

Windows 10

  • KB5046665 – Original release version 1507 (OS Build 10240)
  • KB5046612 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB5046615 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB5046613 – Version 21H2 “November 2021 Update” (OS Build 19044)
  • KB5046613 – Version 22H2 “November 2022 Update” (OS Build 19045)

(Versions 1511,1703,1709,1803,1903,1909,2004,20H2,21H1 are no longer under support)

Windows 11

  • KB5046633 – 22H2 (OS Build 22621)
  • KB5046633 – 23H2 (OS Build 22631)
  • KB5046617 – 24H2 (OS Build 26100)

(Version 21H2 is no longer under support)

Windows Server

  • KB5046612 – Server 2016 (same KB as Windows 10 Version 1607)
  • KB5046615 – Server 2019 (same KB as Windows 10 Version 1809)
  • KB5046616 – Server 2022 (OS Build 20348)
  • KB5046618 – Server 23H2 (OS Build 25398)
  • KB5046617 – Server 2025 (OS Build 26100)

KB5046630 – Cumulative security update for Internet Explorer

November 2024 updates for Microsoft Office

https://support.microsoft.com/en-us/topic/november-2024-updates-for-microsoft-office-03c5e8e8-cfe1-4c58-ab7a-af12a14363dd

Notable CVEs

CVE-2024-43451 | NTLM Hash Disclosure Spoofing Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-43451

This vulnerability discloses a user’s NTLMv2 hash to the attacker who could use this to authenticate as the user. Minimal interaction with a malicious file by a user such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing could trigger this vulnerability.

CVE-2024-43498 | .NET and Visual Studio Remote Code Execution Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43498

A remote unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to a vulnerable .NET webapp or by loading a specially crafted file into a vulnerable desktop app.

CVE-2024-43625 | Microsoft Windows VMSwitch Elevation of Privilege Vulnerability (Cumulative Update)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43625

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. The vulnerability is confined to the VmSwitch component within Hyper-V.

CVE-2024-43639 | Windows KDC Proxy Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-43639

An unauthenticated attacker could use a specially crafted application to leverage a cryptographic protocol vulnerability in Windows Kerberos to perform remote code execution against the target. This vulnerability only affects Windows Servers that are configured as a [MS-KKDCP]: Kerberos Key Distribution Center (KDC) Proxy Protocol server. Domain controllers are not affected.

CVE-2024-49019 | Active Directory Certificate Services Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49019

An attacker who successfully exploited this vulnerability could gain domain administrator privileges. Check if you have published any certificates created using a version 1 certificate template where the Source of subject name is set to “Supplied in the request” and the Enroll permissions are granted to a broader set of accounts, such as domain users or domain computers. An example is the built-in Web Server template, but it is not vulnerable by default due to its restricted Enroll permissions.
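
The template check described above can be scripted. The following read-only audit is an added example, not Microsoft's code or part of the original recommendations. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and treats Everyone, Authenticated Users, Domain Users and Domain Computers as the "broader set of accounts".

```powershell
# Added example (read-only audit). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$pkiBase    = "CN=Public Key Services,CN=Services,$configNC"
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$domainSid  = (Get-ADDomain).DomainSID.Value
# Assumption: "broad" = Everyone, Authenticated Users, Domain Users, Domain Computers
$broadSids  = 'S-1-1-0', 'S-1-5-11', "${domainSid}-513", "${domainSid}-515"

# Names of templates that an enterprise CA actually publishes
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Template-Schema-Version', 'msPKI-Certificate-Name-Flag', 'nTSecurityDescriptor'

foreach ($t in $templates) {
    # Version 1 template with "Supplied in the request" (name flag bit 0x1)
    if ($t.'msPKI-Template-Schema-Version' -ne 1) { continue }
    if (-not ($t.'msPKI-Certificate-Name-Flag' -band 1)) { continue }

    $rules = $t.nTSecurityDescriptor.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    $broad = foreach ($r in $rules) {
        # Enroll is granted by the Enroll extended right, all extended rights, or full control
        $isEnroll = ($r.ActiveDirectoryRights -band
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($r.ObjectType -eq $enrollGuid -or $r.ObjectType -eq [guid]::Empty)
        if ($r.AccessControlType -eq 'Allow' -and $isEnroll -and
            $r.IdentityReference.Value -in $broadSids) { $r.IdentityReference.Value }
    }
    if ($broad) {
        [pscustomobject]@{
            Template    = $t.Name
            Published   = $t.Name -in $published
            BroadEnroll = ($broad | Sort-Object -Unique) -join ', '
        }
    }
}
```

Templates reported with Published set to True are the ones to review first.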

CVE-2024-49039 | Windows Task Scheduler Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49039

To exploit this vulnerability, an authenticated attacker would need to run a specially crafted application on the target system to exploit the vulnerability and elevate their privileges to a Medium Integrity Level. An attacker who successfully exploited this vulnerability could execute RPC functions that are restricted to privileged accounts only.

CVE-2024-49040 | Microsoft Exchange Server Spoofing Vulnerability (KB5044062)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49040

Additional information available in Exchange Server non-RFC compliant P2 FROM header detection (https://learn.microsoft.com/en-us/Exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-non-compliant-p2from-detection).