Microsoft has rolled out its November 2024 cumulative updates for Windows 11, addressing critical security vulnerabilities and enhancing system performance. The update, distributed as KB5046617 for version 24H2 and KB5046633 for Windows 11 versions 23H2 and 22H2, brings build numbers up to 26100.2314 and 22631.4460, respectively.
The updates are aimed at fixing four zero-day vulnerabilities, several actively exploited in the wild, while also incorporating usability improvements and feature additions.
Zero-Day Vulnerabilities Targeted by the Patch
At the forefront of this update is the patch for CVE-2024-43451, a spoofing vulnerability impacting all supported versions of Windows. The flaw exposes NTLMv2 hashes, potentially enabling pass-the-hash attacks where an attacker authenticates without needing the actual password. The issue echoes similar vulnerabilities patched earlier in the year, such as CVE-2024-21410 in Exchange Server and CVE-2024-38021 in Microsoft Office.
Satnam Narang, senior staff research engineer from Tenable, says about CVE-2024-4345:
“While we don’t have insight into the in-the-wild exploitation of CVE-2024-43451 at this time, one thing is certain: attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes, as they can be used to authenticate to systems and potentially move laterally within a network to access other systems.”
Another critical fix includes CVE-2024-49039, a privilege escalation flaw in Windows Task Scheduler that allows attackers to gain elevated permissions by running a compromised application. The flaw’s discovery, linked to Google’s Threat Analysis Group (TAG), points to its potential use in targeted cyber operations involving advanced threat actors.
According to Tenable, once the Task Scheduler flaw is exploited, “an attacker can elevate their privileges and gain access to resources that would otherwise be unavailable to them as well as execute code, such as remote procedure call (RPC) functions.“
Microsoft also addressed CVE-2024-49019, an elevation of privilege vulnerability in Active Directory Certificate Services (AD CS), which stemmed from overly permissive version 1 certificate templates. Mike Walters from Action1 has the following details about the AD CS vulnerability:
“The vulnerability specifically arises from using version 1 certificate templates with a subject name set to “Supplied in the request” combined with overly broad ‘Enroll’ permissions. Under these conditions, attackers can request certificates with arbitrary subject names, leading to potential escalation of privileges up to and including domain administrator levels.”
Additionally, CVE-2024-49040 was patched to correct an issue in Microsoft Exchange Server, preventing potential email header spoofing. Action1 says that organizations using Microsoft Exchange Server for email management are at risk, especially if the latest security updates are not applied. This vulnerability can be exploited by attackers to carry out credible spoofing attacks, potentially leading to effective phishing campaigns. Users may be misled into downloading harmful content or revealing confidential information, believing the source of the communication to be legitimate.
According to Action1, “CVE-2024-49040 can play a critical role in broader phishing and social engineering campaigns aimed at securing access to login credentials or other sensitive data. Spoofed emails could also serve as vehicles for delivering malicious payloads, including ransomware or remote access trojans, which can further manipulate or extract valuable information.“
Windows Kerberos Vulnerability Raises RCE Concerns
Also included in Microsoft’s November 2024 updates is the fix for CVE-2024-43639, a severe remote code execution (RCE) vulnerability in the Windows Kerberos authentication protocol. This flaw occurs when numerical data is improperly handled during Kerberos operations, potentially allowing crafted messages to trigger unauthorized code execution.
Kerberos, essential for user and service authentication in Windows environments, becomes a high-value target with this flaw, risking domain controllers and critical network resources. With a CVSS base score of 9.8, the vulnerability poses a significant threat, though current exploitation is deemed less likely due to its complexity and the absence of public disclosure. However, organizations should act swiftly to apply patches and safeguard their infrastructure against potential future exploits.
Patches and Bug Fixes for Versions 23H2 and 22H2
The KB5046633 update applied to versions 23H2 and 22H2 includes similar improvements, such as enhanced notification controls that let users disable prompts directly from the notification or via Settings. The Start menu also received a subtle update, renaming “All apps” to “All” for streamlined navigation.
Several long-standing issues were resolved, including the excessive power drain experienced during Modern Standby. Microsoft Teams connectivity problems when joining meetings from Outlook reminders and regional activation number updates were also addressed.
Addressing Cloud Security: Azure CycleCloud Vulnerability
One of the most severe patches this month is CVE-2024-43602, affecting Azure CycleCloud, a tool integral to managing high-performance computing (HPC) environments. The vulnerability, exploitable with basic permissions, could allow attackers to gain root-level access by sending configuration-modifying requests. The ease of exploiting this flaw underscores the increasing focus on securing cloud-based infrastructure as more organizations shift operations to cloud services.
Feature Enhancements and Visual Updates
Beyond security, version 24H2 received notable changes, such as a fix to the Task Manager bug that displayed zero process counts when “Group by type” was active. Development teams will appreciate the resolution of an issue within the Windows Subsystem for Linux (WSL) that previously restricted access to the Dev Drive.
A design refresh for the Wi-Fi password dialog now aligns it with Windows 11’s overall interface, providing a cohesive user experience. Other user-centric improvements include a new shortcut for Narrator (Narrator key + Ctrl + X), allowing quick copying of spoken content—a handy feature for those frequently interacting with text-based data.
New Customization Options for the Copilot Key
One of the standout features in this update is the customization of the Copilot key. On compatible devices, users can configure the key’s behavior through Settings > Personalization > Text input. This setting allows users to choose between launching the Copilot app, the Microsoft 365 app, or an MSIX-packaged third-party app. The customization does not affect devices without the dedicated Copilot key.
Known Issues and Interim Workarounds
Microsoft acknowledged certain ongoing problems following the release. Users on Arm-based devices reported issues downloading and running Roblox from the Microsoft Store; a temporary solution involves downloading directly from Roblox’s website.
Additionally, enterprise users noted failures with the OpenSSH service post-October updates, which disrupted SSH connectivity. A temporary fix includes modifying directory permissions using PowerShell until Microsoft provides a complete resolution.
These updates are designed for automatic installation through Windows Update, but manual downloads are available from the Microsoft Update Catalog (24H2 and for 23H2 and 22H2). For the 24H2 updates, check out the specific instructions from Microsoft to avoid issues.