Microsoft has released its November security update to address a total of 90 vulnerabilities, including four critical ones. The company warned that two of these vulnerabilities are currently under active exploitation in the wild.
The more serious of the two actively exploited flaws is CVE-2024-49039, an elevation-of-privilege bug in Windows Task Scheduler that lets an attacker execute RPC functions normally restricted to privileged accounts. Exploitation requires an authenticated attacker to run a specially crafted application on the target, but Microsoft notes the attack can be launched from a low-privilege AppContainer, so a sandboxed foothold is enough to reach higher integrity levels.
The highest-rated bug in the release is CVE-2024-43639, a Critical (CVSS 9.8) remote code execution vulnerability in Windows Kerberos that an unauthenticated attacker can exploit without user interaction. The update also ships a fix for CVE-2024-5535, a flaw in OpenSSL that is not a Microsoft-issued CVE; per Microsoft's advisory, exploitation requires convincing a user to open a malicious link delivered by email or instant message.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added the two actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, which obliges federal agencies to remediate them by the catalog's due date. Separately, Microsoft announced that it has adopted the Common Security Advisory Framework (CSAF), a machine-readable advisory format, so that organizations can ingest its vulnerability data automatically and speed up response and remediation.
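A practical follow-up to the KEV listing is to cross-check the CVEs from a Patch Tuesday release against the catalog and see which ones carry a remediation deadline. The script below is an added example, not code from the article or from CISA. It parses the KEV JSON feed format (the real feed is at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json); `KEV_SAMPLE` is a constructed snippet in that schema so the example runs offline, and its dates are illustrative rather than CISA's actual values.

```python
"""Cross-check this month's patched CVEs against the CISA KEV catalog.

Added example (not from the article). KEV_SAMPLE is a constructed excerpt in the
schema of the real feed; the entry fields and due date are illustrative.
"""
import json
import urllib.request
from datetime import date

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the KEV feed schema (one entry, abbreviated fields).
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2024.11.12",
    "count": 1,
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-49039",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Microsoft Windows Task Scheduler Privilege Escalation Vulnerability",
            "dateAdded": "2024-11-12",
            "dueDate": "2024-12-03",
            "knownRansomwareCampaignUse": "Unknown",
        }
    ],
})

# CVEs named in the article's summary of the November release.
PATCHED_CVES = {"CVE-2024-49039", "CVE-2024-43639", "CVE-2024-5535"}


def fetch_kev(url: str = KEV_URL, timeout: int = 10) -> str:
    """Download the live KEV feed as JSON text (network; not used by the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def kev_status(kev_json: str, cves: set[str], today: date) -> dict[str, dict]:
    """Return, per CVE, whether it is in KEV and, if so, its due date and overdue flag."""
    entries = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    status = {}
    for cve in sorted(cves):
        entry = entries.get(cve)
        if entry is None:
            status[cve] = {"in_kev": False}
            continue
        due = date.fromisoformat(entry["dueDate"])
        status[cve] = {
            "in_kev": True,
            "date_added": date.fromisoformat(entry["dateAdded"]),
            "due": due,
            "overdue": today > due,
            "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
        }
    return status


def prioritize(status: dict[str, dict]) -> list[str]:
    """Order CVEs for patching: KEV entries first (earliest due date first), then the rest."""
    in_kev = [c for c, s in status.items() if s["in_kev"]]
    others = [c for c, s in status.items() if not s["in_kev"]]
    in_kev.sort(key=lambda c: status[c]["due"])
    return in_kev + sorted(others)


if __name__ == "__main__":
    # Swap KEV_SAMPLE for fetch_kev() to run against the live catalog.
    result = kev_status(KEV_SAMPLE, PATCHED_CVES, date.today())
    for cve in prioritize(result):
        s = result[cve]
        if s["in_kev"]:
            flag = "OVERDUE" if s["overdue"] else "due " + s["due"].isoformat()
            print(f"{cve}: in KEV, {flag}, ransomware use: {s['ransomware_use']}")
        else:
            print(f"{cve}: not in KEV")
```

Run it as-is for the offline demonstration, or replace `KEV_SAMPLE` with `fetch_kev()` to check the live catalog; the ordering puts KEV-listed CVEs at the top so the actively exploited bugs are patched before the rest of the release.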
In addition to Microsoft, other vendors such as Adobe, Amazon Web Services, Apple, and numerous hardware companies have released security updates to address various vulnerabilities.
Source: https://thehackernews.com/2024/11/microsoft-fixes-90-new-vulnerabilities.html