November 2024 Patch Tuesday forecast: New servers arrive early
November 2024 Patch Tuesday is now live:
Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039)
Microsoft followed their October precedent set with Windows 11 24H2 and announced Microsoft Server 2025 on the first of November. We were expecting the official announcement at Microsoft Ignite near the end of the month, but with the early release, early users and Ignite attendees can have more in-depth discussions due to product familiarity.
Before we dig into some of the security enhancements and features in the new server, let’s take a quick look at October 2024 Patch Tuesday. Microsoft was busy resolving 91 vulnerabilities in Windows 10 and 68 in Windows 11. Three of the vulnerabilities were publicly disclosed and rated Important; two more were both publicly disclosed and known exploited and rated Important and Moderate. All of these vulnerabilities were associated with the Microsoft operating systems. Two vulnerabilities were also addressed in the .NET framework updates. The usual Office updates rounded out the Patch Tuesday updates.
The list of new features in Server 2025 is extensive, but I want to focus on a few security features of interest. Server 2025 introduces hotpatching which updates the running system in memory through Azure Arc. This will reduce the number of reboots while instantly improving the security of the system.
Active Directory has a number of improvements which provide the latest protocols, hardening and encryption options. Per Microsoft “Windows Server 2025 includes SMB over QUIC to enable secure access to file shares over the internet. SMB security also adds hardened firewall defaults, brute force attack prevention, and protections for man in the middle attacks, relay attacks, and spoofing attacks.” And one last feature of note, it includes Delegate Managed Service Accounts (dMSA) through which permissions can be delegated to access resources in the domain reducing security risk. Be sure to check out all the other new features and enhancements in this new server. Microsoft Server 2025 is a Long-Term Servicing Channel (LTSC) release for Windows Server.
Google’s Mandiant security team provided a very eye-opening report on some recent vulnerability exploitation trends. They examine the Time to Exploit (TTE) defined as the average time taken to exploit a vulnerability before or after a patch is released. To paraphrase their findings, through 2018 to 2019, the TTE averaged 63 days. This number dropped progressively over the various time periods they analyzed (see report), to the point that in 2023, they observed the largest drop in TTE thus far, with an average of just five days.
They also conducted an analysis of zero-days (vulnerabilities exploited before patches are made available, excluding end-of-life technologies) versus n-days (vulnerabilities first exploited after patches are available). Mandiant tracked 138 vulnerabilities that were disclosed in 2023 and exploited in the wild and found 97 were exploited as zero-days and 41 were exploited as n-days.
The main takeaway they found for us in the patch business is “exploitation was most likely to occur within the first month of a patch being made available for an already disclosed vulnerability.” The implication is clear that we need to prioritize and deploy our updates using a risk-based, quick turnaround strategy.
In case you missed it last month, the final updates were released for Windows 11, 21H2 Enterprise and Education versions, and Windows 11 22H2 Home and Professional. If you are still running these operating systems, you need to update because there are no new security fixes and new vulnerabilities are sure to be announced.
November 2024 Patch Tuesday forecast
- I anticipate Microsoft will keep up their accelerated CVE release schedule this month and then pull back for Ignite, the holidays and year end. Expect the usual set of updates for all the operating systems and the Office suites.
- I expect the next major update for Acrobat and Reader next month, but we may see a minor update next week. Last release was September Patch Tuesday.
- Apple just released Ventura 13.7.1, Sonoma 14.7.1 and Sequoia 15.1 on October 28th. Make sure they are in your latest round of deployments next week.
- The next stable channel updates for Google Chrome are expected next Tuesday as usual.
- The Mozilla Foundation their major security updates last week which included Thunderbird ESR 128.4 and Thunderbird 132, Firefox ESR 115.17, Firefox ESR 128.4, and finally Firefox 132. As with the Apple updates, nothing else is expected so include these in your deployments as well.
The usual patches from Microsoft, and a small update from Adobe, make for a standard Patch Tuesday. For those of you here in the US, it is a bit early but I wish you a Happy Thanksgiving!