Admins can give thanks this November for dollops of Microsoft patches

Patch Tuesday Patch Tuesday has swung around again, and Microsoft has released fixes for 89 CVE-listed security flaws in its products – including two under active attack – and reissued three more.

According to the IT giant, the first exploited flaw – CVE-2024-49039 – would allow privilege escalation thanks to an error in Windows Task Scheduler. Redmond warns that the CVSS 8.8-rated issue can be – and apparently has been – exploited using a low-privilege AppContainer. The upshot is that someone or something rogue on a vulnerable computer can use the bug to meddle with the box in a way they shouldn't be able to.

"An attacker must first gain access to the system, subsequently running a specifically crafted application to exploit the vulnerability," explained Henry Smith, senior security engineer at Automox.

"This could lead to unauthorized execution of privileged RPC functions, potentially allowing the creation of new users or modification of system settings ...