November 2024 Third-Party Patches: Notable Vulnerabilities and Updates
Good news from the land of third-party application patch management: according to Recast Application Workspace data, November saw only 53 vulnerable products with 88 unique vulnerabilities. That is a significant decrease, only half of October’s numbers. Seventeen different software vendors released 82 patches to remediate these vulnerabilities.
Notable Vulnerabilities in November 2024 Third-Party Patches
Several critical vulnerabilities were patched in November. First, the remote code execution vulnerability CVE-2024-43498 affects multiple Microsoft products such as .NET Runtime 9.0, Microsoft Visual Studio 2022 Community, and Windows Desktop Runtime 9.0. The CVSS rating for this vulnerability is 9.8. More information can be found at the Microsoft Security Response Center (MSRC).
Mozilla addressed three critical vulnerabilities, each with a CVSS score of 9.8:
- CVE-2024-11693 affects Firefox, Thunderbird, and Waterfox (a free and open-source web browser forked from Firefox). This vulnerability affects applications running on Windows operating systems and relates to the absence of file warnings when downloading .library-ms files. More details are available in the Mozilla Foundation’s Security Advisory.
- CVE-2024-11698 affects Firefox, Thunderbird, and Waterfox on macOS. A flaw in handling fullscreen transitions could inadvertently cause the application to become stuck in fullscreen mode. Additional information is provided by the Mozilla Foundation.
- CVE-2024-11704 is a double-free issue that could occur in sec_pkcs7_decoder_start_decrypt() when handling an error path, potentially leading to memory corruption under specific conditions. This vulnerability affects Firefox and Thunderbird versions older than 133.
Additionally, Mozilla remediated a vulnerability with a CVSS score of 9.1 that affects Firefox on the Android operating system:
- CVE-2024-11703 could allow saved passwords to be viewed without device PIN authentication.
Finally, the vulnerability CVE-2024-11705 involves NSC_DeriveKey mistakenly assuming that the phKey parameter would never be NULL. Passing a NULL value causes a segmentation fault (SEGV), which crashes the application. More information is provided in Mozilla’s Security Advisory.
TechSmith Corporation updated OpenSSL to version 3.3.2 for Snagit 2024 for Mac, remediating the vulnerability CVE-2021-3711 with a CVSS score of 9.8. More information about the vulnerability can be found in an OpenSSL Security Advisory. The Snagit Mac version history provides more details about the update.
Browser Security Updates in November 2024
Browser | Vulnerabilities | Updates |
Google Chrome | 11 | 3 |
Microsoft Edge | 26 | 4 |
Brave Browser | 11 | 3 |
Firefox | 16 | 1 |
Firefox ESR 115 | 2 | 1 |
Firefox ESR 128 | 15 | 2 |
Waterfox | 8 | 1 |
Microsoft Product Updates Included in November 2024 Third-Party Patches
In addition to Edge, Microsoft released updates for the following products:
- Microsoft .NET Runtime 9.0
- Microsoft .NET SDK 9.0
- Microsoft 365 Apps
- Microsoft ASP.NET Core Runtime 9.0
- Microsoft ASP.NET Core Runtime Hosting Bundle 9.0
- Microsoft Azure CLI
- Microsoft Visual Studio 2022 Community
- Microsoft Visual Studio 2022 Enterprise
- Microsoft Visual Studio 2022 Professional
- Microsoft Visual Studio Team Explorer 2022
- Microsoft Windows Desktop Runtime 9.0
- OpenJDK 17
Detailed List of November 2024 Third-Party Patches
For a complete list of applications, versions, and the number of remediated vulnerabilities, see the table below generated using Application Workspace data.
Product | Version | Vulnerabilities remediated |
Apache Tomcat 10 | 10.1.33 | 1 |
Apache Tomcat 11 | 11.0.1 | 1 |
Apache Tomcat 9 | 9.0.97 | 1 |
Autodesk Revit 2022 | 2022.1.8 | 1 |
Brave Browser | 1.71.123 | 2 |
Brave Browser | 1.73.89 | 8 |
Brave Browser | 1.73.91 | 1 |
Datadog Agent | 7.59.0 | 1 |
Notepad++ | 8.7.1 | 1 |
EnterpriseDB Corporation PostgreSQL 12 | 12.21.1 | 4 |
EnterpriseDB Corporation PostgreSQL 13 | 13.17.1 | 4 |
EnterpriseDB Corporation PostgreSQL 14 | 14.14.1 | 4 |
EnterpriseDB Corporation PostgreSQL 15 | 15.9.1 | 4 |
EnterpriseDB Corporation PostgreSQL 16 | 16.5.1 | 4 |
EnterpriseDB Corporation PostgreSQL 17 | 17.1 | 4 |
Google Chrome for Business | 130.0.6723.117 | 2 |
Google Chrome for Business | 131.0.6778.70 | 8 |
Google Chrome for Business | 131.0.6778.86 | 1 |
WebStorm 2024 | 2024.3 | 1 |
Mendix 8 | 8.18.32.47597 | 1 |
Microsoft .NET Runtime 9.0 | 9.0.0 | 2 |
Microsoft .NET SDK 9.0 | 9.0.100 | 2 |
Microsoft 365 Apps | 16.91.24111020 | 7 |
Microsoft 365 Apps | 2410 (Build 16.0.18129.20158) | 8 |
Microsoft 365 Apps | 2409 (Build 16.0.18025.20214) | 8 |
Microsoft ASP.NET Core Runtime 9.0 | 9.0.0 | 2 |
Microsoft ASP.NET Core Runtime Hosting Bundle 9.0 | 9.0.0 | 2 |
Microsoft Azure CLI | 2.66.0 | 5 |
Microsoft Edge for Business | 130.0.2849.80 | 2 |
Microsoft Edge for Business | 131.0.2903.48 | 18 |
Microsoft Edge for Business | 131.0.2903.63 | 2 |
Microsoft Edge for Business | 131.0.2903.70 | 4 |
Microsoft Edge WebDriver | 131.0.2903.70 | 4 |
Microsoft Edge Webview2 Runtime | 131.0.2903.70 | 4 |
Microsoft Visual Studio 2022 Community | 17.12.35506.116 | 3 |
Microsoft Visual Studio 2022 Enterprise | 17.12.35506.116 | 3 |
Microsoft Visual Studio 2022 Enterprise | 17.10.35431.56 | 3 |
Microsoft Visual Studio 2022 Enterprise | 17.6.35430.205 | 3 |
Microsoft Visual Studio 2022 Enterprise | 17.8.35430.204 | 3 |
Microsoft Visual Studio 2022 Professional | 17.12.35506.116 | 3 |
Microsoft Visual Studio 2022 Professional | 17.10.35431.56 | 3 |
Microsoft Visual Studio 2022 Professional | 17.6.35430.205 | 3 |
Microsoft Visual Studio 2022 Professional | 17.8.35430.204 | 3 |
Microsoft Visual Studio Team Explorer 2022 | 17.12.35506.116 | 3 |
Microsoft Windows Desktop Runtime 9.0 | 9.0.0 | 2 |
OpenJDK 17 | 17.0.13.11 | 6 |
Pale Moon | 33.4.1 | 3 |
Mozilla Firefox | 133.0 | 16 |
Mozilla Firefox | 133.0 | 15 |
Mozilla Firefox ESR 115 | 115.18.0 | 2 |
Mozilla Firefox ESR 128 | 128.5.0 | 8 |
Mozilla Firefox ESR 128 | 128.5.0 | 7 |
Mozilla Thunderbird ESR 128 | 128.4.3 | 1 |
Mozilla Thunderbird ESR 128 | 128.5.0 | 8 |
Mozilla Thunderbird ESR 128 | 128.5.0 | 7 |
Electron | 31.7.4 | 3 |
Electron | 31.7.5 | 2 |
Electron | 32.2.3 | 4 |
Electron | 32.2.5 | 2 |
Red Hat OpenJDK | 11.0.25.0.9 | 5 |
Red Hat OpenJDK | 17.0.13.0.11 | 5 |
Red Hat OpenJDK | 21.0.5.0.11 | 5 |
Red Hat OpenJDK | 1.8.4321.6 | 5 |
Red Hat OpenJDK | 1.8.0.422.5 | 6 |
Red Hat OpenJDK | 1.8.0.432.6 | 5 |
Red Hat OpenJDK JRE | 11.0.25.0.9 | 5 |
Red Hat OpenJDK JRE | 17.0.13.0.11 | 5 |
Red Hat OpenJDK JRE | 21.0.5.0.11 | 5 |
Red Hat OpenJDK JRE | 8.0.432 | 5 |
IBM Semeru Runtime Open Edition JDK 11 (LTS) | 11.0.25.9 | 4 |
IBM Semeru Runtime Open Edition JDK 17 (LTS) | 17.0.13.11 | 4 |
IBM Semeru Runtime Open Edition JDK 21 | 21.0.5.11 | 4 |
IBM Semeru Runtime Open Edition JDK 8 (LTS) | 8.0.432.6 | 4 |
IBM Semeru Runtime Open Edition JRE 11 (LTS) | 11.0.25.9 | 4 |
IBM Semeru Runtime Open Edition JRE 17 (LTS) | 17.0.13.11 | 4 |
IBM Semeru Runtime Open Edition JRE 21 | 21.0.5.11 | 4 |
IBM Semeru Runtime Open Edition JRE 8 (LTS) | 8.0.432.6 | 4 |
Camtasia Studio 2022 | 2022.5.7.278 | 1 |
Snagit 2024 | 2024.4.0 | 2 |
Waterfox | 6.5.2 | 8 |
Conclusion
Timely third-party patching remains crucial for maintaining the security and performance of your IT environment. The November 2024 updates addressed several critical vulnerabilities across a range of applications. By prioritizing these patches, you help protect your systems from potential exploits and ensure ongoing operational stability.