• For November, Patch Tuesday includes three Windows zero-day fixes
    www.computerworld.com
    Microsoft's November Patch Tuesday release addresses 89 vulnerabilities in Windows, SQL Server, .NET and Microsoft Office and three zero-day vulnerabilities (CVE-2024-43451, CVE-2024-49019 and CVE-2024-49039) that mean a "patch now" recommendation for Windows platforms. Unusually, there are a significant number of patch re-releases that might also require administrator attention.

    The team at Readiness has provided this infographic outlining the risks associated with each of the updates for this cycle. (For a rundown of recent Patch Tuesday updates, see Computerworld's round-up here.)

    Known issues

    There were a few reported issues for the September update that have been addressed now, including:

    - Enterprise customers are reporting issues with the SSH service failing to start on updated Windows 11 24H2 machines. Microsoft recommended updating the file/directory level permissions on the SSH program directories (remember to include the log files). You can read more about this official workaround here.
    - It looks like we are entering a new age of ARM compatibility challenges for Microsoft. However, before we get ahead of ourselves, we really need to sort out the (three-month-old) Roblox issue.

    Major revisions

    This Patch Tuesday includes the following major revisions:

    - CVE-2013-390: WinVerifyTrust Signature Validation Vulnerability. This update was originally published in 2013 via TechNet. It is now made available and is applicable to Windows 10 and 11 users due to a recent change in the EnableCertPaddingCheck Windows API call. We highly recommend a review of this CVE and its associated Q&A documentation. Remember: if you must set your values in the registry, ensure that they are type DWORD, not REG_SZ.
    - CVE-2024-49040: Microsoft Exchange Server Spoofing Vulnerability. When Microsoft updates a CVE (twice) in the same week, and the vulnerability has been publicly disclosed, it's time to pay attention. Before you apply this Exchange Server update, we highly recommend a review of the reported header detection issues and mitigating factors.
    - And unusually, we have three kernel mode updates (CVE-2024-43511, CVE-2024-43516 and CVE-2024-43528) that were re-released in October and updated this month. These security vulnerabilities exploit a race condition in Microsoft's Virtualization Based Security (VBS). It's worth a review of the mitigating strategies while you thoroughly test these low-level kernel patches.

    Testing guidance

    Each month, the Readiness team analyzes the latest Patch Tuesday updates and provides detailed, actionable testing guidance based on a large application portfolio and a detailed analysis of the patches and their potential impact on Windows platforms and application installations.

    For this release cycle, we have grouped the critical updates and required testing efforts into separate product and functional areas, including:

    Networking:
    - Test end-to-end VPN, Wi-Fi, sharing and Bluetooth scenarios.
    - Test out HTTP clients over SSL.
    - Ensure internet shortcut files (ICS) display correctly.

    Security/crypto:
    - After installing the November update on your Certificate Authority (CA) servers, ensure that enrollment and renewal of certificates perform as expected.
    - Test Windows Defender Application Control (WDAC) and ensure that line-of-business apps are not blocked. Ensure that WDAC functions as expected on your Virtual Machines (VM).

    Filesystem and logging:
    - The NTFileCopyChunk API was updated and will require internal application testing if directly employed. Test the validity of your parameters and issues relating to directory notification.

    I cannot claim to have any nostalgia for dial-up internet access (though I do have a certain Pavlovian response to the dial-up handshake sound). For those who are still using this approach to access the internet, the November update to the TAPI API has you in mind. A quick (haha) test is required to ensure you can still connect to the internet via dial-up once you update your system.

    Windows lifecycle and enforcement updates

    There were no product or security enforcements this cycle. However, we do have the following Microsoft products reaching their respective end of servicing terms:

    - Oct. 8, 2024: Windows 11 Enterprise and Education, Version 21H2; Windows 11 Home and Pro, Version 22H2; Windows 11 IoT Enterprise, Version 21H2.
    - Oct. 9, 2024: Microsoft Project 2024 (LTSC).

    Mitigations and workarounds

    Microsoft published the following mitigations applicable to this Patch Tuesday.

    CVE-2024-49019: Active Directory Certificate Services Elevation of Privilege Vulnerability. As this vulnerability has been publicly disclosed, we need to take it seriously. Microsoft has offered some mitigation strategies during the update/testing/deployment for most enterprises that include:

    - Remove overly broad enroll or auto-enroll permissions.
    - Remove unused templates from certification authorities.
    - Secure templates that allow you to specify the subject in the request.

    As most enterprises employ Microsoft Active Directory, we highly recommend a review of this knowledge note from Microsoft.

    Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

    - Browsers (Microsoft IE and Edge);
    - Microsoft Windows (both desktop and server);
    - Microsoft Office;
    - Microsoft Exchange Server;
    - Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);
    - Adobe (if you get this far).

    Browsers

    Microsoft released a single update specific to Microsoft Edge (CVE-2024-49025), and two updates for the Chromium engine that underpins the browser (CVE-2024-10826 and CVE-2024-10827). There's a brief note on the browser update here. We recommend adding these low-profile browser updates to your standard release schedule.

    Windows

    Microsoft released two patches (CVE-2024-43625 and CVE-2024-43639) with a critical rating and another 35 patches rated as important. This month the following key Windows features have been updated:

    - Windows Update Stack (note: installer rollbacks may be an issue);
    - NT OS, Secure Kernel and GDI;
    - Microsoft Hyper-V;
    - Networking, SMB and DNS;
    - Windows Kerberos.

    Unfortunately, these Windows updates have been publicly disclosed or reported as exploited in the wild, making them zero-day problems:

    - CVE-2024-43451: NTLM Hash Disclosure Spoofing Vulnerability.
    - CVE-2024-49019: Active Directory Certificate Services Elevation of Privilege.
    - CVE-2024-49039: Windows Task Scheduler Elevation of Privilege Vulnerability.

    Add these Windows updates to your "Patch Now" release cadence.

    Microsoft Office

    Microsoft pushed out six Microsoft Office updates (all rated important) that affect SharePoint, Word and Excel. None of these reported vulnerabilities involve remote access or preview pane issues, and none have been publicly disclosed or exploited in the wild. Add these updates to your standard release schedule.

    Microsoft SQL (nee Exchange) Server

    You want updates to Microsoft SQL Server? We got 'em: 31 patches to the SQL Server Native Client this month. That's a lot of patches, even for a complex product like Microsoft SQL Server. These updates appear to be the result of a major clean-up effort from Microsoft addressing the following reported security vulnerabilities:

    - CWE-122: Heap-based Buffer Overflow
    - CWE-416: Use After Free

    The vast majority of these SQL Server Native Client updates address the CWE-122-related buffer overflow issues. Note: these patches update the SQL Native Client, so this is a desktop, not a server, update. Crafting a testing profile for this one is a tough call. No new features have been added, and no high-risk areas have been patched. However, many internal line-of-business applications rely on these SQL client features. We recommend that your core business applications be tested before this SQL update; otherwise, add it to your standard release schedule.

    Boot note: remember that there is a major revision to CVE-2024-49040; this could affect the SQL Server server side of things.

    Microsoft development platforms

    Microsoft released one critical-rated update (CVE-2024-43498) and three updates rated as important for Microsoft .NET 9 and Visual Studio 2022. These are pretty low-risk security vulnerabilities and very specific to these versions of the development platforms. They should present a reduced testing profile. Add these updates to your standard developer schedule this month.

    Adobe Reader (and other third-party updates)

    Microsoft did not publish any Adobe Reader-related updates this month. The company released three non-Microsoft CVEs covering Google Chrome and SSH (CVE-2024-5535). Given the update to Windows Defender (as a result of the SSH issue), Microsoft also published a list of Defender vulnerabilities and weaknesses that might assist with your deployments.
  • The EU seeks proposals for AI that should be banned
    www.computerworld.com
    The EU, which is now developing guidelines for how the region's new AI law must be complied with, has started collecting opinions in two areas via an online survey.

    The first area involves how the law should define AI systems (compared to traditional software). Here, the EU wants to hear from people in the AI industry, companies, academics and civil society. The second area concerns when the use of AI should be prohibited. The EU wants detailed feedback on each prohibited use and is particularly interested in practical examples.

    Points will be collected using the survey until Dec. 11, and the European Commission expects to publish guidelines regarding the definition of AI systems and any prohibited uses in early 2025.
  • Why the term "women of childbearing age" is problematic
    www.technologyreview.com
    This article first appeared in The Checkup, MIT Technology Review's weekly biotech newsletter. To receive it in your inbox every Thursday, and read articles like this first, sign up here.

    Every journalist has favorite topics. Regular Checkup readers might already know some of mine, which include the quest to delay or reverse human aging, and new technologies for reproductive health and fertility. So when I saw trailers for The Substance, a film centered on one middle-aged woman's attempt to reexperience youth, I had to watch it.

    I won't spoil the movie for anyone who hasn't seen it yet (although I should warn that it is not for the squeamish, or anyone with an aversion to gratuitous close-ups of bums and nipples). But a key premise of the film involves harmful attitudes toward female aging.

    "Hey, did you know that a woman's fertility starts to decrease by the age of 25?" a powerful male character asks early in the film. "At 50, it just stops," he later adds. He never explains what stops, exactly, but to the viewer the message is pretty clear: If you're a woman, your worth is tied to your fertility. Once your fertile window is over, so are you.

    The insidious idea that women's bodies are, above all else, vessels for growing children has plenty of negative consequences for us all. But it has also set back scientific research and health policy.

    Earlier this week, I chatted about this with Alana Cattapan, a political scientist at the University of Waterloo in Ontario, Canada. Cattapan has been exploring the concept of "women of reproductive age," a descriptor that is ubiquitous in health research and policy.

    The idea for the research project came to her when the Zika virus was making headlines around eight years ago. "I was planning on going to the Caribbean for a trip related to my partner's research, and I kept getting advice that women of reproductive age shouldn't go," she told me. At the time, Zika was being linked to microcephaly (unusually small heads) in newborn babies. It was thought that the virus was affecting key stages of fetal development.

    Cattapan wasn't pregnant. And she wasn't planning on becoming pregnant at the time. So why was she being advised to stay away from areas with the virus?

    The experience got her thinking about the ways in which attitudes toward our bodies are governed by the idea of potential pregnancy. Take, for example, biomedical research on the causes and treatment of disease. Women's health has lagged behind men's as a focus of such work, for multiple reasons. Male bodies have long been considered the default human form, for example. And clinical trials have historically been designed in ways that make them less accessible for women.

    Fears about the potential effects of drugs on fetuses have also played a significant role in keeping people who have the potential to become pregnant out of studies. "Scientific research has excluded women of reproductive age, or women who might potentially conceive, in a blanket way," says Cattapan. "The research that we have on many, many drugs does not include women and certainly doesn't include women in pregnancy."

    This lack of research goes some way to explaining why women are much more likely to experience side effects from drugs, some of them fatal. Over the last couple of decades, greater effort has been made to include people with ovaries and uteruses in clinical research. But we still have a long way to go.

    Women are also often subjected to medical advice designed to protect a potential fetus, whether they are pregnant or not. Official guidelines on how much mercury-containing fish it is safe to eat can be different for "women of childbearing age," according to the US Environmental Protection Agency, for example. And in 2021, the World Health Organization used the same language to describe people who should be a focus of policies to reduce alcohol consumption.

    "The takeaway message is that it's women who should be thinking about fetal health," says Cattapan. Not the industries producing these chemicals or the agencies that regulate them. Not even the men who contribute to a pregnancy. Just women who stand a chance of getting pregnant, whether they intend to or not. "It puts the onus of the health of future generations squarely on the shoulders of women," she says.

    Another problem is the language itself. The term "women of reproductive age" typically includes women between 15 and 44. Women at one end of that spectrum will have very different bodies and a very different set of health risks from those at the other. And the term doesn't account for people who might be able to get pregnant but don't necessarily identify as female.

    In other cases it is overly broad. In the context of the Zika virus, for example, it was not all women between the ages of 15 and 44 who should have considered taking precautions. The travel advice didn't apply to people who'd had hysterectomies or did not have sex with men, for example, says Cattapan. Precision here matters, she says.

    More nuanced health advice would be helpful in cases like these. "Guidelines often read as though they're written for people assumed to be stupid," she adds. "I don't think that needs to be the case."

    Another thing

    On Thursday, president-elect Donald Trump said that he will nominate Robert F. Kennedy Jr. to lead the US Department of Health and Human Services. The news was not entirely a surprise, given that Trump had told an audience at a campaign rally that he would let Kennedy "go wild on health, the foods, and the medicines."

    The role would give Kennedy some control over multiple agencies, including the Food and Drug Administration, which regulates medicines in the US, and the Centers for Disease Control and Prevention, which coordinates public health advice and programs.

    That's extremely concerning to scientists, doctors, and health researchers, given Kennedy's positions on evidence-based medicine, including his antivaccine stance. A few weeks ago, in a post on X, he referred to the FDA's "aggressive suppression of psychedelics, peptides, stem cells, raw milk, hyperbaric therapies, chelating compounds, ivermectin, hydroxychloroquine, vitamins, clean foods, sunshine, exercise, nutraceuticals and anything else that advances human health and can't be patented by Pharma."

    "If you work for the FDA and are part of this corrupt system, I have two messages for you," continued the post. "1. Preserve your records, and 2. Pack your bags."

    There's a lot to unpack here. But briefly, we don't yet have good evidence that mind-altering psychedelic drugs are the mental-health cure-alls some claim they are. There's not enough evidence to support the many unapproved stem-cell treatments sold by clinics throughout the US and beyond, either. These treatments can be dangerous.

    Health agencies are currently warning against the consumption of raw unpasteurized milk, because it might carry the bird flu virus that has been circulating in US dairy farms. And it's far too simplistic to lump all vitamins together; some might be of benefit to some people, but not everyone needs supplements, and high doses can be harmful.

    Kennedy's 2021 book The Real Anthony Fauci has already helped spread misinformation about AIDS. Here at MIT Technology Review, we'll continue our work reporting on whatever comes next. Watch this space.

    Now read the rest of The Checkup

    Read more from MIT Technology Review's archive

    - The tech industry has a gender problem, as the Gamergate and various #MeToo scandals made clear. A new generation of activists is hoping to remedy it.
    - Male and female immune systems work differently. Which is another reason why it's vital to study both women and female animals as well as males.
    - Both of the above articles were published in the Gender issue of MIT Technology Review magazine. You can read more from that issue online here.
    - Women are more likely to receive abuse online. My colleague Charlotte Jee spoke to the technologists working on an alternative way to interact online: a feminist internet.

    From around the web

    - The scientific community and biopharma investors are reacting to the news of Robert F. Kennedy Jr.'s nomination to lead the Department of Health and Human Services. "It's hard to see HHS functioning," said one biotech analyst. (STAT)
    - Virologist Beata Halassy successfully treated her own breast cancer with viruses she grew in the lab. She has no regrets. (Nature)
    - Could diet influence the growth of endometriosis lesions? Potentially, according to research in mice fed high-fat, low-fiber Western diets. (BMC Medicine)
    - Last week, 43 female rhesus macaque monkeys escaped from a lab in South Carolina. The animals may have a legal claim to freedom. (Vox)
  • The Download: diversifying AI voices, and a science-fiction glimpse into the future
    www.technologyreview.com
    This is today's edition of The Download, our weekday newsletter that provides a daily dose of what's going on in the world of technology.

    How this grassroots effort could make AI voices more diverse

    We are on the cusp of a voice AI boom, as tech companies roll out the next generation of artificial-intelligence-powered assistants. But the default voices for these assistants are often white American (British, if you're lucky) and most definitely speak English. And if you're one of the billions of people who don't speak English, bad luck: These tools don't sound nearly as good in other languages.

    This is because the data that has gone into training these models is limited. In AI research, most data used to train models is extracted from the English-language internet, which reflects Anglo-American culture. But there is a massive grassroots effort underway to change this status quo and bring more transparency and diversity to what AI sounds like. Read the full story.

    Melissa Heikkilä

    Azalea: a science-fiction story

    Fancy something fiction to read this weekend? If you enjoy sci-fi, check out this story written by Paolo Bacigalupi, featured in the latest edition of our print magazine. It imagines a future shaped by climate change; read it for yourself here.

    The must-reads

    I've combed the internet to find you today's most fun/important/scary/fascinating stories about technology.

    1 Cruise has admitted to falsifying a crash report
    The report failed to mention that its robotaxi dragged a pedestrian after striking her. (San Francisco Chronicle)
    + The firm has been fined $500,000 to resolve the criminal charges. (WP $)

    2 The US plans to investigate Microsoft's cloud business
    As the Biden administration prepares to hand over power to Donald Trump's team. (FT $)

    3 Silicon Valley hates regulation. So does Trump.
    AI and energy ventures could be the first to prosper under lighter-touch governance. (WP $)
    + Peter Thiel claims the tech industry is fed up with "wokeness." (Insider $)

    4 Elon Musk's cost-cutting team will be working 80+ hours a week
    And you'll need to subscribe to X to apply. (WSJ $)
    + As if that wasn't appealing enough, the positions are also unpaid. (NBC News)
    + The lucky workers can expect a whole lot of meetings. (Bloomberg $)

    5 The trolls are in charge now
    And it's increasingly unclear what's a joke and what's an actual threat. (The Atlantic $)
    + It's possible, but not guaranteed, that Trump's more controversial cabinet picks will be defeated in the Senate. (New Yorker $)

    6 How to keep abortion plans private in the age of Trump
    Reproductive rights are under threat. Here's how to protect them. (The Markup)

    7 The first mechanical qubit is here
    And mechanical quantum computers could be the first to benefit. (IEEE Spectrum)
    + Quantum computing is taking on its biggest challenge: noise. (MIT Technology Review)

    8 Can Bluesky recapture the old Twitter's magic?
    No algorithms, no interfering billionaires. (Vox)
    + More than one million new users joined the platform earlier this week. (TechCrunch)

    9 Weight-loss drugs could help to treat chronic pain
    And could present a safer alternative to opioids. (New Scientist $)
    + Weight-loss injections have taken over the internet. But what does this mean for people IRL? (MIT Technology Review)

    10 These are the most expensive photographs ever taken
    The first human-taken pictures from space are truly awe-inspiring. (The Guardian)

    Quote of the day

    "It feels like it's a platform for and by real people."

    US politician Alexandria Ocasio-Cortez tells the Washington Post about the appeal of Bluesky as users join the social network after abandoning X.

    The big story

    How environmental DNA is giving scientists a new way to understand our world

    February 2024

    Environmental DNA is a relatively inexpensive, widespread, potentially automated way to observe the diversity and distribution of life. Unlike previous techniques, which could identify DNA from, say, a single organism, the method also collects the swirling cloud of other genetic material that surrounds it. It can serve as a surveillance tool, offering researchers a means of detecting the seemingly undetectable.

    By sampling eDNA, or mixtures of genetic material in water, soil, ice cores, cotton swabs, or practically any environment imaginable, even thin air, it is now possible to search for a specific organism or assemble a snapshot of all the organisms in a given place.

    It offers a thrilling and potentially chilling way to collect information about organisms, including humans, as they go about their everyday business. Read the full story.

    Peter Andrey Smith

    We can still have nice things

    A place for comfort, fun and distraction to brighten up your day. (Got any ideas? Drop me a line or tweet 'em at me.)

    + Smells like punk spirit.
    + If you've been feeling creaky lately (and who hasn't), give these mobility exercises a go.
    + Talk about a glow up: these beautiful locations really do emanate light.
    + It's the truly chilling collab we never knew we needed: Bon Jovi has joined forces with Mr Worldwide himself, Pitbull.
  • How to use the Apple Maps Library feature in iOS 18
    appleinsider.com
    Apple's iOS 18 update includes a Maps Library feature for all of your saved and pinned locations to live in, making them easier to find later. Here's how to use it on your iPhone.

    iOS 18 adds a new Library feature to the iPhone's Apple Maps app.

    Adding new locations to the new iOS 18 Apple Maps library is easy, and iPhone owners will be able to do so in a couple of different ways. We're going to run you through both so that you can make the most out of an Apple Maps feature that will make it easier and quicker than ever to get to where you want to go.
  • Apple pulls US-funded Radio Free Europe app from Russia
    appleinsider.com
    The Radio Free Europe/Radio Liberty news app has been removed from the App Store in Russia, in another case of the state mandating what apps are allowed.

    The App Store is a powerful digital ecosystem.

    The move comes less than a month after the Russian authorities had Apple remove Current Time, the independent media service and website run by the same Radio Free Europe/Radio Liberty (RFE/RL) organization. According to RFE/RL, Apple notified the organization of the app's removal following a request by Russian media regulator Roskomnadzor.

    In that previous case, Roskomnadzor is reported to have told Apple that the app contained "undesirable" material. This time, the regulator is said to have used the same word to describe RFE/RL's overall activities within Russia.
  • Brutalist House, Mexico City property - e-architect
    www.facebook.com
    Designed by Arroyo Solis Agraz in Mexico City, the Brutalist House is a bold composition, creating strong contrast of light and shadow in its interior and exterior spaces.
    https://www.e-architect.com/mexico/brutalist-house-mexico-city-property
    #mexicocity #brutalistarchitecture #brutalistdesign #house
  • Casa de Zanotta, Hefei, China property - e-architect
    www.facebook.com
    Casa de Zanotta, by HAS in Hefei, China, has great emphasis placed upon calm, soothing interior spaces which contrast the city's busy streets.
    https://www.e-architect.com/china/casa-de-zanotta-hefei-china-property
    #China #calming #soothing #interiorspaces #architecture
  • The 2024 Residential Architect Design Awards Competition Has Launched!
    www.facebook.com
    Exciting News! ARCHITECT Magazine's 2024 Residential Architect Design Awards are now accepting submissions. Showcase your talent and creativity in residential design by entering your project before January 7, 2025! This year's categories include custom homes, affordable housing, and a unique "Fireplace" category, sponsored by Hearth & Home. Winners in this category will receive a trip to the International Builders Show in Las Vegas! Don't miss this chance to elevate your work and gain industry recognition. Early entry deadline: December 1, 2024. Visit https://bit.ly/4fvgo64 to learn more and submit your entry! #RADA2024 #Architecture #DesignAwards #ResidentialDesign
    https://bit.ly/40KrFuX
    ARCHITECT's annual program celebrating the best residential designs will now accept entries through Tuesday, January 7, 2025.
  • Journey to the Edge of Art: Inside Billionaire David Walsh's Ultimate Art Cave
    www.facebook.com
    Journey to the Edge of Art in Tasmania! If you're looking for an unforgettable art experience, MONA in Tasmania is the place. Created by David Walsh, this museum offers a surreal journey blending ancient artifacts with modern art installations, all set in an underground cliffside labyrinth. From breathtaking light shows to provocative installations, MONA is like nothing else. Who's ready for an adventure?
    #MONA #ArtMuseum #TasmaniaTravel #DavidWalsh #ArtLovers #ExploreTasmania #BucketListArt
    In Tasmania's surreal art haven, MONA redefines the museum experience, blending ancient echoes with avant-garde creations in a labyrinth of raw stone and vivid dreams.