Microsoft Ends 2024 with 1 Zero-Day Flaw Fix, 71 CVEs

December's Microsoft patch has arrived, featuring the last security fixes for the year. At a total of 71 Common Vulnerabilities and Exposures (CVEs), it is the third-smallest monthly patch delivery of 2024 (behind January and June).

The good news is the smaller number of items. The bad news is that a zero-day flaw is included in there. IT's top priority should be handling CVE-2024-49138, an elevation of privilege flaw in the Windows Common Log File System that is both publicly disclosed and is being actively attacked. While Microsoft has not provided many details on this flaw, the company said that "an attacker who successfully exploited this vulnerability could gain SYSTEM privileges."

Microsoft said the flaw affects every supported version of Windows and Windows Server, so time is of the essence for getting this patched and protecting your environment.

Once that has been taken care of, it's recommended that IT focus on the 16 items rated "critical." The headline item is CVE-2024-49112, a remote code execution vulnerability in the Windows Lightweight Directory Access Protocol (LDAP). While the flaw has not yet been seen being exploited in the wild, it does carry a severity rating of 9.8 (out of 10), so expect attacks in the near future.

For those unable to update, Microsoft does have a temporary workaround to keep your environment safe: "Ensure that domain controllers are configured either to not access the internet or to not allow inbound RPC from untrusted networks. While either mitigation will protect your system from this vulnerability, applying both configurations provides an effective defense-in-depth against this vulnerability."

Closing Internet access to domain controllers is not just good advice for avoiding exploitation from this specific item, but should be standard operating procedure for IT, according to Tyler Reguly, associate director of Security R&D at global security firm Fortra.

"Microsoft has provided mitigations that are really just proper security hygiene but serve as a good reminder for enterprises," commented Reguly. "Domain controllers should either not access the internet or not allow inbound RPC from untrusted networks. If you are following the DISA STIG for Active Directory Domains, you should already have Finding V-243475 implemented, which states, 'Domain controllers must be blocked from Internet access.'"
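The workaround quoted above and Reguly's reminder both come down to one check: no inbound RPC rule on a domain controller should accept connections from any remote address. The following PowerShell audit is an added illustration, not code from the article, Microsoft or Fortra; it assumes it runs with administrator rights on the domain controller itself, and the trusted subnets are constructed placeholder values.

```powershell
# Added example: find enabled inbound allow rules that expose RPC (the endpoint
# mapper on TCP 135 and the dynamic RPC range) to any remote address, and
# optionally scope them to the trusted networks. Subnets below are constructed.
$trustedNetworks = @('10.0.0.0/8', '192.168.0.0/16')   # constructed example values
$remediate = $false   # set to $true to rewrite the offending rules' RemoteAddress

# Every enabled inbound allow rule whose port filter covers RPC traffic.
$rpcRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and (
            $pf.LocalPort -contains 'RPC' -or
            $pf.LocalPort -contains 'RPCEPMap' -or
            $pf.LocalPort -contains '135' -or
            $pf.LocalPort -contains 'Any')
    }

$exposed = @()
foreach ($rule in $rpcRules) {
    $af = $rule | Get-NetFirewallAddressFilter
    # 'Any' means the rule accepts RPC from untrusted networks, the exposure
    # the CVE-2024-49112 workaround tells administrators to close.
    if ($af.RemoteAddress -contains 'Any') {
        $exposed += $rule
        Write-Warning ("Rule '{0}' allows inbound RPC from any remote address" -f $rule.DisplayName)
        if ($remediate) {
            # Restrict the rule to the trusted subnets instead of disabling it,
            # so legitimate replication and client RPC keep working.
            Set-NetFirewallRule -Name $rule.Name -RemoteAddress $trustedNetworks
        }
    }
}

if ($exposed.Count -eq 0) {
    Write-Output 'No inbound RPC allow rules are open to any remote address.'
} else {
    Write-Output ("{0} rule(s) need scoping to: {1}" -f $exposed.Count, ($trustedNetworks -join ', '))
}
```

The script reports only; blocking outbound internet access from the domain controller, the other half of Microsoft's workaround, is a separate outbound rule or proxy policy and is not covered here.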

An interesting note about this month's batch is that out of the 16 critical bulletins, nine items address remote code execution issues in Windows Remote Desktop Services. The component has been targeted and patched many times over the year, and it remains a favored avenue for attackers seeking access to users' systems.

Here are the remaining six critical items for the month:

  • CVE-2024-49126: Remote code execution vulnerability in Windows Local Security Authority Subsystem Service (LSASS).
  • CVE-2024-49127: Remote code execution vulnerability in Windows Lightweight Directory Access Protocol (LDAP).
  • CVE-2024-49117: Remote code execution vulnerability in Windows Hyper-V.
  • CVE-2024-49122: Remote code execution vulnerability in Microsoft Message Queuing (MSMQ).
  • CVE-2024-49118: Remote code execution vulnerability in Microsoft Message Queuing (MSMQ).
  • CVE-2024-49124: Remote code execution vulnerability in Windows Lightweight Directory Access Protocol (LDAP).

The full list of this month's bulletins can be found here.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
