December Patch Tuesday shuts down Windows zero-day
Microsoft addresses 72 vulnerabilities, including 17 rated critical. Administrators should focus on patching the Windows OS to stop a flaw that has been exploited in the wild.
Any admins who were hoping to knock off early for the holidays will have to first deal with a Windows zero-day that affects all supported server and client systems.
In total, Microsoft delivered 72 new CVEs and revised five older ones for a total of 77. In terms of severity level, 17 were critical, 54 were important and one was moderate. Of the new CVEs, more than 70% affect the Windows OS with the rest in Microsoft Office, SharePoint Server, Hyper-V, Defender for Endpoint, System Center Operations Manager and one developer tool related to an AI music project.
Microsoft also issued a Microsoft Office defense-in-depth advisory to improve security for the 32- and 64-bit versions of Microsoft Project 2016.
Windows zero-day hits server and client systems
Admins will want to focus their patching priority on the Windows OS to eradicate a Windows zero-day that affects all supported desktop and server systems.
CVE-2024-49138 is a Windows Common Log File System Driver elevation-of-privilege vulnerability rated important. Microsoft confirmed the bug was publicly disclosed and had been detected in the wild.
"With risk-based prioritization, admins should treat this as critical. This is a big one," said Chris Goettl, vice president of product management for security products at Ivanti.
The CVE carries a CVSS score of 7.8. The attacker must already be able to run code locally on the device, for example by tricking a user into opening a malicious document, to exploit the vulnerability. If successful, the attacker could gain SYSTEM-level privileges and full control of the device.
Other security updates of note for December Patch Tuesday
A critical remote-code execution vulnerability (CVE-2024-49112) in the Windows Lightweight Directory Access Protocol (LDAP) has this month's highest CVSS score of 9.8 and affects Windows Server and desktop systems.
LDAP is the protocol Active Directory uses to perform several functions, including user authentication and authorization. The attacker needs network access to attempt an exploit by sending a specially crafted LDAP request to a vulnerable system. If successful, they can access sensitive information, modify protected files or crash the system.
"Ensure that domain controllers are configured either to not access the internet or to not allow inbound [Remote Procedure Calls] from untrusted networks. While either mitigation will protect your system from this vulnerability, applying both configurations provides an effective defense-in-depth against this vulnerability," Microsoft wrote in the CVE notes.
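One way to apply the "no inbound RPC from untrusted networks" half of that mitigation, shown here as an added PowerShell example that is not from the article or from Microsoft: it finds the domain controller's enabled inbound allow rules that listen on the RPC endpoint mapper (TCP 135) or the dynamic RPC port range and scopes them to a list of trusted subnets, so RPC traffic from anywhere else falls through to the profile's default inbound action. The subnet list and the function names are assumptions; the cmdlets are the built-in NetSecurity module. Review the audit output before applying the change, because any domain member, replication partner or admin workstation missing from the trusted list will lose RPC access to the DC.

```powershell
# Added example, not the article's or Microsoft's code. Run in an elevated
# PowerShell session on the domain controller.
# Assumption: these CIDR ranges are your internal address space.
$TrustedNetworks = @('10.0.0.0/8', '192.168.0.0/16')

function Get-InboundRpcRule {
    # Enabled inbound allow rules whose local port is the RPC endpoint mapper
    # ('RPC-EPMap', TCP 135) or the dynamic RPC range ('RPC').
    Get-NetFirewallPortFilter |
        Where-Object { $_.LocalPort -contains 'RPC' -or $_.LocalPort -contains 'RPC-EPMap' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
}

function Show-InboundRpcExposure {
    # Audit step: report each matching rule with the remote addresses it accepts.
    # 'Any' means the rule currently admits RPC from every network.
    foreach ($rule in Get-InboundRpcRule) {
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        [pscustomobject]@{
            Name          = $rule.DisplayName
            Profile       = $rule.Profile
            RemoteAddress = $remote
        }
    }
}

function Set-InboundRpcRuleScope {
    param([string[]]$RemoteAddress = $TrustedNetworks)
    # Enforcement step: restrict the allow rules to the trusted subnets. With the
    # profile's default inbound action left at Block, RPC from other sources is dropped.
    Get-InboundRpcRule | Set-NetFirewallRule -RemoteAddress $RemoteAddress
}

Show-InboundRpcExposure | Format-Table -AutoSize
# Set-InboundRpcRuleScope   # uncomment once the audit output looks right
```

Two caveats a practitioner would check: this scopes only rules keyed on the RPC port filters, so RPC carried over SMB named pipes (TCP 445) must be scoped the same way, and it assumes the firewall profile's default inbound action is still Block. The other half of Microsoft's advice, keeping the DC off the internet, is a routing, proxy and egress-filtering decision rather than a host firewall rule and is not shown here.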
A System Center Operations Manager (SCOM) elevation-of-privilege vulnerability (CVE-2024-43594) is rated important with a CVSS 7.3 score for SCOM 2019, 2022 and 2025 systems.
Microsoft rates exploitation as "less likely" because a successful attack has complex requirements, such as placing a malicious file in the target environment and then relying on user interaction. If the exploit succeeds, the attacker could take over the system to access sensitive information, change settings and launch further attacks.
CVE-2024-49063 is a remote-code execution vulnerability rated important in Muzic, a music-related AI research project on GitHub. Muzic uses deep learning and AI for music analysis and generation. If an attacker exploits the vulnerability, they can run malicious code on the system.
"Your development team has to remediate by taking the latest version from the project and updating the environment," said Goettl.
He said this vulnerability shows how enterprises must understand how AI and machine learning projects expand the organization's attack surface. As these technologies grow more pervasive, the IT and security teams need to stay ahead of the curve and watch for vulnerabilities in third-party and research initiatives that may invite security risks to their organizations.
Goettl said in the coming year AI will be used increasingly by security researchers, which could cause a perfect storm of a more frenetic disclosure rate that outstrips the ability of vendors to produce patches quickly -- which will draw unwanted attention from threat actors. The result is organizations will need to find ways to deploy patches as soon as they are available.
"Both sides will find new exploits faster, so you can expect the zero-day count is going to increase and the urgency on zero-day response is likewise going to increase," he said.
Testing for Windows 11 hotpatching arrives
One issue with regular patching is it typically interrupts the user, forcing them to stop working and restart the machine. Microsoft has touted its hotpatching capabilities in its latest Windows Server versions and last month announced it is extending this feature to Windows 11.
In November, Microsoft unveiled an early access program for hotpatch updates for Windows 11 Enterprise version 24H2. This feature reduces the number of reboots required when applying security updates.
Under the Windows 11 hotpatch quarterly model, a reboot is required only for the cumulative update in the first month of each quarter; the hotpatch updates in the other two months install without a restart.
Customers will need a subscription, such as Windows Enterprise E3/E5 or Windows 365 Enterprise and patch management from Intune and Windows Autopatch, to use this hotpatch feature.
Tom Walat is the site editor for TechTarget Editorial's Windows Server site, where he manages all site content. Walat previously worked for a newspaper in the Greater Boston area.