Microsoft’s December Patch Tuesday update, the last one of 2024, addresses a massive number of vulnerabilities, including 71 newly identified flaws across various products.
As part of the regular December Patch Tuesday, Microsoft has responded to a number of critical security issues, several of which have been actively exploited in the wild. Notable among the vulnerabilities patched this month is CVE-2024-49138, a zero-day flaw in the Windows Common Log File System (CLFS) driver
2024 has been a milestone year for Microsoft in terms of the number of vulnerabilities addressed. With a total of 1,009 Common Vulnerabilities and Exposures (CVEs) patched throughout the year, this marks the maximum number of vulnerabilities addressed. Although Microsoft has not yet surpassed its record of 1,245 CVEs patched in 2020, 2024 is only the second year in Patch Tuesday history where the company has exceeded the 1,000 mark.
Overview of Microsoft Patch Tuesday December 2024
The latest data highlights that nearly 40% of the vulnerabilities fixed in 2024 were remote code execution (RCE) flaws, while 29% were elevation of privilege vulnerabilities, and 10% were denial of service issues. According to the advisory, a majority of these vulnerabilities were rated as “important,” with a smaller portion categorized as “critical.”
In its December Patch Tuesday update, Microsoft addressed a broad spectrum of vulnerabilities, including 27 elevation of privilege issues, 30 remote code execution flaws, 7 information disclosure vulnerabilities, 5 denial of service bugs, and 1 spoofing vulnerability. Among these, CVE-2024-49138 stands out as the most critical and urgent, particularly due to its exploitation in the wild.
CVE-2024-49138: A Zero-Day Elevation of Privilege Flaw
CVE-2024-49138, an elevation of privilege vulnerability in the Windows CLFS driver, is the most notable issue addressed this month. This flaw has been actively exploited as a zero-day, meaning attackers were leveraging it before Microsoft issued a fix. The vulnerability is particularly malicious due to its potential for granting SYSTEM-level privileges to an attacker. The CLFS driver is a critical component of the Windows operating system, used for general-purpose logging by both user-mode and kernel-mode software.
The flaw is classified as a heap-based buffer overflow (CWE-122), a common type of vulnerability that can lead to crashes, denial of service, or even remote code execution. CVE-2024-49138 is the ninth CLFS-related vulnerability patched this year and the first to be actively exploited in the wild. Microsoft has rated this issue as “important,” with a CVSSv3 score of 7.8.
In his analysis of this vulnerability, Satnam Narang, Senior Staff Research Engineer at Tenable, remarked, “In its final Patch Tuesday of 2024, Microsoft addressed CVE-2024-49138, an elevation of privilege zero-day in the Windows CLFS Driver, which is the lone flaw in this month’s release with the ‘exploited’ label.” Narang noted that ransomware operators have been particularly focused on exploiting CLFS vulnerabilities in recent years. These vulnerabilities enable them to move laterally across networks, stealing data, encrypting files, and extorting victims.
CVE-2024-49070: A Remote Code Execution Vulnerability in Microsoft SharePoint
Another issue patched this month is CVE-2024-49070, a remote code execution vulnerability affecting Microsoft SharePoint. This vulnerability has been assigned a CVSSv3 score of 7.4 and is rated as “important.” Successful exploitation of this vulnerability requires high complexity, as the attacker needs to prepare the target to ensure exploit reliability. Despite this, Microsoft assessed the exploitability of this flaw as “More Likely.”
Additionally, Microsoft addressed other vulnerabilities in SharePoint, including two information disclosure flaws (CVE-2024-49062, CVE-2024-49064) and another elevation of privilege issue (CVE-2024-49068).
CVE-2024-49118 and CVE-2024-49122: Critical RCE Vulnerabilities in Microsoft Message Queuing
Two other critical vulnerabilities patched in December’s release affect Microsoft Message Queuing (MSMQ). Both CVE-2024-49118 and CVE-2024-49122 are remote code execution flaws with a CVSSv3 score of 8.1, rated as “critical.” These flaws require an attacker to exploit a race condition, but the exploitation is not always easy to achieve, as it depends on specific operations that occur infrequently. These vulnerabilities bring the total number of RCE flaws affecting MSMQ to six, with previous patches issued earlier in the year for related vulnerabilities.
Several critical vulnerabilities were also addressed in Windows Remote Desktop Services, including CVE-2024-49106, CVE-2024-49108, and others. These flaws are remote code execution vulnerabilities that could allow an attacker to exploit a race condition and create a use-after-free scenario, leading to arbitrary code execution.
The Bigger Picture: Ransomware and Exploits in 2024
In 2024, Microsoft has patched a total of 22 zero-day vulnerabilities, many of which have been actively exploited by threat actors. Narang highlighted that nearly 40% of these were remote code execution flaws, denoting the growing risks of RCE vulnerabilities. Ransomware operators, in particular, have developed a penchant for exploiting elevation of privilege flaws, such as those in the CLFS driver, to escalate their privileges and execute their attacks more effectively.
The December 2024 Patch Tuesday marks an important update from Microsoft, addressing a range of security vulnerabilities that could have serious implications for users and organizations alike. From zero-day exploits like CVE-2024-49138 to critical vulnerabilities in Microsoft SharePoint and Remote Desktop Services, this month’s patching efforts highlights the ongoing efforts by cybersecurity professionals.
