This year, cybersecurity professionals must be on Santa’s nice list, or, at the very least, Microsoft’s. While not the smallest December Patch Tuesday we’ve ever had, this month brings only 72 CVEs, just one of which has been publicly disclosed and exploited, and just one of which scores above CVSS 9.0.
The only publicly disclosed and exploited vulnerability in this patch drop is CVE-2024-49138 in the Windows Common Log File System (CLFS) driver, which is unsurprising given that CLFS has had a total of 8 vulnerabilities patched this year. That is, however, an improvement for Microsoft, which patched 12 CLFS vulnerabilities in 2022 and 10 in 2023.
This vulnerability, like most CLFS vulnerabilities, is an elevation of privilege that could allow a successful attacker to gain SYSTEM level permissions.
There’s only one vulnerability rated above CVSS 9.0 this month, and it is a 9.8. The vulnerability, CVE-2024-49112, affects the Windows Lightweight Directory Access Protocol (LDAP) service and could allow an unauthenticated, remote attacker to execute arbitrary code in the context of that service, which is why it warrants such a high CVSS score.
Microsoft has provided mitigations that are really just proper security hygiene but serve as a good reminder for enterprises: domain controllers should either not access the internet or not allow inbound RPC from untrusted networks. If you are following the DISA STIG for Active Directory Domains, you should already have Finding V-243475 implemented, which states, “Domain controllers must be blocked from Internet access.”
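As an added example (not from the original post or from Microsoft’s advisory), the following PowerShell puts both halves of that mitigation into Windows Defender Firewall on a domain controller: it narrows the built-in Active Directory RPC rules from Any to your trusted networks and switches outbound traffic to default-deny with an allow for those same networks. The two address ranges are assumed placeholders for your own internal networks, and the rule group name is the one Windows Server ships; adjust both before running this in a lab.

```powershell
# Added example, not from the original post: restrict a domain controller's
# inbound RPC exposure and block its outbound Internet access with the
# Windows Defender Firewall cmdlets. Run elevated on the DC, in a lab first.
# ASSUMPTION: these ranges stand in for your trusted internal networks.
$TrustedNets = @('10.0.0.0/8', '192.168.0.0/16')

# 1. Inbound RPC: the built-in "Active Directory Domain Services" rules for the
#    RPC endpoint mapper (TCP 135) and the dynamic RPC range accept traffic from
#    Any. Re-scope only those rules so RPC is reachable from trusted ranges only.
$rpcRules = Get-NetFirewallRule -DisplayGroup 'Active Directory Domain Services' -Direction Inbound |
    Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -in @('RPC', 'RPC-EPMap') } |
    Get-NetFirewallRule
$rpcRules | Set-NetFirewallRule -RemoteAddress $TrustedNets

# 2. Outbound: deny by default, then allow only the trusted ranges, so the DC
#    cannot initiate connections to the Internet (DISA STIG V-243475).
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName 'DC - Allow outbound to trusted networks' `
    -Direction Outbound -RemoteAddress $TrustedNets -Action Allow -Profile Any

# 3. Verify: each RPC rule should now list the trusted ranges, not 'Any'.
foreach ($rule in $rpcRules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    '{0}: RemoteAddress = {1}' -f $rule.DisplayName, $remote
}
```

Two caveats before deploying this. Outbound default-deny also stops DNS forwarding, Windows Update and any other egress that is not to a trusted range, so forwarders, WSUS or a proxy must be inside $TrustedNets or get their own allow rule. And scoping only the RPC rules leaves LDAP (TCP/UDP 389, 636, 3268, 3269) open to Any; if you want the same treatment for LDAP, drop the LocalPort filter in step 1 so the whole rule group is re-scoped.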
As we wrap up the year, we can take a look back at the numbers. This year, Microsoft resolved 1088 vulnerabilities, remarkably close to the 1063 resolved in 2023 and the 1119 resolved in 2022. If nothing else, we can say that Microsoft is consistent. While it would be nice to see the number of vulnerabilities decrease each year, at least consistency lets us know what to expect. Since Microsoft has signed CISA’s Secure by Design pledge, perhaps we’ll see these numbers drop in the future.
Fortra® Security & Trust Center