December Patch Tuesday arrives bearing 71 gifts – Sophos News

Microsoft on Tuesday launched 71 patches touching 10 product households. Seventeen of the addressed points, all affecting Home windows, are thought of by Microsoft to be of Crucial severity and all have a CVSS base rating of 8.1 or larger. Ten of those contain Distant Desktop Companies. At patch time, one of many points addressed (CVE-2024-49138, an Vital-severity Home windows Widespread Log File system driver situation) is understood to be underneath exploit within the wild, with 6 further CVEs extra prone to be exploited within the subsequent 30 days by the corporate’s estimation. 5 of this month’s points are amenable to detection by Sophos protections, and we embrace data on these in a desk under.

Along with these patches, the discharge consists of advisory data on two Edge CVEs (patched final week), a Protection-in-Depth replace for a selected model of Microsoft Undertaking, and knowledge on six bulletins launched by Adobe this week. We’re as all the time together with on the finish of this publish further appendices itemizing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product household.

Lastly, this month we’re including a brand new appendix that breaks out every month’s Home windows Server patches by affected model. Directors are inspired to make use of this appendix as a place to begin to establish their particular publicity, as every reader’s scenario — particularly because it considerations merchandise out of mainstream assist — will differ.

• Complete CVEs: 71
• Publicly disclosed: 1
• Exploit detected: 1
• Severity
  • Crucial: 17
  • Vital: 54
• Affect
  • Distant Code Execution: 31
  • Elevation of Privilege: 27
  • Info Disclosure: 7
  • Denial of Service: 5
  • Spoofing: 1
• CVSS base rating 9.0 or better: 1
• CVSS rating 8.0 or better: 27

Determine 1: December’s CVEs embrace no spoofing, denial of service, or safety function bypass points, however there are many Crucial-severity RCEs to maintain system directors busy

Merchandise

• Home windows: 59
• Workplace: 5
• SharePoint: 5
• 365 Apps: 4
• Entry: 1
• Defender: 1
• Excel: 1
• Muzic: 1
• SCOM: 1
• Phrase: 1

As is our customized for this listing, CVEs that apply to multiple product household are counted as soon as for every household they have an effect on.

Determine 2: Six of the ten product households coated on this month’s updates have only one patch apiece. Muzic is a music-generation challenge on Github (https://github.com/microsoft/muzic) initially developed by a staff from Microsoft Analysis Asia

Notable December updates

Along with the problems mentioned above, various particular gadgets advantage consideration.

CVE-2024-49112 — Home windows Light-weight Listing Entry Protocol (LDAP) Distant Code Execution Vulnerability

The one CVE this month with a CVSS base rating over 9.0, this Crucial-severity RCE weighs in at 9.8/10 and impacts not solely all supported variations of Home windows 10 and 11, however all variations of Server stretching again to 2008. Complexity is low (it requires a maliciously crafted set of LDAP calls), it requires neither privileges nor consumer interplay, and the attacker in a position to efficiently exploit the bug positive factors the power to execute arbitrary code throughout the context of the LDAP service. For directors unable to prioritize this patch for no matter motive, Microsoft advises them to make sure that area controllers will not be configured to entry the web, and that inbound RPC from untrusted networks is disallowed.

CVE-2024-49138 — Home windows Widespread Log File System Driver Elevation of Privilege Vulnerability

The one December CVE that’s identified to be underneath lively exploit within the wild, this Vital-severity elevation of privilege situation likewise impacts all supported shopper and server variations of Home windows. A profitable attacker would acquire system privileges.

CVE-2024-49117 – Home windows Hyper-V Distant Code Execution Vulnerability

An attacker efficiently using this Crucial-severity RCE might probably execute a cross-VM assault, leaping out of the initially compromised machine to compromise others.

CVE-2024-49114 — Home windows Cloud Information Mini Filter Driver Elevation of Privilege Vulnerability

This Vital-severity situation is a captivating instance of what simply is likely to be a brand new class of vulnerability: False File Immutability, through which sure assumptions constructed into sure Home windows componentry might result in untrustworthy recordsdata, dangerous system behaviors,  or different vulnerabilities.  Nonetheless, Microsoft categorizes this CVE as an Elevation of Privilege situation, yet one more prone to be exploited throughout the subsequent 30 days.

12 CVEs – RDP points
As coated in our Energetic Adversary technical stories, RDP continues to be the Microsoft part most frequently abused by attackers. Each client-side and server-side installations are in for it this month, with 10 of those CVEs classed as Crucial-severity by Microsoft.

Determine 3: And as 2024 concludes, Distant Code Execution vulnerabilities retain their standing as the commonest bug species to be squashed, retaining the title seized from Elevation of Privilege on the finish of 2023

Although it began off with three comparatively mild months, 2024 ends with 1015 CVEs addressed by means of the Patch Tuesday course of – the best annual depend since 2020’s complete of 1245 patches. 2024 additionally included the 2 single highest one-month patch counts, in April (147) and July (138). For these curious, December 2023 had the bottom depend of the previous 5 years, with 33 patches.

Determine 4: If it felt like 2020 was a loopy 12 months for Microsoft patches, you’re not improper. Although 2024 had a number of banner months, 2020 was general the heaviest patch load in 4 years for many directors

Sophos protections

As you’ll be able to each month, if you happen to don’t wish to wait to your system to drag down Microsoft’s updates itself, you’ll be able to obtain them manually from the Home windows Replace Catalog web site. Run the winver.exe device to find out which construct of Home windows 10 or 11 you’re working, then obtain the Cumulative Replace bundle to your particular system’s structure and construct quantity.

Appendix A: Vulnerability Affect and Severity

This can be a listing of December patches sorted by affect, then sub-sorted by severity. Every listing is additional organized by CVE.

Distant Code Execution (31 CVEs)

Elevation of Privilege (27 CVEs)

Info Disclosure (7 CVEs)

Denial of Service (5 CVEs)

Spoofing (1 CVE)

Appendix B: Exploitability

This can be a listing of the December CVEs judged by Microsoft to be both underneath exploitation within the wild or extra prone to be exploited within the wild throughout the first 30 days post-release. The listing is organized by CVE.

Appendix C: Merchandise Affected

This can be a listing of December’s patches sorted by product household, then sub-sorted by severity. Every listing is additional organized by CVE. Patches which might be shared amongst a number of product households are listed a number of occasions, as soon as for every product household. Points affecting Home windows Server are additional sorted in Appendix E.

Home windows (59 CVEs)

Workplace (5 CVEs)

SharePoint (5 CVEs)

365 (4 CVEs)

Entry (1 CVE)

Defender (1 CVE)

Excel (1 CVE)

Muzic (1 CVE)

SCOM (1 CVE)

Phrase (1 CVE)

Appendix D: Advisories and Different Merchandise

This can be a listing of advisories and knowledge on different related CVEs within the December launch.

Microsoft data:

Adobe Reader advisories:

Appendix E: Affected Home windows Server variations

This can be a desk of CVEs within the December launch affecting 9 Home windows Server variations — 2008 by means of 2025. The desk differentiates amongst main variations of the platform however doesn’t go into deeper element (eg., Server Core). Crucial-severity points are marked in crimson; an “x” signifies that the CVE doesn’t apply to that model. Directors are inspired to make use of this appendix as a place to begin to establish their particular publicity as every reader’s scenario, particularly because it considerations merchandise out of mainstream assist, will differ.