December Patch Tuesday arrives bearing 71 presents – Sophos Information

Microsoft on Tuesday launched 71 patches touching 10 product households. Seventeen of the addressed points, all affecting Home windows, are thought-about by Microsoft to be of Vital severity and all have a CVSS base rating of 8.1 or larger. Ten of those contain Distant Desktop Providers. At patch time, one of many points addressed (CVE-2024-49138, an Necessary-severity Home windows Widespread Log File system driver subject) is understood to be underneath exploit within the wild, with 6 further CVEs extra more likely to be exploited within the subsequent 30 days by the corporate’s estimation. 5 of this month’s points are amenable to detection by Sophos protections, and we embrace info on these in a desk under.

Along with these patches, the discharge contains advisory info on two Edge CVEs (patched final week), a Protection-in-Depth replace for a selected model of Microsoft Venture, and data on six bulletins launched by Adobe this week. We’re as at all times together with on the finish of this submit further appendices itemizing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product household.

Lastly, this month we’re including a brand new appendix that breaks out every month’s Home windows Server patches by affected model. Directors are inspired to make use of this appendix as a place to begin to determine their particular publicity, as every reader’s state of affairs — particularly because it issues merchandise out of mainstream help — will differ.

• Complete CVEs: 71
• Publicly disclosed: 1
• Exploit detected: 1
• Severity
  • Vital: 17
  • Necessary: 54
• Influence
  • Distant Code Execution: 31
  • Elevation of Privilege: 27
  • Data Disclosure: 7
  • Denial of Service: 5
  • Spoofing: 1
• CVSS base rating 9.0 or better: 1
• CVSS rating 8.0 or better: 27

Determine 1: December’s CVEs embrace no spoofing, denial of service, or safety function bypass points, however there are many Vital-severity RCEs to maintain system directors busy

Merchandise

• Home windows: 59
• Workplace: 5
• SharePoint: 5
• 365 Apps: 4
• Entry: 1
• Defender: 1
• Excel: 1
• Muzic: 1
• SCOM: 1
• Phrase: 1

As is our customized for this listing, CVEs that apply to a couple of product household are counted as soon as for every household they have an effect on.

Determine 2: Six of the ten product households lined on this month’s updates have only one patch apiece. Muzic is a music-generation venture on Github (https://github.com/microsoft/muzic) initially developed by a staff from Microsoft Analysis Asia

Notable December updates

Along with the problems mentioned above, a lot of particular gadgets benefit consideration.

CVE-2024-49112 — Home windows Light-weight Listing Entry Protocol (LDAP) Distant Code Execution Vulnerability

The one CVE this month with a CVSS base rating over 9.0, this Vital-severity RCE weighs in at 9.8/10 and impacts not solely all supported variations of Home windows 10 and 11, however all variations of Server stretching again to 2008. Complexity is low (it requires a maliciously crafted set of LDAP calls), it requires neither privileges nor person interplay, and the attacker capable of efficiently exploit the bug good points the flexibility to execute arbitrary code inside the context of the LDAP service. For directors unable to prioritize this patch for no matter purpose, Microsoft advises them to make sure that area controllers are usually not configured to entry the web, and that inbound RPC from untrusted networks is disallowed.

CVE-2024-49138 — Home windows Widespread Log File System Driver Elevation of Privilege Vulnerability

The one December CVE that’s recognized to be underneath energetic exploit within the wild, this Necessary-severity elevation of privilege subject likewise impacts all supported consumer and server variations of Home windows. A profitable attacker would achieve system privileges.

CVE-2024-49117 – Home windows Hyper-V Distant Code Execution Vulnerability

An attacker efficiently using this Vital-severity RCE might doubtlessly execute a cross-VM assault, leaping out of the initially compromised machine to compromise others.

CVE-2024-49114 — Home windows Cloud Information Mini Filter Driver Elevation of Privilege Vulnerability

This Necessary-severity subject is an interesting instance of what simply is likely to be a brand new class of vulnerability: False File Immutability, by which sure assumptions constructed into sure Home windows componentry might result in untrustworthy information, dangerous system behaviors,  or different vulnerabilities.  However, Microsoft categorizes this CVE as an Elevation of Privilege subject, another more likely to be exploited inside the subsequent 30 days.

12 CVEs – RDP points
As lined in our Lively Adversary technical experiences, RDP continues to be the Microsoft part most frequently abused by attackers. Each client-side and server-side installations are in for it this month, with 10 of those CVEs classed as Vital-severity by Microsoft.

Determine 3: And as 2024 concludes, Distant Code Execution vulnerabilities retain their standing as the commonest bug species to be squashed, retaining the title seized from Elevation of Privilege on the finish of 2023

Although it began off with three comparatively gentle months, 2024 ends with 1015 CVEs addressed by the Patch Tuesday course of – the very best annual rely since 2020’s complete of 1245 patches. 2024 additionally included the 2 single highest one-month patch counts, in April (147) and July (138). For these curious, December 2023 had the bottom rely of the previous 5 years, with 33 patches.

Determine 4: If it felt like 2020 was a loopy 12 months for Microsoft patches, you’re not fallacious. Although 2024 had a number of banner months, 2020 was total the heaviest patch load in 4 years for many directors

Sophos protections

As you possibly can each month, if you happen to don’t need to wait to your system to tug down Microsoft’s updates itself, you possibly can obtain them manually from the Home windows Replace Catalog web site. Run the winver.exe software to find out which construct of Home windows 10 or 11 you’re working, then obtain the Cumulative Replace package deal to your particular system’s structure and construct quantity.

Appendix A: Vulnerability Influence and Severity

This can be a listing of December patches sorted by impression, then sub-sorted by severity. Every listing is additional organized by CVE.

Distant Code Execution (31 CVEs)

Elevation of Privilege (27 CVEs)

Data Disclosure (7 CVEs)

Denial of Service (5 CVEs)

Spoofing (1 CVE)

Appendix B: Exploitability

This can be a listing of the December CVEs judged by Microsoft to be both underneath exploitation within the wild or extra more likely to be exploited within the wild inside the first 30 days post-release. The listing is organized by CVE.

Appendix C: Merchandise Affected

This can be a listing of December’s patches sorted by product household, then sub-sorted by severity. Every listing is additional organized by CVE. Patches which are shared amongst a number of product households are listed a number of occasions, as soon as for every product household. Points affecting Home windows Server are additional sorted in Appendix E.

Home windows (59 CVEs)

Workplace (5 CVEs)

SharePoint (5 CVEs)

365 (4 CVEs)

Entry (1 CVE)

Defender (1 CVE)

Excel (1 CVE)

Muzic (1 CVE)

SCOM (1 CVE)

Phrase (1 CVE)

Appendix D: Advisories and Different Merchandise

This can be a listing of advisories and data on different related CVEs within the December launch.

Microsoft info:

Adobe Reader advisories:

Appendix E: Affected Home windows Server variations

This can be a desk of CVEs within the December launch affecting 9 Home windows Server variations — 2008 by 2025. The desk differentiates amongst main variations of the platform however doesn’t go into deeper element (eg., Server Core). Vital-severity points are marked in purple; an “x” signifies that the CVE doesn’t apply to that model. Directors are inspired to make use of this appendix as a place to begin to determine their particular publicity as every reader’s state of affairs, particularly because it issues merchandise out of mainstream help, will differ.