Patch Tuesday: Microsoft Patches One Actively Exploited Vulnerability, Among Others

December brought a relatively mild Patch Tuesday: of the 70 vulnerabilities fixed, 16 were classified as critical, and only one was already being actively exploited when the patch shipped.

“This year, cybersecurity professionals must be on Santa’s nice list, or, at the very least, Microsoft’s,” Tyler Reguly, associate director of security R&D at cybersecurity software and services company Fortra, told TechRepublic in an email.

Microsoft patches leaky CLFS

CVE-2024-49138 is an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver, the kernel-mode component Windows uses to write transaction logs. Improper bounds checking in the driver could let an attacker who already has local code execution on a machine gain SYSTEM privileges. From there, they could steal data or install backdoors.

“Given that CLFS is a standard component across multiple versions of Windows, including server and client installations, the vulnerability has extensive reach, especially in enterprise environments,” Mike Walters, president and co-founder of Action1, said in an email to TechRepublic.

Addressing this vulnerability should be a high priority since it has already been exploited; CISA added it to its Known Exploited Vulnerabilities catalog the same day the patch was released. Because it is a local privilege escalation rather than a remote flaw, attackers typically chain it with a separate initial-access bug, so patching removes the second stage of such a chain on every Windows client and server.

Microsoft has released patches for eight other CLFS vulnerabilities this year, according to Reguly.

“That is, however, an improvement for Microsoft, who patched 12 CLFS vulnerabilities in 2022 and 10 CLFS vulnerabilities in 2023,” Reguly wrote.


‘Tis the season … for remote code execution

Only one vulnerability carried a CVSS score above 9: CVE-2024-49112, rated 9.8. It is a remote code execution flaw in the Windows Lightweight Directory Access Protocol (LDAP) service: an unauthenticated attacker who can reach the service with a specially crafted set of LDAP calls could execute arbitrary code in the context of that service.

“Windows Server systems acting as domain controllers (DCs) are especially at risk, given their crucial role in managing directory services,” said Walters.

This makes December a good time both to install the patch for this vulnerability and to revisit a basic piece of security hygiene: domain controllers shouldn't have internet access. Microsoft's own advisory lists configuring domain controllers to not access the internet, or to not accept inbound RPC from untrusted networks, as a mitigation. Reguly pointed out that companies following the Department of Defense's DISA STIG for Active Directory Domains should already have blocked domain controllers from internet connections.
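The following PowerShell script is an added example, not code from the article or from Microsoft, Fortra or Action1. It walks every domain controller in the forest, tests whether the DC can complete a TCP handshake to a public host, and, where it can, adds a Windows Firewall rule blocking outbound traffic to public IPv4 space. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the DCs, and that the DC is not allowed to use an outbound proxy; the probe host and rule name are placeholders chosen for this example.

```powershell
# Added example (not from the article or from Fortra/Action1): find domain controllers
# that still have internet egress and block it. Assumptions: RSAT ActiveDirectory module,
# PowerShell remoting to each DC, no permitted outbound proxy. Probe host and rule name
# are placeholders.
Import-Module ActiveDirectory

$ProbeHost = 'www.microsoft.com'      # assumption: any public host a DC has no business reaching
$RuleName  = 'DC-Block-Internet-Egress'

# Public IPv4 space only. RFC 1918, CGNAT (100.64/10), loopback, link-local and
# multicast/reserved ranges are left out so replication, DNS and internal tooling keep working.
$PublicRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-100.63.255.255',
    '100.128.0.0-126.255.255.255',
    '128.0.0.0-169.253.255.255',
    '169.255.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

$Dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($dc in $Dcs) {
    # -InformationLevel Quiet makes Test-NetConnection return $true only on a completed handshake.
    $reach = Invoke-Command -ComputerName $dc -ScriptBlock {
        Test-NetConnection -ComputerName $using:ProbeHost -Port 443 `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }

    if (-not $reach) {
        Write-Output "$dc cannot reach ${ProbeHost}:443 (as it should be)"
        continue
    }

    Write-Warning "$dc can reach ${ProbeHost}:443; adding outbound block rule $RuleName"
    Invoke-Command -ComputerName $dc -ScriptBlock {
        if (-not (Get-NetFirewallRule -DisplayName $using:RuleName -ErrorAction SilentlyContinue)) {
            # An explicit Block rule takes precedence over Allow rules in Windows Firewall,
            # so this overrides any broad outbound allow that is already present.
            New-NetFirewallRule -DisplayName $using:RuleName -Direction Outbound -Action Block `
                -Profile Any -RemoteAddress $using:PublicRanges | Out-Null
        }
    }
}
```

Run this from a management host, not on a DC, and expect it to break anything on the DC that currently talks to the internet directly: Windows Update, Defender cloud lookups, Entra Connect and similar agents must go through WSUS or an internal proxy before the rule is applied. The rule covers IPv4 only; a dual-stack DC needs an equivalent rule for global IPv6 space, and a host-based rule is a backstop for, not a replacement for, egress filtering on the network itself.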

Action1 also noted that nine of the December vulnerabilities are remote code execution flaws affecting Windows Remote Desktop Services.

“Organizations should avoid exposing RDP services to the global internet and implement robust security controls to mitigate risks,” wrote Walters. “These flaws further prove the dangers of leaving RDP open and unprotected.”
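As an added example of the controls Walters describes (this script is not from the article or from Action1), the following PowerShell audits a Windows host's RDP exposure: it checks that Network Level Authentication is required, so a client must authenticate before a session is created, and narrows any enabled inbound firewall rule that allows TCP 3389 from any address to a management network. It assumes it runs elevated on the host being checked; the management subnet is a placeholder for this example.

```powershell
# Added example (not from the article or from Action1): check and tighten RDP exposure on
# the local host. Assumes an elevated session; $MgmtNet is a placeholder for the only
# network that should be able to reach RDP.
$MgmtNet = '10.10.0.0/24'

$rdpKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
$nla        = (Get-ItemProperty -Path "$rdpKey\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication -eq 1

if (-not $rdpEnabled) {
    Write-Output 'RDP is disabled on this host; nothing is exposed.'
    return
}

if (-not $nla) {
    Write-Warning 'Network Level Authentication is off: unauthenticated clients reach the RDS stack before logon.'
    # Require NLA so the CredSSP handshake must succeed before the session stack is exercised.
    Set-ItemProperty -Path "$rdpKey\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
}

# Enabled inbound Allow rules for TCP 3389 with an unrestricted remote address.
$open = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object {
        ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' -and
        ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any'
    }

if (-not $open) {
    Write-Output 'No inbound rule allows RDP from any address.'
}

foreach ($rule in $open) {
    Write-Warning "Rule '$($rule.DisplayName)' allows RDP from any address; scoping it to $MgmtNet"
    # Restrict the existing rule rather than adding a second one, so no wider Allow rule
    # is left behind for an attacker to benefit from.
    $rule | Set-NetFirewallRule -RemoteAddress $MgmtNet
}
```

Scoping the host firewall rule limits who can reach the service, but it does not replace patching: the December fixes are for code that runs after a connection is accepted, so any host that must expose RDP to a broader population should be patched first and placed behind a gateway or VPN rather than on the public internet.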

“If nothing else, we can say that Microsoft is consistent,” Reguly added. “While it would be nice to see the number of vulnerabilities each year decreasing, at least consistency lets us know what to expect. Since Microsoft has signed CISA’s Secure by Design pledge, we may see these numbers drop in the future.”

Time to check in on Apple, Google Chrome, and other Patch Tuesday security updates

Many other companies time their monthly releases for the second Tuesday of the month. Adobe provided a list of security updates. Other major patches, as collected by Action1, include:

  • Patches for vulnerabilities in Google Chrome and Mozilla Firefox.
  • A security update for over 100 Cisco devices that use the NX-OS data center-focused operating system.
  • Fixes for several local privilege escalation vulnerabilities in Linux.
  • Patches for two actively exploited zero-day vulnerabilities in Macs with Intel chips.

A complete list of Windows security updates can be found at Microsoft Support.
