Microsoft has released its final security update of 2024, which fixes a zero-day vulnerability (CVE-2024-49138) that attackers are actively exploiting in the wild. The December Patch Tuesday release addresses 71 vulnerabilities, 16 of them rated Critical. The exploited zero-day itself is rated Important (CVSS 7.8), not Critical, but confirmed in-the-wild exploitation makes it the most urgent fix in the batch.
Zero-day details

The actively exploited bug is a heap-based buffer overflow in the Windows Common Log File System (CLFS) driver. It is an elevation-of-privilege flaw: an attacker who already has code execution as a low-privileged user on the machine can use it to elevate to SYSTEM, the highest level of access on a Windows host. That post-compromise role is exactly what makes it dangerous. CLFS privilege-escalation bugs have been chained by ransomware operators after initial access to disable defenses and deploy payloads, and this one is already being used in the wild.
Severity and impact
The December 2024 security update addresses:
- 30 Remote Code Execution vulnerabilities.
- 27 Elevation of Privilege flaws.
- 7 Information Disclosure issues.
- 5 Denial of Service vulnerabilities.
- 1 Spoofing vulnerability.
Additional critical vulnerabilities
Among the most severe issues patched is CVE-2024-49112, a remote code execution vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) service with a CVSS score of 9.8. An unauthenticated attacker can send a specially crafted set of LDAP calls and execute arbitrary code in the context of the LDAP service, which on a domain controller means the server that holds the directory itself. Until the update is deployed, Microsoft's recommended mitigation is to ensure that domain controllers either cannot access the internet or do not accept inbound RPC connections from untrusted networks. This is an interim measure, not a replacement for installing the patch.
Enterprise impact
This release contains the largest number of vulnerabilities fixed in a December update since 2017 and brings Microsoft's total for 2024 to 1,020. The breadth of the update underscores the importance of prompt patching in enterprise environments, where an unauthenticated RCE such as the LDAP flaw offers direct entry to domain controllers and the CLFS bug offers privilege escalation once an attacker has a foothold, for example after a successful phishing campaign.
Immediate action required
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-49138 to its Known Exploited Vulnerabilities Catalog, which requires federal civilian agencies to apply the fix by December 31, 2024. Security experts strongly recommend that all Windows users and administrators install these updates immediately, and that administrators verify the December cumulative update is actually present on each system rather than assuming the deployment succeeded.
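The two practical steps this article calls for, verifying that the December update is installed and applying Microsoft's interim RPC mitigation on domain controllers until it is, can be done from PowerShell. The script below is an added example, not code from the original article or from Microsoft. It reports whether a "2024-12" cumulative update is installed, shows the installed CLFS driver file version (compare it with the file table in the KB article for your build; no fixed version number is assumed here), and on a domain controller can write Windows Firewall rules that block inbound RPC from address ranges you name. The parameter names, rule names and the choice to gate the rule behind a switch are this script's own.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not from the original article or from Microsoft. Run on a Windows host after
  the December 2024 update window. Report-only by default; pass -ApplyFirewallRule together
  with -UntrustedRanges on a domain controller to write the interim CVE-2024-49112 block rules.
  Parameter and rule names are this script's own assumptions.
#>
param(
    # Source ranges (CIDR, or a-b) that must not reach RPC on this DC. You supply them; none are assumed.
    [string[]]$UntrustedRanges,
    # Report only unless this switch is given.
    [switch]$ApplyFirewallRule
)

$patchTuesday = [datetime]'2024-12-10'

# 1. Anything installed since Patch Tuesday, via the Win32_QuickFixEngineering view.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending

# 2. Cross-check with the Windows Update agent; its titles carry the release month ("2024-12 ...").
$decUpdates = @()
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $decUpdates = @($searcher.Search('IsInstalled=1').Updates |
        Where-Object { $_.Title -like '2024-12*Cumulative Update*' } |
        ForEach-Object Title)
} catch {
    Write-Warning "Windows Update agent query failed ($_); relying on Get-HotFix only."
}
$patched = $decUpdates.Count -gt 0

# 3. CVE-2024-49138 lives in clfs.sys; the fixed file version differs per build, so report it
#    for comparison against the KB article rather than hard-coding a value.
$clfsVersion = (Get-Item "$env:SystemRoot\System32\drivers\clfs.sys").VersionInfo.FileVersion

# 4. Domain controller? Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC.
$isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -in 4, 5

# 5. Interim CVE-2024-49112 mitigation on DCs: block inbound RPC from untrusted ranges.
#    'RPCEPMap' is the endpoint mapper (TCP 135) and 'RPC' the dynamic RPC range; both are
#    special LocalPort values the firewall resolves itself. Block rules take precedence over
#    the built-in AD DS allow rules, but only for the listed source ranges.
if ($isDC -and $ApplyFirewallRule) {
    if (-not $UntrustedRanges) { throw 'Supply -UntrustedRanges together with -ApplyFirewallRule.' }
    foreach ($r in @(
        @{ Name = 'CVE-2024-49112 interim: block RPC endpoint mapper'; Port = 'RPCEPMap' },
        @{ Name = 'CVE-2024-49112 interim: block dynamic RPC';         Port = 'RPC' })) {
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
                -LocalPort $r.Port -RemoteAddress $UntrustedRanges -Action Block `
                -Profile Any -Enabled True | Out-Null
        }
    }
    # Once the update is confirmed: Remove-NetFirewallRule -DisplayName 'CVE-2024-49112 interim*'
}

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    DecemberCUInstalled = $patched
    DecemberCUTitles    = $decUpdates -join '; '
    UpdatesSince1210    = ($recent | ForEach-Object HotFixID) -join ', '
    ClfsDriverVersion   = $clfsVersion
    IsDomainController  = $isDC
}
```

Scope the ranges carefully: an inbound RPC block on a domain controller also stops remote management and replication from those sources, so list only networks that should never talk to the DC, and remove the rules once the December update is confirmed installed. A reported December cumulative update plus a clfs.sys version matching the KB file table is the evidence that CVE-2024-49138 is closed on that host.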
Looking forward
As Microsoft closes out its 2024 security updates, this final Patch Tuesday highlights the ongoing work of keeping systems secure: a large batch of Critical fixes, an unauthenticated RCE against domain controllers, and a privilege-escalation bug already in use by attackers. Organizations and individual users should prioritize deploying these updates heading into 2025, and the active exploitation of CVE-2024-49138 makes this month's release urgent for every Windows system.
Discover more from Microsoft News Now