
Microsoft holds last Patch Tuesday of the year with 72 gifts for admins

Twas the night before Christmas, and all through the house, patching was done with the click of a mouse


Patch Tuesday: Microsoft hasn't added too much coal to the stocking this Patch Tuesday, with just 72 fixes, only one of which scored more than nine on the CVSS threat ranking scale.

Of more immediate concern is one vulnerability in the list that is actively being exploited - CVE-2024-49138 - an escalation-of-privilege flaw in the Windows Common Log File System Driver that can lead to full system access. Windows 10 and 11 systems are vulnerable, as are Server 2019 and later builds.

The highest-rated vuln in this month's goodie bag is CVE-2024-49112, which gets a CVSS score of 9.8, but Microsoft notes it's difficult to exploit. The problem lies with Windows Lightweight Directory Access Protocol (LDAP), which would allow an attacker to remotely execute code on Windows 10 systems and every server OS since 2008 using custom LDAP calls.

Microsoft does suggest a workaround for anyone unwilling or unable to patch. If domain controllers are set to block inbound RPCs from untrusted networks, or shut off from the internet altogether, then the flaw is unexploitable. The issue was spotted by Yuki Chen, one of Microsoft's top private flaw finders.

Of the six fixes rated as most likely to be exploited, CVE-2024-49093 is the most serious, with the flaw in Windows Resilient File System earning a CVSS score of 8.8 and leaving operators vulnerable to malicious low-privilege AppContainers. Once on the system, the attacker could upgrade their privileges and execute code.

Two of the other likely exploitation targets are the elevation of privilege flaws in Windows Common Log File System Driver - CVE-2024-49088 and CVE-2024-49090. Neither requires any user interaction, and both could allow a rogue operator to grasp system privileges, as could CVE-2024-49114 in Windows Cloud Files Mini Filter Driver.

The last two on the most-likely-to-get-hit list are code execution flaws. CVE-2024-49070 is a SharePoint issue, but the attacker would need local access to make it work. CVE-2024-49122 in Microsoft Message Queuing, however, can allow remote code execution if the intruder gets a malicious packet to an MSMQ server.

Adobe the grinch

After Microsoft's relatively mild patch unboxing, Adobe dropped a total of 167 flaw fixes today. Hopefully its heart will grow three sizes next month.

If you're using Adobe Experience Manager then there are a whopping 91 flaws to fix. Only one is critical but all should be patched - it looks like Adobe has been saving some of these up for a rainy day.

Adobe Connect also got a big update - 22 flaws were fixed and six of them are rated critical. They are mostly cross-site scripting issues, but there's a nasty CVSS 9.3 improper access control issue that should be corrected.

Things are better for Acrobat; only six flaws fixed, none of which have a CVSS score higher than seven. Adobe Animate gets an unlucky 13, all with a CVSS score of 7.8 oddly enough. InDesign and Substance 3D Modeler each have nine issues to fix, but none exceed a CVSS score of 7.8.

Of the four flaws in Adobe Media Encoder, three allow arbitrary code execution (plus three more for Adobe Substance 3D Sampler) and there's a denial-of-service issue to be fixed in the former too. Illustrator has a couple of critical issues to patch, as does Adobe Substance 3D Painter. ®
