On December 10, 2024, Microsoft released security updates for Windows clients and servers, for Office, and for other products. The security updates address 70 vulnerabilities (CVEs), including 16 critical vulnerabilities, one of which is classified as a 0-day (already exploited). Below is a compact overview of the updates released on this Patchday.
Notes on the updates
A list of updates can be found on this Microsoft page. Details on the update packages for Windows, Office etc. are available in separate blog posts.
Windows 10/11, Windows Server
All Windows 10/11 updates (as well as the updates of the server counterparts) are cumulative. The monthly Patchday update contains all security fixes for these Windows versions – as well as all non-security fixes up to Patchday. In addition to the security patches for the vulnerabilities, the updates also contain fixes to correct errors or new features.
Windows Server 2012 R2
Windows Server 2012/R2 received regular security updates until October 2023. After this date, an ESU license is required to obtain further security updates (Windows Server 2012/R2 gets Extended Security Updates (ESU) until October 2026).
Fixed vulnerabilities
Tenable has published this blog post with an overview of the vulnerabilities that have been fixed. Here are some of the critical vulnerabilities that have been fixed:
- CVE-2024-49138, CVE-2024-49090, CVE-2024-49088: Windows Common Log File System Driver Elevation of Privilege vulnerability, all with CVSSv3 score 7.8, important. An attacker could exploit this vulnerability to elevate privileges. According to Microsoft, the vulnerability CVE-2024-49138 has been exploited in the wild as a zero-day. At the time of publication of this blog post, no further details on this vulnerability were available.
- CVE-2024-49070: Microsoft SharePoint Remote Code Execution vulnerability, CVSSv3 score 7.8, important. The Microsoft report points out that the attack complexity is high and that the attacker must first prepare the target for successful exploitation in order to increase the reliability of an attack. Although no details were given, Microsoft categorized this vulnerability as "Exploitation More Likely". In addition to CVE-2024-49070, Microsoft has patched two information disclosure vulnerabilities (CVE-2024-49062, CVE-2024-49064) and an EoP vulnerability (CVE-2024-49068) in Microsoft SharePoint.
- CVE-2024-49118, CVE-2024-49122: Microsoft Message Queuing (MSMQ) Remote Code Execution vulnerability, CVSSv3 score 8.1, critical. According to Microsoft, an attacker must successfully win a race condition. Despite this requirement, Microsoft categorized CVE-2024-49122 as "Exploitation More Likely", while CVE-2024-49118 was categorized as "Exploitation Less Likely" because winning the race condition must occur "during the execution of a specific operation that occurs on the target system at a low frequency". For a system to be vulnerable, the MSMQ service must be added and enabled. According to Microsoft, if the service is enabled on a Windows installation, a service called "Message Queuing" will run and listen on TCP port 1801.
- CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128, CVE-2024-49132: Windows Remote Desktop Services Remote Code Execution vulnerability, CVSSv3 score 8.1, critical. These are RCE vulnerabilities that affect Windows Remote Desktop Services. Successful exploitation is complex and requires an attacker to trigger a race condition to create a "use-after-free scenario" that can lead to the execution of arbitrary code. Due to the high complexity of the exploitation, Microsoft classified these vulnerabilities as "Exploitation Less Likely". In addition, Microsoft has fixed the DoS vulnerability CVE-2024-49075 in Remote Desktop Services.
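As an added example (not part of the original post and not Microsoft's or Tenable's code), the following PowerShell snippet performs the two checks a defender would want from the MSMQ entry above: whether the "Message Queuing" service is present on a host, and whether anything is actually listening on TCP port 1801, plus a listing of updates installed on or after the December 10, 2024 Patchday. It assumes the Windows service name `MSMQ` for "Message Queuing", a Windows host with the built-in `Get-NetTCPConnection` cmdlet (Windows 8/Server 2012 and later), and that the update status is checked by install date, because the post does not name individual KB numbers.

```powershell
# Added example: check exposure to the MSMQ vulnerabilities described in the
# post (CVE-2024-49118 / CVE-2024-49122) and list updates installed since the
# December 10, 2024 Patchday. Assumptions: service name 'MSMQ' corresponds to
# the "Message Queuing" service; Get-NetTCPConnection is available.

$patchday = [datetime]'2024-12-10'

# 1. Is the Message Queuing service installed, and is it running?
$msmq = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
if ($null -eq $msmq) {
    Write-Output 'MSMQ service not installed: the MSMQ RCE CVEs do not apply to this host.'
} else {
    Write-Output ("MSMQ service present, status: {0}, start type: {1}" -f $msmq.Status, $msmq.StartType)
}

# 2. Is any process listening on TCP 1801 (the port the post names for MSMQ)?
$listeners = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    foreach ($conn in $listeners) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
        Write-Output ("TCP 1801 listening on {0}, owning process: {1} (PID {2})" -f $conn.LocalAddress, $name, $conn.OwningProcess)
    }
} else {
    Write-Output 'Nothing is listening on TCP 1801.'
}

# 3. Which updates were installed on or after the Patchday date?
# Get-HotFix reports KB-numbered updates registered with the OS; entries with
# no InstalledOn value are skipped rather than treated as recent.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchday } |
    Sort-Object InstalledOn -Descending
if ($recent) {
    $recent | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
} else {
    Write-Warning 'No updates installed on or after 2024-12-10 were found; check Windows Update for the December cumulative update.'
}
```

Run it in an elevated PowerShell session so that the owning process of the port 1801 listener can be resolved. A host where the service is absent or stopped and nothing listens on 1801 is not reachable through the MSMQ attack surface the post describes, but it still needs the cumulative update for the other CVEs listed above.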
A list of all CVEs discovered can be found on this Microsoft page, excerpts are available at Tenable.
Similar articles:
Microsoft Security Update Summary (December 10, 2024)
Patchday: Windows 10/Server Updates (December 10, 2024)
Patchday: Windows 11/Server 2022/2025-Updates (December 10, 2024)
Patchday: Windows Server 2012 / R2 (December 10, 2024)
Patchday: Microsoft Office Updates (December 10, 2024)