Critical CLFS and LDAP flaws stand out on Patch Tuesday
Microsoft has fixed over 70 CVEs in its final Patch Tuesday update of the year, and defenders should prioritise a zero-day in the Common Log File System Driver, and another impactful flaw in the Lightweight Directory Access Protocol
Microsoft has issued fixes for 71 Common Vulnerabilities and Exposures (CVEs) to mark the final Patch Tuesday of 2025, with a solitary zero-day that allows privilege elevation through the Windows Common Log File System Driver stealing the limelight.
Assigned designation CVE-2024-49138 and credited to CrowdStrike’s Advanced Research Team, the flaw stems from a heap-based buffer overflow in which improper bounds checking lets an attacker overwrite memory in the heap.
It is believed to be relatively trivial for an attacker to exploit to execute arbitrary code and gain system-level privileges that could be used to carry out deeper and more impactful attacks, such as ransomware. Microsoft said it had seen CVE-2024-49138 being exploited in the wild.
“The CLFS driver is a core Windows component used by applications to write transaction logs,” said Mike Walters, president and co-founder of patch management specialist Action1.
“This vulnerability enables unauthorised privilege elevation by manipulating the driver’s memory management, culminating in system-level access – the highest privilege in Windows,” he said. “Attackers gaining system privileges can perform actions such as disabling security protections, exfiltrating sensitive data, or installing persistent backdoors.”
Walters explained that any Windows system dating back to 2008 that makes use of the standard CLFS component is vulnerable to this flaw, making it a potential headache across enterprise environments if not addressed quickly.
“The vulnerability is confirmed to be exploited in the wild and some information regarding the vulnerability has been publicly disclosed, but that disclosure may not include code samples,” said Ivanti vice-president of security products Chris Goettl. “The CVE is rated Important by Microsoft and has a CVSSv3.1 score of 7.8. Risk-based prioritisation would rate this vulnerability as Critical, which makes the Windows OS update this month your top priority.”
Critical concerns
In a year that saw Microsoft push over 1,000 bug fixes across 12 months, the second highest volume ever after 2020, as Dustin Childs of the Zero Day Initiative observed, December 2024 will stand out for a notably high volume of Critical vulnerabilities, 16 in total and all, without exception, leading to remote code execution (RCE).
Nine of these vulnerabilities affect Windows Remote Desktop Services, while three are found in the Windows Lightweight Directory Access Protocol (LDAP), two in Windows Message Queuing (MSMQ) and one apiece in Windows Local Security Authority Subsystem Service (LSASS) and Windows Hyper-V.
Of these, it is CVE-2024-49112 in Windows LDAP that perhaps warrants the closest attention, carrying a CVSS score of 9.8 and affecting all versions of Windows since Windows 7 and Server 2008 R2. Left unaddressed, it allows an unauthenticated attacker to achieve RCE on the underlying server.
LDAP is commonly found on servers acting as Domain Controllers in a Windows network, and the function has to be exposed to other servers, and clients, in an environment in order for the domain to function.
Low attack complexity
Immersive Labs principal security engineer Rob Reeves explained: “Microsoft … has indicated that the attack complexity is low and authentication is not required. Moreover, they state that exposure of this service either to the internet or to untrusted networks should be stopped immediately.
“An attacker can make a series of crafted calls to the LDAP service and gain access within the context of that service, which will be running with System privileges,” said Reeves.
“Due to the Domain Controller status of the machine account, it is assessed this may immediately enable the attacker to … gain access to all credential hashes within the domain. It is generally assessed that an attacker will only need to gain low privileged access to a Windows host inside a site or a foothold within the network in order to exploit this service – gaining full control over the domain.”
Reeves told Computer Weekly that threat actors, in particular ransomware gangs, will be keenly looking to find exploits for this flaw in the coming days because taking full control of a Domain Controller in an Active Directory environment can give them access to every Windows machine on that domain.
“Environments which make use of Windows networks using Domain Controllers should patch this vulnerability as a matter of urgency and ensure Domain Controllers are actively monitored for indicators of exploitation,” he warned.
And finally
Finally, one little-regarded bug stands out this month, a flaw in Microsoft Muzic, tracked as CVE-2024-49063.
“The Microsoft Muzic AI project is an interesting one,” observed Ivanti’s Goettl. “CVE-2024-49063 is a remote code execution vulnerability in Microsoft Muzic. To resolve this, developers would have to take the latest build from GitHub to update their implementation.”
The vulnerability stems from deserialisation of untrusted data, leading to remote code execution if an attacker can craft a malicious payload to execute.
For those unfamiliar with the project, Microsoft Muzic is an ongoing research project understanding and generating music using artificial intelligence (AI). Some of the project’s components include automated lyric transcription, song-writing and lyric generation, accompaniment generation and singing voice synthesis.
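The deserialisation weakness class behind CVE-2024-49063, illustrated as an added example that is not Muzic's own code: it assumes a Python pickle-based model or data format (the article does not say which serialiser the project uses) and shows how a restricted unpickler refuses payloads that would call a function on load, using the harmless `builtins.print` as a stand-in for anything worse.

```python
import io
import pickle

# Constructed allow-list of builtin types a trusted data file may contain.
# Any other global reference (functions, classes from other modules) is
# refused, which is what turns a "load" into a "call" in a hostile payload.
SAFE_BUILTINS = {"dict", "list", "set", "frozenset", "tuple",
                 "str", "int", "float", "bool", "bytes"}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allow-listed builtin types; reject every other global."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(__import__("builtins"), name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads() on untrusted input."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class _CallOnLoad:
    """Constructed hostile object: its pickle tells the loader to call a
    function with arguments. builtins.print stands in for a real payload."""

    def __reduce__(self):
        return (print, ("called during unpickling",))


def demo():
    """Return whether benign data loads and the call-on-load payload is refused."""
    benign = pickle.dumps({"lyrics": ["la", "la"], "bpm": 120})
    hostile = pickle.dumps(_CallOnLoad())
    results = {
        "benign_ok": restricted_loads(benign) == {"lyrics": ["la", "la"], "bpm": 120}
    }
    try:
        restricted_loads(hostile)
        results["hostile_rejected"] = False
    except pickle.UnpicklingError:
        results["hostile_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

A plain `pickle.loads(hostile)` would execute the embedded call, which is the whole point of preferring a non-executable format or a restricted loader for data received from untrusted sources.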