Microsoft posted more than 70 fixes for vulnerabilities in Windows, Office and Edge on Dec. 10.
The December edition of Patch Tuesday rounds out the year with fixes for 16 flaws rated critical and 54 rated important under Microsoft's severity scale.
“This is the largest number of CVEs addressed in December since at least 2017, putting the total number of CVEs from the Redmond giant at 1,020 for 2024. That’s second only to 2020’s total of 1,250 fixes,” noted researcher Dustin Childs of the Trend Micro Zero Day Initiative.
“It will be intriguing to see what 2025 brings, especially as Microsoft ramps up its Secure Future Initiative.”
If there is some solace to be found for administrators, it is that none of the confirmed critical vulnerabilities were found to be under active exploit in the wild.
The lone flaw known to be under attack was CVE-2024-49138, an elevation-of-privilege bug in the Windows Common Log File System (CLFS) driver that lets an attacker who already has code running on a machine raise those privileges to SYSTEM.
On its own, a local privilege escalation still requires an initial foothold, but chained with a code execution bug it becomes a full remote takeover, and that is the danger to organizations.
“Since it is a privilege escalation, it is likely being paired with a code execution bug to take over a system,” said Childs.
“These tactics are often seen in ransomware attacks and in targeted phishing campaigns.”
Also catching the eye of security experts was CVE-2024-49112, a bug in the Windows Lightweight Directory Access Protocol (LDAP) service that could allow an unauthenticated attacker to obtain remote code execution by sending specially crafted LDAP requests. In practice, because every domain controller runs LDAP, this would let a threat actor take over a domain controller as part of a larger effort to gain a foothold within a network. Until the patch is deployed, Microsoft's advisory recommends making sure domain controllers cannot reach the internet and do not accept inbound RPC from untrusted networks.
Other critical patches address remote code execution bugs for Hyper-V (CVE-2024-49117) and Remote Desktop Services (CVE-2024-49106).
Administrators and users are advised to test and install the patches as soon as possible, prioritizing the CLFS fix on every host and the LDAP fix on domain controllers.
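As an added example (not part of the original article or of Microsoft's guidance), the PowerShell script below gives an administrator a quick inventory of which hosts have taken any update since the December 10, 2024 Patch Tuesday and which of them are domain controllers, so the LDAP fix can be chased first. The host names are placeholders, and the script assumes WinRM (for Get-CimInstance) and RPC (for Get-HotFix) are reachable on each machine.

```powershell
# Added example: report update activity since Patch Tuesday (Dec 10, 2024) per host
# and flag domain controllers. Host names below are placeholders (an assumption).
$PatchTuesday = Get-Date -Year 2024 -Month 12 -Day 10
$Hosts = @('dc01', 'fs01', 'ws-042')   # placeholder host names

$Results = foreach ($h in $Hosts) {
    try {
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $h -ErrorAction Stop
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $h -ErrorAction Stop

        # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
        $isDC = $cs.DomainRole -in 4, 5

        # Get-HotFix lists installed updates with their install date; anything installed on or
        # after Patch Tuesday is a candidate for this month's cumulative update. Some entries
        # report no InstalledOn at all, so those are filtered out rather than miscounted.
        $recent = Get-HotFix -ComputerName $h -ErrorAction Stop |
                  Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday }

        [pscustomobject]@{
            Host             = $h
            Build            = "$($os.Version) (build $($os.BuildNumber))"
            DomainController = $isDC
            UpdatesSincePT   = (@($recent.HotFixID) -join ',')
            Status           = if ($recent) { 'updated since Dec 10' } else { 'NO update since Dec 10 - verify' }
        }
    } catch {
        # Unreachable hosts are reported rather than silently skipped, so the gap is visible.
        [pscustomobject]@{
            Host             = $h
            Build            = ''
            DomainController = $null
            UpdatesSincePT   = ''
            Status           = "unreachable: $($_.Exception.Message)"
        }
    }
}

# Domain controllers first, then anything that has not taken an update.
$Results | Sort-Object -Property @{Expression = 'DomainController'; Descending = $true}, Status |
    Format-Table -AutoSize
```

The script shows install activity, not proof that a specific CVE is fixed: the KB identifier of the December cumulative update differs per Windows build, so confirm the build number against Microsoft's release notes for the hosts that matter most, starting with anything flagged as a domain controller.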
Adobe releases patches for software
Microsoft is not alone in its Patch Tuesday release. Adobe also uses the second Tuesday of the month to issue security updates for its products. The December edition was a large one: 16 bulletins addressing a total of 167 CVEs.
Things are not as bad as the raw count suggests. Most of the bugs are lower-severity issues rather than ones that hand an attacker code execution.
“Most of these are simple cross-site scripting (XSS) bugs,” explained Childs, “but there is one critical code execution bug thrown in for good measure.”