Microsoft Resolves 72 Security Flaws, Including an Actively Exploited CLFS Vulnerability
December 11, 2024
Microsoft's final Patch Tuesday updates for 2024 included fixes for 72 security flaws across its software range, one of which is currently being exploited. The vulnerabilities included 17 Critical, 54 Important, and one Moderate. The company also addressed 13 vulnerabilities in its Chromium-based Edge browser since last month's security update. In total, Microsoft has resolved 1088 vulnerabilities in 2024, according to Fortra.
The actively exploited vulnerability is CVE-2024-49138, a privilege escalation flaw in the Windows Common Log File System (CLFS) Driver. Microsoft stated, 'An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.' This flaw was discovered and reported by cybersecurity company CrowdStrike. This is the fifth actively exploited CLFS privilege escalation flaw since 2022, following CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, and CVE-2023-28252. Ransomware operators have shown a preference for exploiting CLFS elevation of privilege flaws in recent years.
Microsoft is aware of the attractiveness of CLFS as an attack pathway and is working to add a new verification step for parsing log files. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply necessary remediations by December 31, 2024.
The most severe bug in this month's release is a remote code execution flaw affecting Windows Lightweight Directory Access Protocol (LDAP), tracked as CVE-2024-49112. According to Microsoft, 'An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through a specially crafted set of LDAP calls to execute arbitrary code within the context of the LDAP service.' Other notable remote code execution flaws impact Windows Hyper-V (CVE-2024-49117), Remote Desktop Client (CVE-2024-49105), and Microsoft Muzic (CVE-2024-49063).
Amid these developments, 0patch released unofficial fixes for a Windows zero-day vulnerability that allows attackers to capture NT LAN Manager (NTLM) credentials. Microsoft has announced plans to phase out the legacy NTLM authentication protocol in favor of Kerberos. It has also enabled Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019. Similar security improvements have been made to Azure Directory Certificate Services (AD CS) with the release of Windows Server 2025, which also deprecates NTLM v2 and removes support for NTLM v1. These changes apply to Windows 11 24H2 as well.