Microsoft fixes a zero-day exploited vulnerability and 71 other CVEs in the last Patch Tuesday of the year
Microsoft has shipped the last Patch Tuesday release of the year, with plenty of security updates for Windows 10 and Windows 11. The published list of vulnerabilities addressed this month contains 72 CVEs. For one of them, CVE-2024-49138, Microsoft acknowledges that it was already being exploited.
The zero-day exploit granted system privileges to the attacker
The Windows Common Log File System Driver Elevation of Privilege Vulnerability, marked as CVE-2024-49138, can lead to the attacker obtaining system privileges on the vulnerable device.
The vulnerability was detected by the Advanced Research Team with CrowdStrike and it affected Windows 10, Windows 11, Windows Server 2019 and later versions.
According to the CVE’s mitigation notes, the root cause is a heap-based buffer overflow. Here is how this class of flaw is exploited, based on the documentation provided by CWE:
Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program’s implicit security policy. Besides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker’s code. Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory. For example, object methods in C++ are generally implemented using function pointers. Even in C programs, there is often a global offset table used by the underlying runtime.
So, the attacker needed only minimal control over the system to execute their code and take over.
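The CWE description above is abstract, so here is an added C example (not code from the article, CrowdStrike or Microsoft) that models the layout it talks about: a heap record whose data buffer is immediately followed by a function pointer. The unchecked copy routine takes its length from the caller and never compares it with the buffer size, so input longer than the buffer reaches the pointer; the hardened routine checks the length first and leaves the record untouched on over-long input. The record type, field names and copy routines are hypothetical, and the "vulnerable" path is run on a raw byte block with writes clamped to the allocation so that the overwrite is well-defined C rather than an actual out-of-bounds write.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the article, CrowdStrike or Microsoft.
 * It models the layout the quoted CWE text describes: a heap record whose
 * data buffer is immediately followed by a function pointer, so an
 * unchecked copy into the buffer runs into the pointer. All names
 * (log_record, on_done, BUF_LEN, the copy routines) are hypothetical. */

#define BUF_LEN 16

struct log_record {
    char buf[BUF_LEN];       /* caller-supplied data is copied here */
    void (*on_done)(void);   /* a function pointer right after the buffer */
};

static int done_calls = 0;
static void record_done(void) { done_calls++; }

/* Vulnerable pattern: the copy length comes from the caller and is never
 * compared with BUF_LEN. To keep the demonstration well-defined C, the
 * record is handled as a raw byte block and writes are clamped to the
 * allocation; a real overrun would also continue into the heap beyond it.
 * Returns 1 if the bytes holding on_done no longer equal the original. */
int unchecked_copy_corrupts_pointer(size_t len)
{
    const size_t rec_size = sizeof(struct log_record);
    const size_t ptr_off  = offsetof(struct log_record, on_done);
    unsigned char *block = calloc(1, rec_size);
    if (block == NULL) return -1;

    void (*orig)(void) = record_done;
    memcpy(block + ptr_off, &orig, sizeof orig);    /* install the pointer */

    unsigned char src[64];                          /* constructed input */
    memset(src, 'A', sizeof src);
    if (len > rec_size) len = rec_size;             /* simulation guard only */
    memcpy(block, src, len);                        /* no check against BUF_LEN */

    void (*now)(void);
    memcpy(&now, block + ptr_off, sizeof now);
    int corrupted = (now != orig);
    free(block);
    return corrupted;
}

/* Hardened pattern: the destination size is checked before copying. */
static int copy_bounded(struct log_record *r, const char *src, size_t len)
{
    if (len > BUF_LEN) return -1;   /* reject; the record is left untouched */
    memcpy(r->buf, src, len);
    return 0;
}

/* Returns 1 if a bounded copy of `len` bytes is accepted and on_done still
 * points at record_done, 0 if the copy was rejected, -1 on allocation failure. */
int bounded_copy_keeps_pointer(size_t len)
{
    struct log_record *r = calloc(1, sizeof *r);
    if (r == NULL) return -1;
    r->on_done = record_done;

    char src[64];                                   /* constructed input */
    memset(src, 'A', sizeof src);
    int accepted = (copy_bounded(r, src, len) == 0);
    int intact = (r->on_done == record_done);
    if (accepted && intact) r->on_done();           /* pointer is trustworthy */
    free(r);
    return accepted && intact;
}

int main(void)
{
    size_t over = BUF_LEN + sizeof(void (*)(void));
    printf("unchecked, %zu bytes: corrupted=%d\n", (size_t)BUF_LEN,
           unchecked_copy_corrupts_pointer(BUF_LEN));
    printf("unchecked, %zu bytes: corrupted=%d\n", over,
           unchecked_copy_corrupts_pointer(over));
    printf("bounded,   %zu bytes: ok=%d\n", over, bounded_copy_keeps_pointer(over));
    printf("bounded,   %zu bytes: ok=%d (callbacks run: %d)\n", (size_t)BUF_LEN,
           bounded_copy_keeps_pointer(BUF_LEN), done_calls);
    return 0;
}
```

With a 16-byte copy the pointer survives on both paths; with BUF_LEN plus one pointer width, the unchecked path reports the pointer overwritten with the input bytes, while the bounded path simply refuses the copy. The same length-before-copy check is the fix for this bug class in any C code base, kernel drivers included.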
The LDAP vulnerability was another serious vulnerability
Another high-rated vulnerability addressed in the December Patch Tuesday release was CVE-2024-49112, with a CVSS score of 9.8. However, this one was less likely to be exploited because it required a higher-complexity technique to pull off.
This time, the vulnerable component was Windows Lightweight Directory Access Protocol (LDAP), which allowed an attacker to remotely execute code on Windows 10 and Windows Server 2019 and later through custom LDAP calls. Microsoft issued an LDAP patch for Windows 11 last year, which seemed to be effective, but we don’t know why the other OSes were not patched at that time as well.
In short, the latest security updates are available now via Windows Update or the Microsoft Update Catalog, and you should install them as soon as possible.
If you have been dealing with any of the exploits, let’s talk about them in the comments below.