Microsoft has released its December 2024 Patch Tuesday, which fixes a total of 71 security vulnerabilities, including a zero-day in the Windows Common Log File System (CLFS) Driver. The actively exploited bug, tracked as CVE-2024-49138 (CVSS 7.8), is a moderate-severity flaw that allows attackers to escalate privileges on Windows Server.
Another critical unauthenticated Remote Code Execution (RCE) security vulnerability, CVE-2024-49112 (CVSS 9.8), affects the Windows Lightweight Directory Access Protocol (LDAP). This bug allows attackers to execute arbitrary code on systems running LDAP services.
The December 2024 Patch Tuesday also addresses eight other critical vulnerabilities in Remote Desktop Services, including five Use-After-Free (UAF) bugs and a UAF vulnerability related to sensitive data storage. These issues can be exploited by attackers to gain control of the system or execute arbitrary code.
Additionally, security experts have identified two other vulnerabilities that should be patched immediately: an elevation-of-privilege (EoP) vulnerability in the Windows Resilient File System (ReFS) and a deserialization vulnerability in Musik, a research project on AI-created music.
Source: https://www.darkreading.com/application-security/microsoft-zero-day-critical-rces-patch-tuesday