December 10, 2024

Microsoft today released updates to plug at least 70 security holes in Windows and Windows software, including one vulnerability that is already being exploited in active attacks.

The zero-day seeing exploitation involves CVE-2024-49138, a security weakness in the Windows Common Log File System (CLFS) driver — used by applications to write transaction logs — that could let an attacker who already has a low-privileged foothold on a vulnerable Windows device escalate to SYSTEM-level privileges. It is a local elevation-of-privilege bug, not a way in by itself, which is why it tends to be chained with malware or another exploit that provides the initial access.

The security firm Rapid7 notes there have been a series of zero-day elevation of privilege flaws in CLFS over the past few years.

“Ransomware authors who have abused previous CLFS vulnerabilities will be only too pleased to get their hands on a fresh one,” wrote Adam Barnett, lead software engineer at Rapid7. “Expect more CLFS zero-day vulnerabilities to emerge in the future, at least until Microsoft performs a full replacement of the aging CLFS codebase instead of offering spot fixes for specific flaws.”

Elevation of privilege vulnerabilities accounted for 29 percent of the 1,009 security bugs Microsoft has patched so far in 2024, according to a year-end tally by Tenable; nearly 40 percent of those bugs were weaknesses that could let attackers run malicious code on the vulnerable device.

Rob Reeves, principal security engineer at Immersive Labs, called special attention to CVE-2024-49112, a remote code execution flaw in the Lightweight Directory Access Protocol (LDAP) service on every version of Windows since Windows 7. CVE-2024-49112 has been assigned a CVSS (badness) score of 9.8 out of 10.

“LDAP is most commonly seen on servers that are Domain Controllers inside a Windows network and LDAP must be exposed to other servers and clients within an enterprise environment for the domain to function,” Reeves said. “Microsoft hasn’t released specific information about the vulnerability at present, but has indicated that the attack complexity is low and authentication is not required.”

Tyler Reguly at the security firm Fortra had a slightly different 2024 patch tally for Microsoft, at 1,088 vulnerabilities, which he said was surprisingly similar to the 1,063 vulnerabilities resolved in 2023 and the 1,119 vulnerabilities resolved in 2022.

“If nothing else, we can say that Microsoft is consistent,” Reguly said. “While it would be nice to see the number of vulnerabilities each year decreasing, at least consistency lets us know what to expect.”

If you’re a Windows end user and your system is not set up to automatically install updates, please take a minute this week to run Windows Update, preferably after backing up your system and/or important data. Given that the CLFS flaw is already being exploited, it is worth confirming the update actually installed rather than assuming it did.
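For administrators who want something more than a glance at the Windows Update screen, here is a PowerShell check added to this post (it is not from Microsoft, Rapid7, Immersive Labs or any of the vendors quoted above). It reports what has been installed on a host since December 10, 2024, the version of the CLFS driver on disk, whether the host is a domain controller listening on the LDAP ports, and whether the Windows Update Agent still sees uninstalled updates. The Patch Tuesday date, the port numbers and the property names in the output are assumptions made for this example; it does not know which clfs.sys version the December update ships, so compare that value against the fixed build yourself.

```powershell
# Added example, not from the original post. A quick post-Patch-Tuesday
# check for a Windows host. It reports:
#   - updates installed on or after 10 December 2024 (Get-HotFix),
#   - the file version of the CLFS driver (clfs.sys) relevant to CVE-2024-49138,
#   - whether the host is a domain controller and listens on LDAP/LDAPS
#     (relevant to CVE-2024-49112),
#   - whether the Windows Update Agent still reports uninstalled updates.
# The date, ports and output field names are assumptions for this example.

$patchTuesday = Get-Date -Year 2024 -Month 12 -Day 10

# Updates applied since Patch Tuesday. InstalledOn can be null for some
# entries, so only compare when it is populated.
$recentUpdates = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn

# File version of the CLFS driver currently on disk.
$clfsPath = Join-Path $env:SystemRoot 'System32\drivers\clfs.sys'
$clfsVersion = (Get-Item $clfsPath).VersionInfo.FileVersion

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
$isDomainController = $role -in 4, 5

# LDAP (389) and LDAPS (636) listeners on this host.
$ldapListeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 389, 636 } |
    Select-Object -ExpandProperty LocalPort -Unique

# Ask the Windows Update Agent (COM API) what is still missing. This needs
# reachability to Windows Update or the configured WSUS server.
$pending = @()
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $result = $searcher.Search("IsInstalled=0 and Type='Software'")
    $pending = @($result.Updates | ForEach-Object { $_.Title })
} catch {
    $pending = @("update search failed: $($_.Exception.Message)")
}

[pscustomobject]@{
    Computer                 = $env:COMPUTERNAME
    OSVersion                = (Get-CimInstance Win32_OperatingSystem).Version
    UpdatesSincePatchTuesday = ($recentUpdates.HotFixID -join ', ')
    ClfsDriverVersion        = $clfsVersion
    IsDomainController       = $isDomainController
    LdapListenPorts          = ($ldapListeners -join ', ')
    PendingUpdates           = ($pending -join '; ')
} | Format-List
```

Run it in an elevated PowerShell session. An empty UpdatesSincePatchTuesday together with a non-empty PendingUpdates is the case to act on; a domain controller with LdapListenPorts populated is expected (Reeves’ point above is that LDAP has to be reachable for the domain to work), so the fix there is patching, not blocking the port.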

System admins should keep an eye on AskWoody.com, which usually has the details if any of the Patch Tuesday fixes are causing problems. In the meantime, if you run into any problems applying this month’s fixes, please drop a note about it in the comments below.


12 thoughts on “Patch Tuesday, December 2024 Edition”

  1. Fred Trump

    The ‘Trump-As-President-Again’ flaw hasn’t been addressed yet. Microsoft has determined the citizenship of the US needs to wake up about the negatives of a conman as president.

    1. Fr00tL00ps

      Why do you people insist on using an IT Security blog to spew your divisive partisan vitriol?

      P*ss off back to Twitter where it belongs and leave the conversation here to grown-ups FFS!

  2. Depends Revenge

    “For my entire career I have followed one simple principle: Just tell the American people the truth.” –Joe Biden

    On whether Joe Biden had ruled out a pardon for his son: “Yes.” –Joe Biden 6/6/24
    “I will not pardon [Hunter].” 6/13/24
    On whether Joe Biden would accept a jury’s outcome regarding Hunter, no matter what it is: “Yes.” –Joe Biden

    1. Fr00tL00ps

      Why do you people insist on using an IT Security blog to spew your divisive partisan vitriol?

      P*ss off back to Twitter where it belongs and leave the conversation here to grown-ups FFS!

      1. Depends Revenge

        Agree. Just pushing back on the dlpshlt original poster. Furthermore, I don’t know why the Linux fans have to drop in just to trash MS and contribute nothing relevant to the topic. OK, fine, we get it; you don’t like MS. Why clutter up the “Patch Tuesday” comments with inane whining? There must be a Linux or I-hate-MS forum somewhere.

        1. Fr00tL00ps

          I agree, fanbois are gonna fanboi, regardless of OS of choice. As a regular user of all 3 major environments, I usually refrain from engaging and generally ignore and move on, unless it is obvious misinformation that requires addressing, as they all have their pros and cons.

          Political discourse, however, frustrates the hell out of me. I am not a US citizen, but Brian’s publishing has a global audience, and some of his commentators are so insular that it doesn’t occur to them that the rest of the world doesn’t give a sh*t, so why broadcast it in such an inappropriate location?

    2. mealy

      Ok but your computer will hit maxint before you can list all of Trump’s, er, misstatements of fact…

    3. Cory S.

      Cool story, and tell it to people who care. Why are you so butt hurt about something that has already happened and over which you have no control? Grow up, child.

  3. MH

    I updated my Windows 11 PC yesterday and now the brightness settings are completely missing in settings. Bah.

  4. retro bowl online

    After yesterday’s Windows 11 PC update, I can no longer access the brightness controls in the settings menu. Oh no.

  5. Gary Gimpowski

    I really enjoy Mr. Krebs’ in-depth and well-written postings. Mr. Krebs writes in such a way that non-techies can follow along. I’ve also enjoyed the comments until now. Please, leave your politics on your side of the screen, not here! Post on X or BlueSky, but, please, not here.
