Microsoft patches worrying zero-day along with 71 other flaws

1 week ago 4
A building at the Microsoft Headquarters campus in Redmond, Washington (2014).
(Image credit: Stephen Brashear/Getty Images)

  • Microsoft releases final Patch Tuesday update of 2024
  • It addresses 71 flaws, including an actively exploited zero-day
  • This type of flaw is often used in ransomware attacks, experts claim

Microsoft has released its December Patch Tuesday cumulative update, which includes a fix for a worrying zero-day vulnerability that was being actively exploited in the wild.

The bug is described as a heap-based buffer overflow vulnerability in the Windows Common Log File System driver. It is tracked as CVE-2024-49138, and can apparently be used to fully take over vulnerable systems.

US agencies have sounded the alarm over this flaw, too. The Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog, describing it as a bug that “poses significant risks”, and urging users to apply the fix immediately.

Abused in ransomware

There is evidence that hackers are exploiting this CVE in their attacks, but we don’t know how, so whether or not it’s used in ransomware is just speculation at this point.

While undoubtedly dangerous, this heap-based buffer overflow bug is not the only one patched this time around. Microsoft fixed a total of 71 vulnerabilities, including 16 deemed critical, as they allow threat actors to remotely run arbitrary code.

In total, Microsoft fixed 27 elevation of privilege flaws, 30 RCE flaws, 7 information disclosure bugs, 5 denial of service bugs, and one spoofing vulnerability. Aside from these flaws, Microsoft also patched two Edge bugs, on December 5 and 6, BleepingComputer reports. The full list of patched flaws can be found here.

Via BleepingComputer

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

You might also like

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read Entire Article