Microsoft closes 2024 with 72 fixes on final Patch Tuesday

In this month’s Patch Tuesday, Microsoft has rolled out a modest update, addressing 72 vulnerabilities. Among these, only one vulnerability has garnered a CVSS score exceeding nine, indicating a higher level of threat. However, the spotlight falls on a particularly concerning flaw, CVE-2024-49138, which is currently being exploited. This vulnerability affects the Windows Common Log File System Driver, allowing for escalation of privilege attacks that could potentially grant full system access. Both Windows 10 and 11, as well as Server 2019 and later versions, are at risk.

The most critical vulnerability this month is CVE-2024-49112, boasting a CVSS score of 9.8. Despite its high rating, Microsoft has indicated that exploiting this flaw is challenging. The issue pertains to the Windows Lightweight Directory Access Protocol (LDAP) and could enable an attacker to execute code remotely, through custom LDAP calls, on Windows 10 systems and all server operating systems since 2008.

For those hesitant or unable to apply the patch, Microsoft recommends a workaround: configuring domain controllers to block inbound RPCs from untrusted networks or isolating them from the internet entirely can render this flaw unexploitable. This vulnerability was identified by Yuki Chen, a prominent figure in Microsoft’s private flaw discovery team.

Potential Exploitation Risks

Among the six vulnerabilities deemed most likely to be exploited, CVE-2024-49093 stands out as particularly severe. This flaw, located within the Windows Resilient File System, has a CVSS score of 8.8 and exposes operators to threats from malicious low-privilege AppContainers. Once an attacker gains access, they could elevate their privileges and execute code.

Two additional vulnerabilities related to privilege elevation in the Windows Common Log File System Driver—CVE-2024-49088 and CVE-2024-49090—also pose significant risks. These flaws do not require user interaction, allowing a malicious actor to seize system privileges. Similarly, CVE-2024-49114 in the Windows Cloud Files Mini Filter Driver presents a comparable threat.

The final two vulnerabilities on the exploitation watchlist involve code execution flaws. CVE-2024-49070 pertains to SharePoint, necessitating local access for exploitation. In contrast, CVE-2024-49122 affects Microsoft Message Queuing, permitting remote code execution if an attacker can send a malicious packet to an MSMQ server.

Adobe’s Extensive Fixes

In stark contrast to Microsoft’s relatively restrained update, Adobe has unveiled a substantial patch, addressing a total of 167 vulnerabilities. Users of Adobe Experience Manager will need to tackle an impressive 91 flaws, with one classified as critical; however, all should be patched, suggesting that Adobe may have been holding back some of these fixes.

Adobe Connect also received a significant update, rectifying 22 vulnerabilities, six of which are rated critical. The majority of these issues are related to cross-site scripting, but a particularly severe improper access control flaw, rated at CVSS 9.3, demands immediate attention.

For Adobe Acrobat, the situation appears more manageable, with only six vulnerabilities addressed, none exceeding a CVSS score of seven. Adobe Animate faces a more challenging scenario, with 13 vulnerabilities, all rated at 7.8. Both InDesign and Substance 3D Modeler have nine issues each, with none surpassing a CVSS score of 7.8.

Adobe Media Encoder has four vulnerabilities, three of which allow for arbitrary code execution, alongside a denial-of-service issue that also requires resolution. Illustrator and Adobe Substance 3D Painter are not without their own critical issues, necessitating prompt action from users.
