In December 2024, Adobe released 16 patches addressing 167 Common Vulnerabilities and Exposures (CVEs) across its product line. The affected products are Adobe Experience Manager, Acrobat and Reader, Media Encoder, Illustrator, After Effects, Animate, InDesign, Adobe PDFL Software Development Kit (SDK), Connect, Substance 3D Sampler, Photoshop, Substance 3D Modeler, Bridge, Premiere Pro, Substance 3D Painter, and FrameMaker.
Adobe’s Comprehensive Patch Overview
The most significant patch in this release is for Adobe Experience Manager, which resolves 91 CVEs. While the majority of these vulnerabilities are cross-site scripting (XSS) issues, the set also includes a critical code execution vulnerability. The update for Connect is also considerable, addressing 22 CVEs, again predominantly XSS. Acrobat’s patch fixes several code execution vulnerabilities as well, while the fixes for Animate stand out for their severity, tackling 13 critical-rated code execution bugs.
Other notable patches include:
- InDesign and Substance 3D Modeler: 9 CVEs each
- Media Encoder: 4 CVEs
- Substance 3D Sampler: 3 CVEs
- Illustrator and Substance 3D Painter: 2 CVEs each
Most of these vulnerabilities could allow code execution, typically triggered by opening a specially crafted file. None of the vulnerabilities addressed by Adobe this month are reported as publicly known or under active attack at the time of release, and the updates have been assigned a deployment priority rating of 3.
Microsoft’s December Patch Release
Meanwhile, Microsoft has also made headlines with its December release, which includes 71 new CVEs affecting Windows and its components, Office, SharePoint Server, Hyper-V, Defender for Endpoint, and System Center Operations Manager. This month’s total, which includes third-party CVEs, reaches 72, marking the largest number of CVEs addressed in December since 2017. With a cumulative total of 1,020 CVEs for 2024, Microsoft is on track to rival its 2020 total of 1,250 fixes.
Among the patches, 16 are rated Critical, 54 Important, and one Moderate. One of these vulnerabilities is currently listed as publicly known and under active attack; it and the other notable fixes are listed below:
- CVE-2024-49138 – Windows Common Log File System Driver Elevation of Privilege Vulnerability: This vulnerability is actively being exploited, although details regarding its disclosure remain sparse. It is likely being leveraged in conjunction with a code execution bug, a tactic often seen in ransomware attacks.
- CVE-2024-49112 – Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability: With a CVSS score of 9.8, this vulnerability allows remote, unauthenticated attackers to exploit affected Domain Controllers via specially crafted LDAP calls. Microsoft’s mitigation advice includes disconnecting Domain Controllers from the internet, a recommendation that may not be practical for many enterprises.
- CVE-2024-49117 – Windows Hyper-V Remote Code Execution Vulnerability: This critical bug permits an authenticated user on a guest VM to execute code on the underlying host OS, raising concerns for those operating Hyper-V environments.
- CVE-2024-49063 – Microsoft/Muzic Remote Code Execution Vulnerability: This vulnerability affects Muzic, an AI music research project, and stems from deserialization flaws that could allow an attacker to gain code execution through crafted payloads.
As organizations navigate these updates, the emphasis remains on prompt patching to mitigate potential risks associated with these vulnerabilities.