Zero Day Initiative — The December 2024 Security Update Review
Adobe Patches for December 2024
For December, Adobe released a monstrous 16 patches addressing a whopping 167 CVEs in Adobe Experience Manager, Acrobat and Reader, Media Encoder, Illustrator, After Effects, Animate, InDesign, Adobe PDFL Software Development Kit (SDK), Connect, Substance 3D Sampler, Photoshop, Substance 3D Modeler, Bridge, Premiere Pro, Substance 3D Painter, and FrameMaker. The largest of these by far is the patch for Experience Manager with 91 CVEs. However, most of these are simple cross-site scripting (XSS) bugs, with one critical code execution bug thrown in for good measure. The update for Connect is also large with 22 CVEs fixed, and again, most of these are XSS. The patch for Acrobat also contains a couple of code execution bugs. The Animate fixes may be the most severe, as they address 13 Critical-rated code execution bugs.
The fixes for InDesign and Substance 3D Modeler both address nine different bugs. The Media Encoder patch corrects four bugs. The Substance 3D Sampler update fixes three. The Illustrator and Substance 3D Painter fixes each address two bugs. In all of these, the worst of the bugs could allow code execution, usually by opening a specially crafted file. The remaining patches each address only a single CVE.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe gives all of these updates a deployment priority rating of 3.
Microsoft Patches for December 2024
This month, Microsoft released 71 new CVEs in Windows and Windows Components, Office and Office Components, SharePoint Server, Hyper-V, Defender for Endpoint, and System Center Operations Manager. Two of these bugs came through the ZDI program. With the addition of the third-party CVEs, the entire release tops out at 72 CVEs.
Of the patches released today, 16 are rated Critical, 54 are rated Important, and one is rated Moderate in severity. This is the largest number of CVEs addressed in December since at least 2017, putting the total number of CVEs from the Redmond giant at 1,020 for 2024. That’s second only to 2020’s total of 1,250 fixes. It will be intriguing to see what 2025 brings, especially as Microsoft ramps up its Secure Focus Initiative.
One of these bugs is listed as publicly known and under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the vulnerability currently being exploited:
– CVE-2024-49138 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
This bug is listed as publicly known and under active attack, but Microsoft provides no information regarding where it was disclosed or how widespread the attacks may be. Since it is a privilege escalation, it is likely being paired with a code execution bug to take over a system. These tactics are often seen in ransomware attacks and in targeted phishing campaigns.
– CVE-2024-49112 – Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
This is the highest severity bug in this month’s release with a CVSS score of 9.8. It allows remote, unauthenticated attackers to exploit affected Domain Controllers by sending a specially crafted set of LDAP calls. Code execution occurs at the level of the LDAP service, which is elevated, but not SYSTEM. Microsoft provides some… interesting mitigation advice. They recommend disconnecting Domain Controllers from the internet. While that would stop this attack, I’m not sure how practical that would be for most enterprises. I recommend testing and deploying the patch quickly.
– CVE-2024-49117 – Windows Hyper-V Remote Code Execution Vulnerability
This Critical-rated bug allows someone on a guest VM to execute code on the underlying host OS. They could also perform a cross-VM attack. The good news here is that the attacker does need to be authenticated. The bad news is that the attacker only requires basic authentication – nothing elevated. If you are running Hyper-V or have hosts on a Hyper-V server, you’ll definitely want to get this patched quickly.
– CVE-2024-49063 – Microsoft/Muzic Remote Code Execution Vulnerability
This bug is interesting for what it affects as much as what it could allow. If you aren’t familiar with it (I wasn’t), “Muzic is a research project on AI music that empowers music understanding and generation with deep learning and artificial intelligence.” It’s also pronounced [ˈmjuːzeik] for some reason. We’ve been wondering what bugs in AI would look like, and so far, they look like deserialization vulnerabilities. That’s what we have here. An attacker could gain code execution by crafting a payload that executes upon deserialization. Neat.
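As an added illustration of the defensive side of that bug class (this is not code from the post, and it is not Muzic's code or a description of the actual Muzic bug), here is a small Python example of two controls a project that loads pickled model or dataset files can apply before trusting a blob: a static opcode audit using the standard library's pickletools, which disassembles a pickle stream without executing it, and a restricted unpickler that refuses every global lookup so an attacker-chosen module.attribute is never resolved. The sample blobs are constructed inline; the (empty) allowlist is an assumption for a project that only ever pickles plain data.

```python
import io
import pickle
import pickletools

# Opcodes that let a pickle import a callable (GLOBAL, STACK_GLOBAL, INST) or
# invoke one while loading (REDUCE, BUILD, OBJ, NEWOBJ, NEWOBJ_EX). A blob of
# plain data (dicts, lists, strings, numbers) never needs any of them.
DANGEROUS_OPCODES = frozenset(
    {"GLOBAL", "STACK_GLOBAL", "INST", "REDUCE", "BUILD", "OBJ", "NEWOBJ", "NEWOBJ_EX"}
)


def audit_pickle(blob: bytes) -> list:
    """Statically scan a pickle stream and return the dangerous opcodes it
    contains, in stream order. pickletools.genops only disassembles; nothing
    in the blob is executed."""
    found = []
    for opcode, _arg, _pos in pickletools.genops(blob):
        if opcode.name in DANGEROUS_OPCODES:
            found.append(opcode.name)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose find_class refuses everything not on an allowlist.
    find_class is the hook every GLOBAL/STACK_GLOBAL/INST opcode goes through,
    so this is the second layer if the static audit is ever bypassed."""

    # Hypothetical allowlist: empty, because plain-data blobs need no globals.
    # Extend only with specific (module, name) pairs you have reviewed.
    ALLOWED_GLOBALS = frozenset()

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def safe_loads(blob: bytes):
    """Audit first, then load with the restricted unpickler."""
    flagged = audit_pickle(blob)
    if flagged:
        raise pickle.UnpicklingError(f"refusing blob with opcodes {flagged}")
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def load_or_reject(blob: bytes):
    """Wrapper returning ("ok", obj) or ("rejected", reason) for callers that
    log and move on instead of raising."""
    try:
        return ("ok", safe_loads(blob))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed sample inputs (not real Muzic artifacts): a plain-data blob a
# music project might legitimately store, and a blob that merely references a
# builtin by name, which is enough for the audit to reject it.
BENIGN_BLOB = pickle.dumps({"tempo": 120, "notes": [60, 62, 64], "title": "constructed"})
FLAGGED_BLOB = pickle.dumps(len)


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_BLOB), ("flagged", FLAGGED_BLOB)):
        print(label, audit_pickle(blob), load_or_reject(blob))
```

Where the file format allows it, the better answer is to not use pickle for untrusted input at all and load a data-only format such as JSON; the audit and the restricted loader are for the cases where a pickle-based format is already in the codebase and cannot be swapped out immediately.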
Here’s the full list of CVEs released by Microsoft for December 2024: