Update, Dec. 12, 2024: This story, originally published Dec. 11, now includes additional information from security experts about another critical vulnerability in the latest Windows security round-up, and a reminder of why it is critical that everyone updates their Windows PC now.
Microsoft has confirmed that a zero-day security vulnerability which can open up Windows devices to full system compromise is under active exploitation. The attacks have also been confirmed by the U.S. Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, which has added the security issue to its Known Exploited Vulnerabilities Catalog and advised that it “poses significant risks”, with a recommendation that all users take appropriate remediation measures and update now. Here’s what you need to know about CVE-2024-49138.
The CVE-2024-49138 Threat To Windows Users
The December round of Patch Tuesday vulnerability fixes has been released by Microsoft, and among the 72 vulnerabilities this month is one that needs your full attention right now: CVE-2024-49138.
Not much is known about the vulnerability itself; as is often the case with such zero-day issues, detail is held back until as many users as possible have had the chance to patch against the exploit. However, what we do know is that it is a heap-based buffer overflow vulnerability, a memory safety issue, in the Microsoft Windows Common Log File System driver. We also know that it is a very widespread vulnerability, affecting millions of Windows users.
“The vulnerability affects all Windows OS editions back to Server 2008,” Chris Goettl, vice president of security product management at Ivanti, said. “The CVE is rated Important by Microsoft and has a CVSSv3.1 score of 7.8. Risk-based prioritization would rate this vulnerability as Critical, which makes the Windows OS update this month your top priority.”
CISA also sees this as a top priority, having added it to the KEV catalog while stating that “CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation” of the critical issue.
The Ransomware Risk Posed By CVE-2024-49138 To Windows Users
Given that Microsoft has said it has evidence of in-the-wild exploitation and public disclosure for CVE-2024-49138, it’s no wonder that this is being seen as a critical security moment for Windows users. Although, as Adam Barnett, lead software engineer at Rapid7, sagely pointed out, “for the third month in a row, Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication.” Why is this significant? Because Windows Common Log File System exploits are a favourite among cybercriminals, particularly those participating in the ransomware sector. “Ransomware authors who have abused earlier CLFS vulnerabilities will be only too pleased to get their hands on a fresh one,” Barnett said, “expect more CLFS zero-day vulnerabilities to emerge in the future, at least until Microsoft performs a full replacement of the ageing CLFS codebase instead of offering spot fixes for specific flaws.” I have approached Microsoft for a statement.
CVE-2024-49138 Is Not The Only Windows Critical Vulnerability This Month
There is actually only a single security vulnerability with a criticality rating higher than 9.0 this month, and that is CVE-2024-49112, which targets the Lightweight Directory Access Protocol and has been allotted a whopping 9.8 on the risk scale. Unsurprisingly, this vulnerability could lead to remote and unauthenticated code execution, hence the exceptionally high score.
“Microsoft has provided mitigations that are really just proper security hygiene but serve as a good reminder for enterprises,” Tyler Reguly, associate director for security research and development at Fortra, said, “domain controllers need to be blocked from Internet access.” Reguly also took the time to look back over the year and calculated that Microsoft had resolved a total of 1088 vulnerabilities, which “is surprisingly similar to the 1063 vulnerabilities resolved in 2023 and the 1119 vulnerabilities resolved in 2022.”
In the meantime, all Windows users are urged to update now and not be confused by other headlines seemingly suggesting otherwise. This is about Windows security, not upgrading your operating system from one major release to another: please, I implore you, don’t waste time, because those who would compromise your systems and data most certainly won’t be.