Vulnerability Watch

scaveza
Product Team
10 months ago

Microsoft’s December 2024 Patch Tuesday Addresses 70 CVEs (CVE-2024-49138)

On December 10, Microsoft released its December 2024 Patch Tuesday release, the final Patch Tuesday of 2024. This update addresses 70 CVEs and one advisory with 16 rated critical, including one zero-day that was exploited in the wild.

CVE-2024-49138 is an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) Driver. It was assigned a CVSSv3 score of 7.8 and is rated as important. It was exploited in the wild as a zero-day, though no details about the in-the-wild exploitation were known at the time our blog post was published.

This month’s update includes patches for:

  • GitHub
  • Microsoft Defender for Endpoint
  • Microsoft Office
  • Microsoft Office Access
  • Microsoft Office Excel
  • Microsoft Office Publisher
  • Microsoft Office SharePoint
  • Microsoft Office Word
  • Remote Desktop Client
  • Role: DNS Server
  • Role: Windows Hyper-V
  • System Center Operations Manager
  • Windows Cloud Files Mini Filter Driver
  • Windows Common Log File System Driver
  • Windows File Explorer
  • Windows IP Routing Management Snapin
  • Windows Kernel
  • Windows Kernel-Mode Drivers
  • Windows LDAP - Lightweight Directory Access Protocol
  • Windows Local Security Authority Subsystem Service (LSASS)
  • Windows Message Queuing
  • Windows Mobile Broadband
  • Windows PrintWorkflowUserSvc
  • Windows Remote Desktop
  • Windows Remote Desktop Services
  • Windows Resilient File System (ReFS)
  • Windows Routing and Remote Access Service (RRAS)
  • Windows Task Scheduler
  • Windows Virtualization-Based Security (VBS) Enclave
  • Windows Wireless Wide Area Network Service
  • WmsRepair Service

For more information, please visit our blog.
