Update, Dec. 12, 2024: This story, originally published Dec. 11, now includes further information from security experts regarding another critical vulnerability within the latest Windows security round-up and a reminder of why it’s imperative everyone updates their Windows PC now.
Microsoft has confirmed a zero-day security vulnerability that can open up Windows devices to full system compromise is under active exploitation. The cyberattack has also been confirmed by the U.S. Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, which has added the security issue to the Known Exploited Vulnerability Catalog, and advised it “poses significant risks” with a recommendation for all users to take appropriate remediation measures and update now. Here’s what you need to know about CVE-2024-49138.
The CVE-2024-49138 Threat To Windows Users
The December round of Patch Tuesday vulnerability fixes has been released by Microsoft, and among the 72 vulnerabilities this month is one that needs your full attention right now: CVE-2024-49138.
Not much is known about the vulnerability itself; as is often the case with such zero-day issues, detail is held back until as many users as possible have had the opportunity to patch against the exploit. However, what we do know is that it’s a heap-based buffer overflow vulnerability, a memory safety issue, in the Microsoft Windows Common Log File System (CLFS) driver. We also know that it is a very widespread vulnerability impacting millions of Windows users.
“The vulnerability affects all Windows OS editions back to Server 2008,” Chris Goettl, vice president of security product management at Ivanti, said. “The CVE is rated Important by Microsoft and has a CVSSv3.1 score of 7.8. Risk-based prioritization would rate this vulnerability as Critical which makes the Windows OS update this month your top priority.”
CISA also sees this as a top priority, having added it to the KEV catalog and stating that “CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation” of the critical issue.
The Ransomware Risk Posed By CVE-2024-49138 To Windows Users
Given that Microsoft has said that it has evidence of in-the-wild exploitation and public disclosure for CVE-2024-49138, it’s no wonder that this is being seen as a critical security moment for Windows users. That said, as Adam Barnett, lead software engineer at Rapid7, sagely pointed out, “for the third month in a row, Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication.” Why is this important? Because Windows Common Log File System exploits are a favorite among cybercriminals, especially those participating in the ransomware sector. “Ransomware authors who have abused previous CLFS vulnerabilities will be only too pleased to get their hands on a fresh one,” Barnett said, “expect more CLFS zero-day vulnerabilities to emerge in the future, at least until Microsoft performs a full replacement of the aging CLFS codebase instead of offering spot fixes for specific flaws.” I have approached Microsoft for a statement.
CVE-2024-49138 Is Not The Only Windows Critical Vulnerability This Month
There’s actually only a single security vulnerability with a criticality rating higher than 9.0 this month, and that’s CVE-2024-49112, which affects the Lightweight Directory Access Protocol (LDAP) and has been allocated a whopping 9.8 on the risk scale. Unsurprisingly, this vulnerability could lead to remote and unauthenticated code execution, hence the exceptionally high score.
“Microsoft has provided mitigations that are really just proper security hygiene but serve as a good reminder for enterprises,” Tyler Reguly, associate director for security research and development at Fortra, said, “domain controllers must be blocked from Internet access.” Reguly also took the time to look back over the year and calculated that Microsoft had resolved a total of 1088 vulnerabilities, which “is surprisingly similar to the 1063 vulnerabilities resolved in 2023 and the 1119 vulnerabilities resolved in 2022.”
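One way for an administrator to check, and optionally enforce, the “domain controllers must be blocked from Internet access” hygiene quoted above is with Windows Defender Firewall rules. The script below is an added example written for this article; it is not code from Microsoft, Fortra or the article itself. The rule name is an assumption, and it relies only on the built-in NetSecurity cmdlets and the Win32_ComputerSystem DomainRole value (4 = backup DC, 5 = primary DC).

```powershell
# Added example (not from the article, Microsoft or Fortra): audit and optionally
# enforce an outbound-Internet block on a domain controller with Windows Defender
# Firewall. $RuleName is a hypothetical name chosen for this example.
#Requires -RunAsAdministrator

$RuleName = 'DC-Block-Outbound-Internet'

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -eq 4 -or $role -eq 5)
}

function Get-DcInternetBlockState {
    # Reports whether the block rule exists, is enabled, and actually blocks
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        IsDomainController = Test-IsDomainController
        RuleExists         = [bool]$rule
        RuleEnabled        = [bool]($rule -and $rule.Enabled -eq 'True')
        Compliant          = [bool]($rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
    }
}

function Enable-DcInternetBlock {
    # Audit-only by default; pass -Enforce to create the rule
    param([switch]$Enforce)

    if (-not (Test-IsDomainController)) {
        Write-Warning 'This host is not a domain controller; no rule created.'
        return
    }
    $state = Get-DcInternetBlockState
    if ($state.Compliant) {
        Write-Host "Already compliant: '$RuleName' is enabled and blocking."
        return
    }
    if (-not $Enforce) {
        Write-Host "Not compliant. Would create outbound block rule '$RuleName' (rerun with -Enforce)."
        return
    }
    # 'Internet' is the firewall's built-in address keyword for destinations outside
    # the local subnets/intranet; the Domain profile applies on the corporate network.
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Outbound -Action Block `
        -RemoteAddress Internet -Profile Domain -Enabled True `
        -Description 'Block domain controller outbound Internet access (security hygiene)' | Out-Null
    Write-Host "Created outbound block rule '$RuleName'."
}

Get-DcInternetBlockState | Format-List
Enable-DcInternetBlock   # audit only; add -Enforce to create the rule
```

Run it once in audit mode on each domain controller and review the output before using -Enforce: a DC that is cut off from the Internet must still reach Windows Update through an internal WSUS server or proxy, otherwise the very patch this article is urging you to install will never arrive.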
In the meantime, all Windows users are urged to update now and not be confused by other headlines seemingly suggesting the contrary. This is about Windows security, not updating your operating system from one major release to another: please, I implore you, do not waste time as those who would compromise your systems and data most certainly won’t be.