Skip to content Windows Update
Image: PixieMe / Shutterstock
Yesterday was the last Patch Tuesday of 2024, and with it Microsoft has provided a number of security updates, eliminating 71 security vulnerabilities across various Microsoft apps and services.
Microsoft categorizes 16 of these vulnerabilities as “critical” and classifies all but one of the remaining issues as “high risk.” According to the company, one of those Windows security flaws is already being exploited in the wild, so it’s crucial to patch ASAP.
With 1,020 security vulnerabilities patched throughout 2024, this has been the second worst year for Microsoft as far as sheer number of security issues. It was only surpassed once, in 2020, which saw 1,250 security vulnerabilities across the year.
Microsoft offers sparse details on these vulnerabilities in its Security Update Guide. Dustin Childs breaks down Patch Tuesday in a much clearer way on the Trend Micro ZDI blog, always with an eye for admins who manage corporate networks.
Windows security flaws patched
A large proportion of the vulnerabilities — 59 this time around — are spread across the various Windows versions (10, 11, and Server) for which Microsoft still offers security updates.
Although Windows 7 and 8.1 are no longer mentioned in security reports, they could still be vulnerable. If your system requirements allow it, you should switch to Windows 10 22H2 or Windows 11 23H2 to continue receiving security updates. The Windows 11 24H2 update is available, but you might want to hold off until its widespread issues are fixed.
Windows under attack in the wild
According to Microsoft, there are already attacks being made on one particular security vulnerability in Windows. Known as CVE-2024-49138, this buffer overflow issue in the driver of the shared protocol file system has been identified as high risk, allowing an attacker to gain system authorization via elevation of privilege.
In combination with an RCE (Remote Code Execution) security vulnerability, an attacker could gain full control of the Windows system and cause major damage. Such combinations are often seen in ransomware attacks, which are still on the rise today.
Tip: Not only should you be diligently keeping your operating system up to date, but you should also be protecting your PC with reputable antivirus software and VPN software. Check out our top picks for the best Windows antivirus suites and best VPN services.
Other critical Windows security flaws
Microsoft categorizes a total of 16 RCE vulnerabilities in Windows as critical, with the Remote Desktop service alone accounting for nine of them. Even though there are no recorded in-the-wild exploits of these vulnerabilities yet, admins should not ignore them.
The most notable is CVE-2024-49112, an RCE vulnerability in the Lightweight Directory Access Protocol (LDAP) that could allow an attacker to inject code without user login and execute it with elevated privileges. Microsoft recommends disconnecting vulnerable domain controllers from the internet as a mitigation measure against such attacks.
Microsoft also classifies the RCE vulnerability CVE-2024-49117 in Hyper-V as critical. Code from the guest system could break out and be executed on the host system. A simple user login is sufficient for the attacker.
Office security flaws patched
Microsoft has eliminated eight security vulnerabilities in its Office products, including three RCE vulnerabilities. One was in Excel, one was in Access, and the third one (known as CVE-2024-49065) can be exploited via the Outlook preview for file attachments. Fortunately, according to Microsoft, the attacker can’t access user data with this vulnerability, but can prevent its availability.
The first in a long line of AI vulnerabilities?
Microsoft Muzic KI-Schwachstelle
Microsoft Muzic: AI vulnerability
Microsoft
Muzic is an open-source research project by Microsoft that uses deep learning to promote the understanding and creation of music. With CVE-2024-49063, Microsoft has plugged the first of what could be many security flaws in the field of artificial intelligence.
Anyone wondering what AI vulnerabilities might look like: they look like deserialization errors. An attacker can develop malicious code that would be executed when a data stream is converted into an object.
As of December 2024, there’s no new Windows tool for removing malware. The next Patch Tuesday will be on January 14, 2025.
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.