Patch Tuesday December 2024: No Patch for New NTLM Zero-Day Until April 2025

The last Patch Tuesday of 2024 brings holiday surprises in the form of an unpatched zero-day vulnerability that has been present in the Windows OS since Windows 7. However, there is a fix for another zero-day vulnerability affecting the Windows Common Log File System and mitigation recommendations for multiple vulnerabilities. While there are only 71 vulnerabilities being addressed this month through cumulative and security updates some significant considerations will need to be given to the Microsoft recommended mitigations associated with the unpatched vulnerability.

Microsoft Vulnerabilities

A total of 71 vulnerabilities were addressed with fixes for December’s Patch Tuesday. Included in those are fixes for one zero-day vulnerability that is marked as publicly disclosed and Under Active Exploitation, along with a CVSS 9.8 vulnerability affecting Lightweight Directory Access Protocol (LDAP) that should be receiving attention from all system administrators. Within this month’s release notes Microsoft also released mitigation guidance on patched and an unpatched vulnerabilities that will require review, these include:

CVE-2024-49112 is a remote code execution vulnerability affecting the Windows Lightweight Directory Access Protocol (LDAP) carrying a CVSS of 9.8. As this vulnerability is present in practically all Windows OS builds since Windows Server 2008 it will likely become common for threat actors and malware to begin taking advantage of this vulnerability once proof of concept is released, or the fixes are reversed engineered by security researchers or threat actors. As exploitation of this vulnerability would allow a remote unauthenticated attacker to execute arbitrary code against LDAP server services it will be important to apply this patch in a timely manner or follow Microsoft’s recommended mitigations for this vulnerability to “ensure that domain controllers are configured either to not access the internet or to not allow inbound RPC from untrusted networks”.

CVE-2024-49138 Windows Common Log File System Driver privilege elevation is the zero-day vulnerability that is under current exploitation in the wild. This vulnerability affects all Windows systems since Server 2008 and while it is marked only as Important, because this vulnerability is Under Active Exploitation it should be prioritized.

Also important in the discussion of this month’s batch of vulnerability fixes is that security researchers from ACROS Security reported the discovery of a zero-day NTLM Hash disclosure vulnerability that affects all version of Windows since Windows 7 and Server 2008 R2. While Microsoft has been made aware of the vulnerability and the researchers are not releasing information on the vulnerability until Microsoft has had time to address it, this will be months away. In the meantime, threat actors and other security researchers are sure to be picking apart any information available to reverse engineer the micropatch provided by ACROS Security through their 0patch platform. Microsoft has provided guidance on how to combat NTLM-based attacks through the use of Extend Protection for Authentication.  

Microsoft Patch Tuesday Vulnerability Prioritization

Addressing vulnerabilities effectively requires a mix of adhering to established best practices and leveraging informed judgment. While it’s a natural instinct to rank vulnerabilities with critical severity ratings higher on the list of things that need to be addressed, relying on severity ratings alone can be limiting. An often-overlooked component is temporal metrics, which provide a measure of the window of vulnerability—the time from initial vulnerability discovery to the availability and application of the patch. This is essential as the longer a vulnerability exists without a fix, the greater the potential for exploitation. By integrating temporal metrics into the risk evaluation process, organizations can gain a more comprehensive understanding of the threat landscape and potential attack vectors, ensuring that they don’t leave themselves open to unnecessary risks.

Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, EU = Exploitation Unlikely, N/A = Not Available

Summary

As always make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity consider including prioritization of patches for Zero-Days, Exploitation Detected and Exploitation More Likely vulnerabilities in your Patch Management routines.

Looking for more blogs on patching, or looking for previous Microsoft Patch Tuesday Reviews, then check out the Patch Management section of our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd