Microsoft<\/strong> today released updates to plug at least 70 security holes in Windows<\/strong> and Windows software, including one vulnerability that is already being exploited in active attacks.<\/p>\n The zero-day seeing exploitation involves CVE-2024-49138<\/a>, a security weakness in the Windows Common Log File System<\/strong> (CLFS) driver \u2014 used by applications to write transaction logs \u2014 that could let an authenticated attacker gain \u201csystem\u201d level privileges on a vulnerable Windows device.<\/p>\n The security firm Rapid7<\/strong> notes there have been a series of zero-day elevation of privilege flaws in CLFS over the past few years.<\/p>\n \u201cRansomware authors who have abused previous CLFS vulnerabilities will be only too pleased to get their hands on a fresh one,\u201d wrote Adam Barnett<\/strong>, lead software engineer at Rapid7. \u201cExpect more CLFS zero-day vulnerabilities to emerge in the future, at least until Microsoft performs a full replacement of the aging CLFS codebase instead of offering spot fixes for specific flaws.\u201d<\/p>\n Elevation of privilege vulnerabilities accounted for 29% of the 1,009 security bugs Microsoft has patched so far in 2024, according to a year-end tally by Tenable<\/strong>; nearly 40 percent of those bugs were weaknesses that could let attackers run malicious code on the vulnerable device.<\/span><\/p>\n Rob Reeves<\/strong>, principal security engineer at Immersive Labs<\/strong>, called special attention to CVE-2024-49112<\/a>, a remote code execution flaw in the Lightweight Directory Access Protocol<\/strong> (LDAP) service on every version of Windows since Windows 7.\u00a0<\/em>CVE-2024-49112 has been assigned a CVSS (badness) score of 9.8 out of 10.<\/p>\n \u201cLDAP is most commonly seen on servers that are Domain Controllers inside a Windows network and LDAP must be exposed to other servers and clients within an enterprise environment for the domain to function,\u201d Reeves said. \u201cMicrosoft hasn\u2019t released specific information about the vulnerability at present, but has indicated that the attack complexity is low and authentication is not required.\u201d<\/p>\n Tyler Reguly<\/strong> at the security firm Fortra<\/strong> had a slightly different 2024 patch tally for Microsoft, at 1,088 vulnerabilities, which he said was surprisingly similar to the 1,063 vulnerabilities resolved in 2023 and the 1,119 vulnerabilities resolved in 2022.<\/p>\n \u201cIf nothing else, we can say that Microsoft is consistent,\u201d Reguly said. \u201cWhile it would be nice to see the number of vulnerabilities each year decreasing, at least consistency lets us know what to expect.\u201d<\/p>\n If you\u2019re a Windows end user and your system is not set up to automatically install updates, please take a minute this week to run Windows Update, preferably after backing up your system and\/or important data.<\/p>\n System admins should keep an eye on AskWoody.com<\/a>, which usually has the details if any of the Patch Tuesday fixes are causing problems. In the meantime, if you run into any problems applying this month\u2019s fixes, please drop a note about in the comments below.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2021\/07\/windupate.png?resize=749%2C527&ssl=1\")
<\/p>\n