December 10, 2024 at 03:55PM
This month, Microsoft has released 72 fixes, with CVE-2024-49138 posing an immediate risk due to active exploitation. Adobe, on the other hand, issued 167 fixes, including 91 for Adobe Experience Manager and critical updates for Adobe Connect. Users are urged to patch vulnerabilities across all platforms promptly.
### Meeting Takeaways
#### Microsoft Patch Tuesday Highlights:
– **Total Fixes**: 72 updates were released by Microsoft this month.
– **Critical Vulnerability**:
– **CVE-2024-49138**: Actively exploited vulnerability in the Windows Common Log File System Driver leads to escalation of privilege attacks. Affects:
– Windows 10 and 11
– Server 2019 and later
– **Highest-Rated Vulnerability**:
– **CVE-2024-49112**: CVSS score of 9.8; linked to Windows LDAP. Difficult to exploit but allows remote code execution on Windows 10 and server versions since 2008. Recommended workaround: Block inbound RPCs from untrusted networks.
– **Top Exploitation Risks**:
1. **CVE-2024-49093**: Vulnerability in Windows Resilient File System (CVSS 8.8); enables malicious operators to escalate privileges.
2. **CVE-2024-49088**, **CVE-2024-49090**, **CVE-2024-49114**: Elevation of privilege vulnerabilities requiring no user interaction.
3. **CVE-2024-49070**: SharePoint issue needing local access for exploitation.
4. **CVE-2024-49122**: Remote code execution vulnerability in Microsoft Message Queuing.
#### Adobe Patch Updates:
– **Total Fixes**: Adobe issued 167 updates.
– **Adobe Experience Manager**: 91 flaws fixed; one classified as critical.
– **Adobe Connect**: 22 flaws fixed with six critical, including a CVSS 9.3 improper access control issue.
– **Acrobat**: Six flaws fixed, none exceeding CVSS 7.
– **Adobe Animate**: 13 flaws, all with a CVSS score of 7.8.
– **InDesign & Substance 3D Modeler**: Each with nine issues, none exceeding CVSS 7.8.
– **Adobe Media Encoder**: Four flaws with three allowing arbitrary code execution; includes a denial-of-service issue.
– **Illustrator & Substance 3D Painter**: Both have critical issues needing attention.
### Action Items:
– Review and prioritize patching for vulnerabilities, especially CVE-2024-49138 and CVE-2024-49112.
– Implement workarounds where applicable, especially for LDAP-related vulnerabilities.
– Ensure critical updates for Adobe products, focusing on Experience Manager and Connect.
### Next Steps:
– Schedule training sessions or communications regarding best practices in patch management.
– Monitor for any further advisories from Microsoft and Adobe regarding the patched vulnerabilities.