Microsoft’s December Patch Tuesday release looks pretty straightforward. They’ve resolved 70 new CVEs affecting Windows OS, Office, SharePoint, System Center Operations Monitor, Defender and a Microsoft AI project called Muzic.

Adobe has released several updates, including Acrobat and Acrobat Reader. For details on all 16 Adobe product updates, check out their security advisory page. Adobe has set all updates as a priority 3 this month.

Google has not released a Chrome update at the time of this blog but is expected to release one soon.

Microsoft summary

While most of that lineup is pretty normal, the Microsoft Muzic AI project is an interesting one. CVE-2024-49063 is a remote code execution vulnerability in Microsoft Muzic. To resolve this CVE, developers would need to take the latest build from GitHub to update their implementation.

Priority-wise, the big one for December is the Windows OS update, which accounts for 58 of the CVEs, including all 16 Critical CVEs and the one Known Exploited CVE.

Zero-day vulnerabilities

Microsoft has resolved an Elevation of Privilege vulnerability in Windows Common Log File System Driver (CVE-2024-49138), which could allow an attacker to gain SYSTEM privileges on the affected system. The vulnerability affects all Windows OS editions back to Server 2008. The vulnerability is confirmed to be exploited in the wild, and some information about the vulnerability has been publicly disclosed, but that disclosure may not include code samples. The CVE is rated Important by Microsoft and has a CVSSv3.1 score of 7.8. Risk-based prioritization would rate this vulnerability as Critical, which makes the Windows OS update this month your top priority.

Ivanti security updates

Ivanti has released five security advisories for December, resolving a total of 11 CVEs. Affected products include Ivanti Cloud Service Application, Desktop and Server Management, Connect Secure and Policy Secure, and Patch SDK. For more details on the vulnerabilities resolved and links to product updates, see the December Security Update.

December update priorities

  • The Windows OS update is the highest priority this month, resolving 16 critical CVEs, one zero-day, and a total of 58 of the 70 new CVEs resolved by Microsoft this month.
  • Third-party updates for Chrome and Acrobat/Acrobat Reader and the Microsoft Office updates should be part of your normal maintenance schedule this month.