Skip to main content
To Customer Support To Customer Support

This release consists of the following 72 Microsoft CVEs:
Tag CVE Base Score CVSS Vector Exploitability FAQs? Workarounds? Mitigations?

System Center Operations Manager CVE-2024-43594
Microsoft Office CVE-2024-43600
Microsoft Edge (Chromium-based) CVE-2024-49041
Microsoft Defender for Endpoint CVE-2024-49057
Microsoft Office CVE-2024-49059
Microsoft Office SharePoint CVE-2024-49062
GitHub CVE-2024-49063
Microsoft Office SharePoint CVE-2024-49064
Microsoft Office Word CVE-2024-49065
Microsoft Office SharePoint CVE-2024-49068
Microsoft Office Excel CVE-2024-49069
Microsoft Office SharePoint CVE-2024-49070
Windows Task Scheduler CVE-2024-49072
Windows Mobile Broadband CVE-2024-49073
Windows Kernel-Mode Drivers CVE-2024-49074
Windows Remote Desktop Services CVE-2024-49075
Windows Virtualization-Based Security (VBS) Enclave CVE-2024-49076
Windows Mobile Broadband CVE-2024-49077
Windows Mobile Broadband CVE-2024-49078
Microsoft Office Publisher CVE-2024-49079
Windows IP Routing Management Snapin CVE-2024-49080
Windows Wireless Wide Area Network Service CVE-2024-49081
Windows File Explorer CVE-2024-49082
Windows Mobile Broadband CVE-2024-49083
Windows Kernel CVE-2024-49084
Windows Routing and Remote Access Service (RRAS) CVE-2024-49085
Windows Routing and Remote Access Service (RRAS) CVE-2024-49086
Windows Mobile Broadband CVE-2024-49087
Windows Common Log File System Driver CVE-2024-49088
Windows Routing and Remote Access Service (RRAS) CVE-2024-49089
Windows Common Log File System Driver CVE-2024-49090
Role: DNS Server CVE-2024-49091
Windows Mobile Broadband CVE-2024-49092
Windows Resilient File System (ReFS) CVE-2024-49093
Windows Wireless Wide Area Network Service CVE-2024-49094
Windows PrintWorkflowUserSvc CVE-2024-49095
Windows Message Queuing CVE-2024-49096
Windows PrintWorkflowUserSvc CVE-2024-49097
Windows Wireless Wide Area Network Service CVE-2024-49098
Windows Wireless Wide Area Network Service CVE-2024-49099
Windows Wireless Wide Area Network Service CVE-2024-49101
Windows Routing and Remote Access Service (RRAS) CVE-2024-49102
Windows Wireless Wide Area Network Service CVE-2024-49103
Windows Routing and Remote Access Service (RRAS) CVE-2024-49104
Remote Desktop Client CVE-2024-49105
Windows Remote Desktop Services CVE-2024-49106
WmsRepair Service CVE-2024-49107
Windows Remote Desktop Services CVE-2024-49108
Windows Wireless Wide Area Network Service CVE-2024-49109
Windows Mobile Broadband CVE-2024-49110
Windows Wireless Wide Area Network Service CVE-2024-49111
Windows LDAP - Lightweight Directory Access Protocol CVE-2024-49112
Windows LDAP - Lightweight Directory Access Protocol CVE-2024-49113
Windows Cloud Files Mini Filter Driver CVE-2024-49114
Windows Remote Desktop Services CVE-2024-49115
Windows Remote Desktop Services CVE-2024-49116
Role: Windows Hyper-V CVE-2024-49117
Windows Message Queuing CVE-2024-49118
Windows Remote Desktop Services CVE-2024-49119
Windows Remote Desktop Services CVE-2024-49120
Windows LDAP - Lightweight Directory Access Protocol CVE-2024-49121
Windows Message Queuing CVE-2024-49122
Windows Remote Desktop Services CVE-2024-49123
Windows LDAP - Lightweight Directory Access Protocol CVE-2024-49124
Windows Routing and Remote Access Service (RRAS) CVE-2024-49125
Windows Local Security Authority Subsystem Service (LSASS) CVE-2024-49126
Windows LDAP - Lightweight Directory Access Protocol CVE-2024-49127
Windows Remote Desktop Services CVE-2024-49128
Windows Remote Desktop Services CVE-2024-49129
Windows Remote Desktop CVE-2024-49132
Windows Common Log File System Driver CVE-2024-49138
Microsoft Office Access CVE-2024-49142
We are republishing 1 non-Microsoft CVEs:
CNA Tag CVE FAQs? Workarounds? Mitigations?
Chrome Microsoft Edge (Chromium-based) CVE-2024-12053

Security Update Guide Blog Posts
Date Blog Post
November 12, 2024 Toward greater transparency: Publishing machine-readable CSAF files
June 27, 2024 Toward greater transparency: Unveiling Cloud Service CVEs
April 9, 2024 Toward greater transparency: Security Update Guide now shares CWEs for CVEs
January 6, 2023 Publishing CBL-Mariner CVEs on the Security Update Guide CVRF API
January 11, 2022 Coming Soon: New Security Update Guide Notification System
February 9, 2021 Continuing to Listen: Good News about the Security Update Guide API
January 13, 2021 Security Update Guide Supports CVEs Assigned by Industry Partners
December 8, 2020 Security Update Guide: Let’s keep the conversation going
November 9, 2020 Vulnerability Descriptions in the New Version of the Security Update Guide

Relevant Resources

  • The new Hotpatching feature is now generally available. Please see Hotpatching feature for Windows Server Azure Edition virtual machines (VMs) for more information.
  • Windows 10 and Windows 11 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10 and Windows 11, in addition to non-security updates. The updates are available via the Microsoft Update Catalog. For information on lifecycle and support dates for Windows 10 and Windows 11 operating systems, please see Windows Lifecycle Facts Sheet.
  • Microsoft is improving Windows Release Notes. For more information, please see What's next for Windows release notes.
  • A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
  • In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.
  • Customers running Windows Server 2008 R2, or Windows Server 2008 need to purchase the Extended Security Update to continue receiving security updates. See 4522133 for more information.

Known Issues
You can see these in more detail from the Deployments tab by selecting Known Issues column in the Edit Columns panel.

For more information about Windows Known Issues, please see Windows message center (links to currently-supported versions of Windows are in the left pane).

KB Article Applies To
5048667 Windows 11, version 24H2
5048685 Windows 11, version 22H2, Windows 11, version 23H2
5048710 Windows Server 2008 (Monthly Rollup)
5048744 Windows Server 2008 (Security-only update)

Released: Dec 10, 2024
December 2024 Security Updates - Release Notes - Security Update Guide - Microsoft

CVEs have been published or revised in the Security Update Guide

December 12, 2024

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2023-36435

  • Title: Microsoft QUIC Denial of Service Vulnerability
  • Version: 3.0
  • Reason for revision: To comprehensively address CVE-2023-36435, Microsoft has released security updates on October 24, 2023 for .NET 7.0. Microsoft recommends that customers running .NET install the updates to be fully protected from the vulnerability.
  • Originally released: October 10, 2023
  • Last updated: December 10, 2024
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes

CVE-2023-38171

  • Title: Microsoft QUIC Denial of Service Vulnerability
  • Version: 3.0
  • Reason for revision: To comprehensively address CVE-2023-38171, Microsoft released security updates on October 24, 2023 for all affected versions of .NET and Microsoft Visual Studio. Microsoft recommends that customers running any of these products install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action.
  • Originally released: October 10, 2023
  • Last updated: December 10, 2024
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes

CVE-2023-44487

  • Title: MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack
  • Version: 2.0
  • Reason for revision: To comprehensively address CVE-2023-44487, Microsoft released security updates on October 24, 2023 for all affected versions of .NET and Microsoft Visual Studio. Microsoft recommends that customers running any of these products install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action.
  • Originally released: October 10, 2023
  • Last updated: December 10, 2024
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes

CVE-2024-38033

  • Title: PowerShell Elevation of Privilege Vulnerability
  • Version: 2.0
  • Reason for revision: To comprehensively address CVE-2024-38033, Microsoft released security updates on December 10, 2024 for all affected versions of Windows Server 2012 and Windows Server 2012 R2. Microsoft recommends that customers running any of these products install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action.
  • Originally released: July 9, 2024
  • Last updated: December 10, 2024
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes

CVE-2024-49112

  • Title: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
  • Version: 1.1
  • Reason for revision: Added FAQ information. This is an informational change only.
  • Originally released: December 10, 2024
  • Last updated: December 11, 2024
  • Aggregate CVE severity rating: Critical
  • Customer action required: Yes

CVE-2024-49112

  • Title: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
  • Version: 1.2
  • Reason for revision: Added FAQ to provide further vulnerability details. This is an informational change only.
  • Originally released: December 10, 2024
  • Last updated: December 11, 2024
  • Aggregate CVE severity rating: Critical
  • Customer action required: Yes
  

CVEs have been published or revised in the Security Update Guide
December 12, 2024

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2024-49071

  • Title: Windows Defender Information Disclosure Vulnerability
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: December 12, 2024
  • Last updated: December 12, 2024
  • Aggregate CVE severity rating: Critical
  • Customer action required: No

CVE-2024-49147

  • Title: Microsoft Update Catalog Elevation of Privilege Vulnerability
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: December 12, 2024
  • Last updated: December 12, 2024
  • Aggregate CVE severity rating: Critical
  • Customer action required: No

CVEs have been published or revised in the Security Update Guide

December 12, 2024

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2024-12381

  • Title: Chromium: CVE-2024-12381 Type Confusion in V8
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: December 12, 2024
  • Last updated: December 12, 2024
  • Aggregate CVE severity rating:
  • Customer action required: Yes

CVE-2024-12382

  • Title: Chromium: CVE-2024-12382 Use after free in Translate
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: December 12, 2024
  • Last updated: December 12, 2024
  • Aggregate CVE severity rating:

Customer action required: Yes

CVEs have been published or revised in the Security Update Guide

December 13, 2024

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2024-43451

  • Title: NTLM Hash Disclosure Spoofing Vulnerability
  • Version: 2.0
  • Reason for revision: In the Security Update table, removed Windows Server 2012 and Windows Server 2012 (Server Core installation) as these Server versions are not affected by this vulnerability. This is an informational change only
  • Originally released: November 12, 2024
  • Last updated: December 12, 2024
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes

CVE-2024-49035

  • Title: Partner.Microsoft.Com Elevation of Privilege Vulnerability
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: November 26, 2024
  • Last updated: November 26, 2024
  • Aggregate CVE severity rating: Critical
  • Customer action required: No

CVE-2024-49038

  • Title: Microsoft Copilot Studio Elevation Of Privilege Vulnerability
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: November 26, 2024
  • Last updated: November 26, 2024
  • Aggregate CVE severity rating: Critical
  • Customer action required: No

CVE-2024-49052

  • Title: Microsoft Azure PolicyWatch Elevation of Privilege Vulnerability
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: November 26, 2024
  • Last updated: November 26, 2024
  • Aggregate CVE severity rating: Critical
  • Customer action required: No

CVE-2024-49053

  • Title: Microsoft Dynamics 365 Sales Spoofing Vulnerability
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: November 26, 2024
  • Last updated: November 26, 2024
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes
  

CVEs have been published or revised in the Security Update Guide

December 19, 2024

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2024-12692

  • Title: Chromium: CVE-2024-12692 Type Confusion in V8
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: December 19, 2024
  • Last updated: December 19, 2024
  • Aggregate CVE severity rating:
  • Customer action required: Yes

CVE-2024-12693

  • Title: Chromium: CVE-2024-12693 Out of bounds memory access in V8
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: December 19, 2024
  • Last updated: December 19, 2024
  • Aggregate CVE severity rating:
  • Customer action required: Yes

CVE-2024-12694

  • Title: Chromium: CVE-2024-12694 Use after free in Compositing
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: December 19, 2024
  • Last updated: December 19, 2024
  • Aggregate CVE severity rating:
  • Customer action required: Yes

CVE-2024-12695

  • Title: Chromium: CVE-2024-12695 Out of bounds write in V8
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: December 19, 2024
  • Last updated: December 19, 2024
  • Aggregate CVE severity rating:
  • Customer action required: Yes
  

CVEs have been published or revised in the Security Update Guide
December 20, 2024

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2024-12692

  • Title: Chromium: CVE-2024-12692 Type Confusion in V8
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: December 19, 2024
  • Last updated: December 19, 2024
  • Aggregate CVE severity rating:
  • Customer action required: Yes

CVE-2024-12693

  • Title: Chromium: CVE-2024-12693 Out of bounds memory access in V8
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: December 19, 2024
  • Last updated: December 19, 2024
  • Aggregate CVE severity rating:
  • Customer action required: Yes

CVE-2024-12694

  • Title: Chromium: CVE-2024-12694 Use after free in Compositing
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: December 19, 2024
  • Last updated: December 19, 2024
  • Aggregate CVE severity rating:
  • Customer action required: Yes

CVE-2024-12695

  • Title: Chromium: CVE-2024-12695 Out of bounds write in V8
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: December 19, 2024
  • Last updated: December 19, 2024
  • Aggregate CVE severity rating:
  • Customer action required: Yes

CVE-2024-43594

  • Title: Microsoft System Center Elevation of Privilege Vulnerability
  • Version: 2.0
  • Reason for revision: Revised the Security Updates table to specify Microsoft System Center is affected by CVE-2024-43594. Customers running affected versions of Microsoft System Center must delete the existing installer setup files (.exe) and then download the latest version of their Microsoft System Center product to mitigate the vulnerability.
  • Originally released: December 10, 2024
  • Last updated: December 19, 2024
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes

Security advisories were published or revised in Microsoft Security Update Guide

December 23, 2024

The following security advisories (ADVs) were recently published or revised in the Microsoft Security Update Guide:

  

 

ADV2915720

  • Title: Changes in Windows Authenticode Signature Verification
  • Version 1
  • Originally released: December 23, 2024
  • Last updated: December 13, 2024
  

CVEs have been published or revised in the Security Update Guide

December 23, 2024

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2024-12692

  • Title: Chromium: CVE-2024-12692 Type Confusion in V8
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: December 19, 2024
  • Last updated: December 19, 2024
  • Aggregate CVE severity rating:
  • Customer action required: Yes

CVE-2024-12693

  • Title: Chromium: CVE-2024-12693 Out of bounds memory access in V8
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: December 19, 2024
  • Last updated: December 19, 2024
  • Aggregate CVE severity rating:
  • Customer action required: Yes

CVE-2024-12694

  • Title: Chromium: CVE-2024-12694 Use after free in Compositing
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: December 19, 2024
  • Last updated: December 19, 2024
  • Aggregate CVE severity rating:
  • Customer action required: Yes

CVE-2024-12695

  • Title: Chromium: CVE-2024-12695 Out of bounds write in V8
  • Version: 1.0
  • Reason for revision: Information published.
  • Originally released: December 19, 2024
  • Last updated: December 19, 2024
  • Aggregate CVE severity rating:
  • Customer action required: Yes

CVE-2024-43594

  • Title: Microsoft System Center Elevation of Privilege Vulnerability
  • Version: 2.0
  • Reason for revision: Revised the Security Updates table to specify Microsoft System Center is affected by CVE-2024-43594. Customers running affected versions of Microsoft System Center must delete the existing installer setup files (.exe) and then download the latest version of their Microsoft System Center product to mitigate the vulnerability.
  • Originally released: December 10, 2024
  • Last updated: December 19, 2024
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes

CVE-2024-43600

  • Title: Microsoft Office Elevation of Privilege Vulnerability
  • Version: 2.0
  • Reason for revision: In the Security Updates Table, removed KB2920716 from the Office 2016 for 32-bit version as this update does not apply to this version.
  • Originally released: December 10, 2024
  • Last updated: December 23, 2024
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes
  

CVEs have been published or revised in the Security Update Guide

December 27, 2024

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2024-43601

  • Title: Visual Studio Code for Linux Remote Code Execution Vulnerability
  • Version: 1.1
  • Reason for revision: Updated the CVSS score and corrected FAQs. This is an informational change only.
  • Originally released: October 8, 2024
  • Last updated: November 8, 2024
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes

CVE-2024-43601

  • Title: Visual Studio Code for Linux Remote Code Execution Vulnerability
  • Version: 1.2
  • Reason for revision: Clarified that the product containing the vulnerability is Visual Studio Code for Linux. This is an informational change only.
  • Originally released: October 8, 2024
  • Last updated: December 27, 2024
  • Aggregate CVE severity rating: Important
  • Customer action required: Yes
  

CVEs have been published or revised in the Security Update Guide

December 31, 2024

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2024-49051

  • Title: Microsoft PC Manager Elevation of Privilege Vulnerability
  • Version: 2.0
  • Reason for revision: To comprehensively address CVE-2024-49051, Microsoft released security updates on December 10, 2024 for Microsoft PC Manager. Microsoft recommends that customers running this product install the updates to be fully protected from the vulnerability.
  • Originally released: November 12, 2024
  • Last updated: December 31, 2024
  • Aggregate CVE severity rating: Important

Customer action required: Yes

@TripleHelix Moving this to Vulnerability vault :) 

 

https://community.opentextcybersecurity.com/p/ThreatIntelHub

@TripleHelix Moving this to Vulnerability vault :) 

 

https://community.opentextcybersecurity.com/p/ThreatIntelHub

Kwel!

Reply


Terms & Conditions