The last Patch Tuesday of the year has been a busy one for Microsoft. As many as 71 vulnerabilities are being closed, including one in Windows that is being actively exploited.
The first Tuesday of the month is traditionally Patch Tuesday at Microsoft. The software giant’s developers went all out for the final edition of 2024. In one fell swoop, Microsoft is swatting 21 CVE flies, spread across Windows, Office and Azure.
Sixteen vulnerabilities are labeled “critical,” while all but a few are labeled “high risk.” The full list can be found here.
Windows under fire
Of the 71 vulnerabilities, the vast majority, 59 to be exact, are spread across Windows 11, Windows 10 and supported versions of Windows Server. Vulnerability CVE-2024-49138 is getting extra attention. It may not have been labeled critical, but it is the only vulnerability that Microsoft says is being actively exploited.
The vulnerability results from a buffer overflow in the shared protocol file system driver and could allow an attacker to gain system privileges. Combined with one of the many remote code execution (RCE) vulnerabilities, the attacker could cause major damage. It is recommended that you roll out the Windows security update as soon as it is available for your device.
Eight vulnerabilities have been closed for Office applications, including three potentially critical RCE vulnerabilities in Excel, Access and Outlook. The Outlook vulnerability would be exploited through the preview of file attachments. Microsoft stresses that attackers cannot access user data through this vulnerability, but can prevent you from accessing it yourself.
No record year
After this latest Patch Tuesday, the total number of patched vulnerabilities in Microsoft applications comes to 1,020. That’s just short of a record for Microsoft. In the year 2020, Microsoft had to patch 1,250 times. 2024 will go down in the history books, though, as a year that brought a lot of update misery for Microsoft, with the Windows 11 24H2 update as an embarrassing chapter.