December 2024 Patch Tuesday Posting

December Patch Tuesday 2024: Critical Updates, Zero-Days, and Deployment Guidance

Greg Lambert
December 13, 2024

Microsoft has released 74 updates this December Patch Tuesday that patch Microsoft Windows, Office and Edge. There are no updates for Microsoft Exchange Server or SQL Server this month. One zero-day (CVE-2024-49138) affecting how Windows desktops handle error logs requires a “Patch Now” update for the Windows platform. Microsoft Office, Visual Studio and Edge patches can be added to your standard release schedule. There are several revisions this month that require attention before deployment, including two (CVE-2023-36435 and CVE-2023-38171) that will require extensive testing. The team at Readiness has provided a helpful infographic that outlines the risks associated with each of the updates for this December update cycle.

Known Issues 

Other than the Roblox issue, Microsoft has published a reduced set of known issues for this December release cycle.

  • There have been reports that the OpenSSH (Open Secure Shell) service fails to start, preventing SSH connections. The service fails with no detailed logging, and manual intervention is required to run the sshd.exe process. Microsoft has offered several mitigation options for those who are still affected.
  • For those still on Windows Server 2008, you may receive warnings that Windows Update has failed to complete successfully. Microsoft is working on this issue and expects a fix to be released soon. Many users will now have to move to the second stage of “Extended Support Updates” (or “ESU”).
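
Because the OpenSSH failure described above comes with no detailed logging, a post-patch check has to look at the service state, the listener and the Service Control Manager events directly. The following is an added example, not from the original article or from Microsoft; it assumes the default service name (sshd) and default port (22), and the function name and lookback window are illustrative:

```powershell
# Added example: run in an elevated PowerShell session on a patched host.
# Assumes the Windows OpenSSH Server feature uses its default service name
# (sshd) and default port (22); both are assumptions, adjust as needed.
function Test-SshdAfterPatch {
    param(
        [int]$Port = 22,            # assumption: default sshd port
        [int]$LookbackHours = 48    # assumption: window covering the patch reboot
    )

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='sshd'"
    if (-not $svc) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Installed = $false }
    }

    # Is anything listening on the port, and is the owning process sshd.exe?
    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        Select-Object -First 1
    $owner = if ($listener) {
        (Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    }

    # The service may fail without useful logs of its own, so fall back to
    # Service Control Manager start-failure and unexpected-exit events.
    $scmEvents = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7000, 7009, 7023, 7024, 7031, 7034
        StartTime    = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'OpenSSH|sshd' }

    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        Installed      = $true
        StartMode      = $svc.StartMode
        State          = $svc.State
        ExitCode       = $svc.ExitCode
        ListenerOwner  = $owner
        ScmFailures    = @($scmEvents).Count
        # Flag hosts where sshd is set to start automatically but is not serving.
        NeedsAttention = ($svc.StartMode -eq 'Auto') -and
                         ($svc.State -ne 'Running' -or $owner -ne 'sshd')
    }
}

Test-SshdAfterPatch | Format-List
```

Hosts that return NeedsAttention as True are the ones to review against Microsoft's published mitigation options.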

Major Revisions

For this final Patch Tuesday in 2024, we have the following revisions to previously released updates:

  • CVE-2023-36435 and CVE-2023-38171: Microsoft QUIC Denial of Service Vulnerability. This is the third update to this 2-year-old series of patches to the Microsoft .NET platform. Rather than a strictly informational update, these patches will need to be added to your December release schedule.
  • CVE-2024-49112: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability. This is a release of this month’s update. This does not happen often as this patch was only released 24 hours ago. In fact, due to an error in the documentation, this patch was duplicated in the release notes as well.
  • CVE-2023-44487: HTTP/2 Rapid Reset Attack. The update relates to a change in affected software – meaning that all recent supported versions of Microsoft .NET and Visual Studio are included in the scope of the patch. Add this update to your development update release schedule for December.
  • CVE-2024-43451: NTLM Hash Disclosure Spoofing Vulnerability. This late edition revision has been widely reported in the news as it affects older versions of Windows Server (2008 and 2012) and has received some generous technical support from outside Microsoft.

This is an unusual month for revisions, with several patches from 2023 updated in the final months of 2024, with increased scopes and associated testing requirements. The Readiness team advises extra caution addressing both CVE-2023-36435 and CVE-2023-38171.

Windows Lifecycle and Enforcement Updates 

No product or security enforcements for this December update cycle. However, Microsoft has noted that:

 “There won’t be a non-security preview release for the month of December 2024. There will be a monthly security release for December 2024. Normal monthly servicing for both security and non-security preview releases will resume in January 2025.”

Each month, the team at Readiness analyses the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.

For this December release cycle from Microsoft, we have grouped the critical updates and required testing efforts into different functional areas including:

  1. Networking and Remote Desktop Services. 

This month’s update addresses key components of Microsoft’s Remote Desktop Services with the following testing guidance:

  • Test RDP connections over the Microsoft Remote Desktop Gateway
  • Try RPC over HTTP/HTTPS pathways while validating Remote Desktop broker features.
  • Test out DNS signing key operations for RRAS environments.
  • Validate WAN port operations (try netsh commands)

  2. Local Windows File System and Storage

Minor changes to the Windows desktop file system will require a test of the ReFS system (light CRUD testing required). Due to changes in how Windows handles non-English characters, a test of Input Method Editors (IMEs) is required for Japanese formats.

  3. Virtual Machines and Microsoft Hyper-V

A minor update to a key virtualization driver will require some traffic testing and monitoring for Microsoft’s Hyper-V and virtualization platforms. 

The team at Readiness has had a look at these recent updates, and while they are generally low-profile patches to Windows subsystems, we feel that the primary testing effort this month should be on validating remote network traffic. The file system and Hyper-V changes require light testing. The goal for most enterprises is to get these Microsoft updates deployed before change control “lock-down” this coming Friday (yes, the 13th).

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: 

  • Browsers (Microsoft IE and Edge) 
  • Microsoft Windows (both desktop and server) 
  • Microsoft Office
  • Microsoft Exchange Server 
  • Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
  • Adobe (if you get this far) 

Browsers 

Just two minor updates for Microsoft Edge this month with CVE-2024-12053 and CVE-2024-49041 both rated as important by Microsoft. Add these low-profile changes to your standard release schedule.

Windows 

Though there is a strong focus on networking, this December release also affects the following Windows features:

  • Windows Remote Desktop and related routing servers
  • Windows Kernel and Kernel Mode Drivers
  • Printing
  • Microsoft Hyper-V
  • Microsoft LDAP and LSASS
  • Windows Error Reporting

Unfortunately, there is a zero-day (CVE-2024-49138), reported as both publicly disclosed and exploited in the wild, that affects how Windows creates error log files. Add these Windows updates to your “Patch Now” release cycle.

Microsoft Office 

Microsoft has released nine patches to Microsoft Office this December, all rated as important by Microsoft. In addition, Microsoft has offered some additional security measures and mitigations to the Microsoft Office platform this month with the release of the advisory ADV240002 which covers the following areas:

  • Perimeter Defense
  • Network Security
  • Endpoint Protection
  • Application Security

This month’s update affects Microsoft Excel, SharePoint and core Microsoft Office libraries. Add these patches to your standard Microsoft Office release schedule.

Microsoft SQL (nee Exchange) Server 

No updates for either Microsoft SQL or Exchange Server for this December release.

Microsoft Development Platforms 

Microsoft has released a single update to the experimental AI music project Muzic with CVE-2024-49063. We are going to take this as a “win” with no further updates to Microsoft .NET or Visual Studio.

Adobe Reader (And other 3rd party updates) 

Adobe has released a completely normal, run-of-the-mill update to both Reader and Acrobat this December (Adobe Release notes). This is good news. This Adobe update has not been included in the Microsoft release cycle, which is as it should be. Adding to the huge, globally shared sense of relief, Adobe has chosen to modify their patching methodology to fall in line with industry best practices. Long-suffering IT administrators have had to create (and maintain) “process workflow exceptions” to handle Adobe updates – usually with complex PowerShell scripts. No longer. Thank you, Adobe – there is no greater gift than a few less things to do (repeatedly).

For those readers who have enjoyed delving into the deeper details of all things patching, the Readiness team would like to say, “Thank you for the time and attention and we look forward to the New Year”. No surprises, eh?

Greg Lambert

CEO, Product Evangelist
Greg Lambert is the CEO and product evangelist for Application Readiness Inc. Greg is a co-founder of ChangeBASE and has considerable experience with application packaging technology and its deployment.
