Microsoft closed 2024 with 730 CVEs stamped “Patch Tuesday”, 11 of them under active exploit before the ink dried. Here is the concise scorecard security teams asked for — no vendor links, just the bugs that still bite and the free tools that fix them faster.
- Zero-Days That Refused to Die
CVE-2024-21410 | Exchange NTLM Relay
Still seeing intranet relay on port 445; disable NTLMv1 now — no registry key, no drama.
CVE-2024-21412 | SmartScreen Bypass
Malicious MSI slipped past SmartScreen via an embedded .cab; the December CU finally closes the hole. If you delayed May, patch this week — phishing kits still carry the template.
- Critical but Quiet
CVE-2024-29988 | Windows Hyper-V RCE
Requires VM escape; no public exploit yet, but cloud hosts should move this to the top quartile.
CVE-2024-30015 | DHCP Server Remote Code
Patch hit in June; most domain controllers rebooted. If you run DHCP on a DC “for convenience,” migrate it — the bug is weaponisable with one crafted Discover packet.
- The Forgotten 61
February and May bundles fixed 134 CVEs combined. Two stand-outs:
- Outlook click-to-run privilege jump (CVE-2024-21345) — patch pushed via CDN; if Outlook.exe is older than 16.0.17231.20236, hit File > Update Now.
- Excel Web Query (CVE-2024-21413) — opens when a user clicks “Refresh All”; macro-less, ideal for invoice-themed phish.
- Free Tools That Speed Up the Roll-out
WSUS-Offline-Community | Generates an ISO with every CU since 2021; perfect for air-gapped labs.
PSWindowsUpdate | One-liner, no SCCM needed:
  Install-WindowsUpdate -KBArticleID KB5046619 -AcceptAll
Windows Update for Business Reports | Shows patch compliance by SKU; filter on “SecurityUpdate” and export to CSV for auditors.
- Patch-Chain Order (Tested on 21H2/22H2)
a) Servicing Stack Update (SSU) — reboot
b) Latest Cumulative Update (LCU) — reboot
c) .NET CU (if server hosts Framework apps) — reboot
d) Defender Platform Update — no reboot
Skipping the SSU slows the next scan by 30-40 %; ask any help-desk why “Windows is stuck at 20 %.”
- Verification in 30 Seconds
Run from an elevated PowerShell:
  Get-HotFix -Id KB5046619
If Status = “Installed,” move on. If blank, the box is still naked.
- What About Windows 10 21H2?
Support ended in June 2024. ESU patches exist but cost roughly $61 per desktop for year one. Migrate or isolate; don’t hope.
- Forensics Side Note
FOR500 alumnae report that un-patched February CVEs leave behind a WMI script in root\subscription called SCMEventConsumer. If you see it, the relay already happened — collect the image and patch during containment.
- Bottom Line
Patch Tuesday is only a starting line. Exchange and DHCP need love this month; everything else can wait until the holiday change-freeze. Script the roll-out, log the hash, reboot once—and you can enjoy the egg-nog without an incident bridge.
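To make the verification step and the forensics side note repeatable across a fleet, here is an added PowerShell script that is not part of the original post: it checks the KB from the verification step, compares OUTLOOK.EXE against the build quoted in the Forgotten 61 list, and lists the permanent WMI event subscriptions in root\subscription. The KB, build number and consumer name come from the post; the OUTLOOK.EXE path is an assumption (default Click-to-Run location).

```powershell
# Added example, not from the original post: checks the KB named under
# "Verification in 30 Seconds", compares OUTLOOK.EXE with the build quoted
# under "The Forgotten 61", and lists permanent WMI event subscriptions in
# root\subscription as in the "Forensics Side Note". Run from elevated PowerShell.
# KB and build numbers come from the post; the Outlook path is an assumption
# (default Click-to-Run location) and may differ on your image.
param(
    [string[]]$KBs = @('KB5046619'),
    [version]$MinOutlookBuild = '16.0.17231.20236',
    [string]$OutlookPath = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'
)

# 1. Hotfix check. Get-HotFix returns nothing, not an error, for a KB that is
#    absent, so compare the requested list against everything installed.
$installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
foreach ($kb in $KBs) {
    if ($installed -contains $kb) { Write-Output "[OK]      $kb installed" }
    else                          { Write-Output "[MISSING] $kb absent - box is still naked" }
}

# 2. Outlook build check. Click-to-Run replaces OUTLOOK.EXE with each update,
#    so the file version is the build the post tells you to compare against.
if (Test-Path $OutlookPath) {
    $ver = (Get-Item $OutlookPath).VersionInfo.FileVersionRaw
    if ($ver -lt $MinOutlookBuild) { Write-Output "[OLD]     Outlook $ver is below $MinOutlookBuild; run File > Update Now" }
    else                           { Write-Output "[OK]      Outlook $ver" }
} else {
    Write-Output "[SKIP]    OUTLOOK.EXE not found at $OutlookPath"
}

# 3. Permanent WMI subscriptions. Windows ships legitimate defaults here (for
#    example the "SCM Event Log Consumer"), so review names and commands rather
#    than deleting blindly; the post's indicator is a consumer named SCMEventConsumer.
$ns = 'root\subscription'
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue
foreach ($c in $consumers) {
    $tag = if ($c.Name -eq 'SCMEventConsumer') { '[SUSPECT]' } else { '[INFO]   ' }
    # CommandLineTemplate / ScriptText exist only on the command-line and script consumer classes
    $detail = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } elseif ($c.ScriptText) { $c.ScriptText } else { '' }
    Write-Output "$tag consumer '$($c.Name)' ($($c.CimClass.CimClassName)) $detail"
}
Write-Output "$($bindings.Count) filter-to-consumer binding(s) in $ns"
```

Run it as the last step of the patch chain and keep the output with the image if the SUSPECT line appears, so containment and patch evidence sit together.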