Microsoft has fixed more than 60 vulnerabilities in its products

During the March Patch Tuesday, Microsoft released over 60 patches (plus four Microsoft Edge vulnerabilities fixed on March 7). Eighteen of the patched vulnerabilities allowed for remote code execution, although no 0-day vulnerabilities were addressed this month.

The patches this month addressed two critical vulnerabilities, CVE-2024-21407 and CVE-2024-21408: remote code execution and denial of service (DoS) in Hyper-V.

“CVE-2024-21407 vulnerability requires an authenticated attacker on the guest VM to send specially crafted file operation requests to the VM targeting hardware resources, which could lead to remote code execution on the host server,” Microsoft stated.

According to the company, exploiting this issue successfully requires the attacker to gather environment-specific information and take a series of additional actions before the attack.

Also of note are the following issues addressed this month.

CVE-2024-21400 is a privilege escalation vulnerability in Microsoft Azure Kubernetes confidential containers, allowing attackers to gain elevated privileges and steal credentials.

“An attacker who successfully exploits this vulnerability could steal credentials and affect resources beyond the security zone managed by Azure Kubernetes Service Confidential Containers (AKSCC),” Microsoft explained in its statement.

CVE-2024-26199 is a privilege escalation vulnerability in Microsoft Office, allowing any authenticated user to gain SYSTEM privileges.

“Any authenticated user can exploit this vulnerability. Administrator rights or other elevated privileges are not required,” experts wrote.

CVE-2024-20671 is a vulnerability bypassing Microsoft Defender’s protective features. The bug could allow an authenticated attacker to prevent Microsoft Defender from starting.

The issue has been addressed with updates to the Windows Defender Antimalware Platform, which are automatically installed on Windows devices. The flaw is fixed in version 4.18.24010.12 of the Antimalware Platform.

CVE-2024-21334 is a critical RCE vulnerability in the Open Management Infrastructure (OMI), allowing a remote unauthenticated attacker to access an OMI instance from the internet, send a specially crafted request, and trigger a user-after-free issue.

CVE-2024-21411 is a remote code execution vulnerability in Skype for Consumer. This issue can be exploited by a malicious link or image.

“An attacker can exploit the vulnerability by sending a malicious link or image to the user via instant messaging and then convincing them to click on the link or image,” Microsoft said.

In addition to Microsoft, other companies have released patches for their products this week:

  • Adobe fixed 56 vulnerabilities (including critical ones) in Experience Manager, Premiere Pro, ColdFusion, Bridge, Lightroom, and Animate. None of the issues were exploited by hackers.
  • Intel released eight patches to fix 11 vulnerabilities in its hardware, embedded, and software products. None of them are critical.
  • SAP published more than ten security bulletins. One of them describes a code injection vulnerability rated 9.4 on the CVSS scale, which manifests in applications created with SAP Build Apps.
  • Cisco released updates for several of its products, including the latest patch for CVE-2023-20214, first disclosed last year. This bug allowed an unauthenticated remote attacker to gain read permissions and limited write rights on the affected Cisco SD-WAN vManage instance.
0 / 5

Your page rank:

Subscribe: YouTube page opens in new windowLinkedin page opens in new windowTelegram page opens in new window

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment