Friday, November 22, 2024

59 CVEs primed for Microsoft’s March Patch Tuesday – Sophos News

On Tuesday Microsoft released 59 CVEs, including 41 for Windows. A remarkable 20 other product groups or tools are also affected. Of the CVEs addressed, just two are considered Critical in severity by Microsoft, both in Windows (specifically, in Hyper-V).

At patch time, none of the issues has been publicly disclosed, or is known to be under active exploit in the wild. Six of the important-severity vulnerabilities in Windows are by the company’s estimation more likely to be exploited in the next 30 days. Five of the issues addressed are amenable to detection by Sophos protections, and we include information on those in a table below.

In addition to these patches the release included advisory information on four patches related to the Edge browser; three of those CVEs were assigned by the Chrome team, not Microsoft. (More on Microsoft’s Edge patch, CVE-2024-26167, in a minute.) There’s also one Important-severity issue, CVE-2023-28746, for which advisory information is given this month.

We don’t include advisories in the CVE counts and graphics below, but we provide information on all of them in an appendix at the end of the article. We are as usual including at the end of this post three other appendices listing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product family.

By the Numbers

  • Total Microsoft CVEs (excluding Edge): 59
  • Total Edge / Chrome issues covered in update: 4
  • Total non-Microsoft CVEs covered in update: 1
  • Publicly disclosed: 0
  • Exploited: 0
  • Severity
    • Critical: 2
    • Important: 57
  • Impact
    • Elevation of Privilege: 25
    • Remote Code Execution: 18
    • Denial of Service: 6
    • Information Disclosure: 5
    • Security Feature Bypass: 2
    • Spoofing: 2
    • Tampering: 1

A bar chart showing the distribution of March 2024 Microsoft patches by severity, organized by impact; information replicated in text

Figure 1: And just like that, 2024 ties 2023’s total output of tampering CVEs… at one. More on CVE-2024-26185 in a minute

Products

  • Windows: 41 (including one shared with .NET and Visual Studio)
  • Azure: 4 (including one shared with Log Analytics Agent, OMI, OMS, and SCOM)
  • Visual Studio: 3 (including one shared with .NET and one shared with .NET and Windows)
  • .NET: 2 (including one shared with Visual Studio and one shared with Visual Studio and Windows)
  • OMI (Open Management Infrastructure): 2 (including one shared with Azure, Log Analytics Agent, OMS, and SCOM; and one shared with SCOM)
  • SCOM (System Center Operations Manager): 2 (including one shared with Azure, Log Analytics Agent, OMI, and OMS; and one shared with OMI)
  • Authenticator: 1
  • Defender: 1
  • Dynamics 365: 1
  • Exchange: 1
  • Intune: 1
  • Log Analytics Agent: 1 (shared with Azure, OMI, OMS, and SCOM)
  • Office (365 on-premises): 1
  • OMS (Operations Management Suite Agent for Linux): 1 (shared with Azure, OMI, and SCOM)
  • Outlook: 1
  • SharePoint: 1
  • Skype: 1
  • SONiC (Software for Open Networking in the Cloud): 1
  • SQL: 1
  • Teams: 1

A bar chart showing the distribution of March 2024 Microsoft patches by product / tool family; information is replicated in text

Figure 2: There’s something for everyone, as twenty tools or product groups are touched by the March Patch Tuesday angel

Notable March updates

In addition to the issues discussed above, a few specific items merit attention.

CVE-2024-26185

Windows Compressed Folder Tampering Vulnerability

One of the six issues Microsoft believes more likely to be exploited in the next 30 days, this vulnerability affects the ubiquitous 7zip. Minimal user interaction is required, most likely via email (in which the attacker sends a specially crafted file and convinces the user to open it) or via the web. This patch applies only to Win11 22H2 and Win11 23H2.

CVE-2024-21334

Open Management Infrastructure (OMI) Remote Code Execution Vulnerability

Sporting the month’s highest CVSS score (9.8 base) and yet not likely to be exploited in the next 30 days as judged by Microsoft, this RCE applies not just to OMI but to SCOM (System Center Operations Manager) 2019 and 2022 as well. If exploited, an unauthenticated remote attacker could access the OMI instance via the internet and send specially crafted requests to trigger a use-after-free vulnerability. (If patching’s not an immediate option, Linux machines that don’t need network listening can disable their incoming OMI ports by way of mitigation.)
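
To check whether that mitigation is in place, the following added example (not code from Sophos or Microsoft) audits the text of an OMI server configuration for enabled listeners. It assumes `key=value` lines with `#` comments, the listener keys `httpport` and `httpsport`, comma-separated port lists, 0 meaning disabled, and defaults of 5985/5986 when a key is absent; the sample configurations are constructed.

```python
"""Audit OMI server configuration text for network listeners (added example)."""

# Assumptions, not taken from the article: key=value lines with '#' comments,
# listener keys httpport/httpsport, comma-separated port lists, 0 = disabled,
# and 5985/5986 as the defaults when a key is absent.
DEFAULT_PORTS = {"httpport": [5985], "httpsport": [5986]}

# Constructed sample configurations.
HARDENED = "## listeners disabled\nhttpport=0\nhttpsport=0\n"
PARTIAL = "httpport=0\nhttpsport=0,1270   # constructed: one HTTPS listener left on\n"
NO_KEYS = "loglevel = WARNING\n"


def parse_omi_ports(conf_text):
    """Return {'httpport': [...], 'httpsport': [...]} from configuration text."""
    ports = {key: list(value) for key, value in DEFAULT_PORTS.items()}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key not in ports:
            continue
        items = [item.strip() for item in value.split(",")]
        # Fail closed: an empty or non-numeric entry is an error, not "disabled".
        valid = all(
            item.isascii() and item.isdigit() and int(item) <= 65535
            for item in items
        )
        if not valid:
            raise ValueError(f"line {lineno}: bad port list {value.strip()!r}")
        ports[key] = [int(item) for item in items]
    return ports


def audit(conf_text):
    """Summarise whether the configuration leaves any OMI port listening."""
    ports = parse_omi_ports(conf_text)
    listening = sorted({p for plist in ports.values() for p in plist if p != 0})
    return {"network_listening": bool(listening), "ports": listening}


if __name__ == "__main__":
    samples = [("hardened", HARDENED), ("partial", PARTIAL), ("no_keys", NO_KEYS)]
    for name, text in samples:
        print(name, audit(text))
```

Pass the contents of a host's OMI server configuration file to `audit()`; a result with `network_listening` set to true means at least one incoming port is still enabled.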

CVE-2024-21421

Azure SDK Spoofing Vulnerability

Check the date of your last deployment: Was it prior to October 19, 2023? If so, you’ll need to manually update to Azure Core Build 1.29.5 or higher. (For convenience, Azure SDK’s GitHub is available here.) Those with deployments after that date already received the fix automatically.

CVE-2024-21448

Microsoft Teams for Android Information Disclosure

There are a number of Android-related patches this month – Intune, Outlook, the Edge patch we’ll discuss below – but only this one, an important-severity Teams issue, will require a trip to the Play Store. Exploitation would allow the attacker to read files from the private directory of the application.

CVE-2024-26167

Microsoft Edge for Android Spoofing Vulnerability

As an Edge vulnerability, this one arrives with scant information from Microsoft, which in the post-IE era mainly takes its browser updates outside the Patch Tuesday cycle. As an Android vulnerability, it may be that Android users will take this update from other sources. What’s clear from Microsoft is that whatever it is and whoever’s patching it, the patch is not yet available, and that those concerned should keep an eye on the publicly posted CVE information for updates. Fortunately, with a 4.3 CVSS base score, this mystery may be a tempest in a teapot.

A bar chart showing the distribution of 2024 patch severities, by impact; RCE leads the pack

Figure 3: March continues the trend so far in 2024 of lighter-than-usual patch loads. So far in 2024 there have been 179 patches released in the normal second-Tuesday cadence, compared with 246 in 2023, 225 in 2022, 228 in 2021, and 266 in 2020

Sophos protections

| CVE | Sophos Intercept X/Endpoint IPS | Sophos XGS Firewall |
|---|---|---|
| CVE-2024-21433 | Exp/2421433-A | Exp/2421433-A |
| CVE-2024-21437 | Exp/2421437-A | Exp/2421437-A |
| CVE-2024-26160 | Exp/2426160-A | Exp/2426160-A |
| CVE-2024-26170 | Exp/2426170-A | Exp/2426170-A |
| CVE-2024-26182 | Exp/2426182-A | Exp/2426182-A |

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.

Appendix A: Vulnerability Impact and Severity

This is a list of March patches sorted by impact, then sub-sorted by severity. Each list is further organized by CVE.

Elevation of Privilege (25 CVEs)

Important severity
CVE-2024-21330 Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability
CVE-2024-21390 Microsoft Authenticator Elevation of Privilege Vulnerability
CVE-2024-21400 Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability
CVE-2024-21418 Software for Open Networking in the Cloud (SONiC) Elevation of Privilege Vulnerability
CVE-2024-21431 Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability
CVE-2024-21432 Windows Update Stack Elevation of Privilege Vulnerability
CVE-2024-21433 Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2024-21434 Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability
CVE-2024-21436 Windows Installer Elevation of Privilege Vulnerability
CVE-2024-21437 Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2024-21439 Windows Telephony Server Elevation of Privilege Vulnerability
CVE-2024-21442 Windows USB Print Driver Elevation of Privilege Vulnerability
CVE-2024-21443 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-21445 Windows USB Print Driver Elevation of Privilege Vulnerability
CVE-2024-21446 NTFS Elevation of Privilege Vulnerability
CVE-2024-26165 Visual Studio Code Elevation of Privilege Vulnerability
CVE-2024-26169 Windows Error Reporting Service Elevation of Privilege Vulnerability
CVE-2024-26170 Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability
CVE-2024-26173 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26176 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26178 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26182 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26199 Microsoft Office Elevation of Privilege Vulnerability
CVE-2024-26201 Microsoft Intune Linux Agent Elevation of Privilege Vulnerability
CVE-2024-26203 Azure Data Studio Elevation of Privilege Vulnerability

Remote Code Execution (18 CVEs)

Critical severity
CVE-2024-21407 Windows Hyper-V Remote Code Execution Vulnerability
Important severity
CVE-2024-21334 Open Management Infrastructure (OMI) Remote Code Execution Vulnerability
CVE-2024-21411 Skype for Consumer Remote Code Execution Vulnerability
CVE-2024-21426 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2024-21429 Windows USB Hub Driver Remote Code Execution Vulnerability
CVE-2024-21430 Windows USB Attached SCSI (UAS) Protocol Remote Code Execution Vulnerability
CVE-2024-21435 Windows OLE Remote Code Execution Vulnerability
CVE-2024-21440 Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2024-21441 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-21444 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-21450 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-21451 Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2024-26159 Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2024-26161 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-26162 Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2024-26164 Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability
CVE-2024-26166 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-26198 Microsoft Exchange Server Remote Code Execution Vulnerability

Denial of Service (6 CVEs)

Critical severity
CVE-2024-21408 Windows Hyper-V Denial of Service Vulnerability
Important severity
CVE-2024-21392 .NET and Visual Studio Denial of Service Vulnerability
CVE-2024-21438 Microsoft AllJoyn API Denial of Service Vulnerability
CVE-2024-26181 Windows Kernel Denial of Service Vulnerability
CVE-2024-26190 Microsoft QUIC Denial of Service Vulnerability
CVE-2024-26197 Windows Standards-Based Storage Management Service Denial of Service Vulnerability

Information Disclosure (5 CVEs)

Important severity
CVE-2024-21448 Microsoft Teams for Android Information Disclosure
CVE-2024-26160 Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability
CVE-2024-26174 Windows Kernel Information Disclosure Vulnerability
CVE-2024-26177 Windows Kernel Information Disclosure Vulnerability
CVE-2024-26204 Outlook for Android Information Disclosure Vulnerability

Security Feature Bypass (2 CVEs)

Important severity
CVE-2024-20671 Microsoft Defender Security Feature Bypass Vulnerability
CVE-2024-21427 Windows Kerberos Security Feature Bypass Vulnerability

Spoofing (2 CVEs)

Important severity
CVE-2024-21419 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVE-2024-21421 Azure SDK Spoofing Vulnerability

Tampering (1 CVE)

Important severity
CVE-2024-26185 Windows Compressed Folder Tampering Vulnerability

Appendix B: Exploitability

This is a list of the March CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release. The list is organized by CVE.

Exploitation more likely within the next 30 days
CVE-2024-21433 Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2024-21437 Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2024-26160 Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability
CVE-2024-26170 Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability
CVE-2024-26182 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26185 Windows Compressed Folder Tampering Vulnerability

Appendix C: Products Affected

This is a list of March’s patches sorted by product family, then sub-sorted by severity. Each list is further organized by CVE. Patches that are shared among multiple product families are listed multiple times, once for each product family.

Windows (41 CVEs)

Critical severity
CVE-2024-21407 Windows Hyper-V Remote Code Execution Vulnerability
CVE-2024-21408 Windows Hyper-V Denial of Service Vulnerability
Important severity
CVE-2024-21427 Windows Kerberos Security Feature Bypass Vulnerability
CVE-2024-21429 Windows USB Hub Driver Remote Code Execution Vulnerability
CVE-2024-21430 Windows USB Attached SCSI (UAS) Protocol Remote Code Execution Vulnerability
CVE-2024-21431 Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability
CVE-2024-21432 Windows Update Stack Elevation of Privilege Vulnerability
CVE-2024-21433 Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2024-21434 Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability
CVE-2024-21435 Windows OLE Remote Code Execution Vulnerability
CVE-2024-21436 Windows Installer Elevation of Privilege Vulnerability
CVE-2024-21437 Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2024-21438 Microsoft AllJoyn API Denial of Service Vulnerability
CVE-2024-21439 Windows Telephony Server Elevation of Privilege Vulnerability
CVE-2024-21440 Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2024-21441 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-21442 Windows USB Print Driver Elevation of Privilege Vulnerability
CVE-2024-21443 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-21444 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-21445 Windows USB Print Driver Elevation of Privilege Vulnerability
CVE-2024-21446 NTFS Elevation of Privilege Vulnerability
CVE-2024-21450 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-21451 Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2024-26159 Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2024-26160 Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability
CVE-2024-26161 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-26162 Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2024-26166 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-26169 Windows Error Reporting Service Elevation of Privilege Vulnerability
CVE-2024-26170 Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability
CVE-2024-26173 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26174 Windows Kernel Information Disclosure Vulnerability
CVE-2024-26176 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26177 Windows Kernel Information Disclosure Vulnerability
CVE-2024-26178 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26181 Windows Kernel Denial of Service Vulnerability
CVE-2024-26182 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26185 Windows Compressed Folder Tampering Vulnerability
CVE-2024-26190 Microsoft QUIC Denial of Service Vulnerability
CVE-2024-26197 Windows Standards-Based Storage Management Service Denial of Service Vulnerability

Azure (4 CVEs)

Important severity
CVE-2024-21330 Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability
CVE-2024-21400 Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability
CVE-2024-21421 Azure SDK Spoofing Vulnerability
CVE-2024-26203 Azure Data Studio Elevation of Privilege Vulnerability

Visual Studio (3 CVEs)

Important severity
CVE-2024-21392 .NET and Visual Studio Denial of Service Vulnerability
CVE-2024-26165 Visual Studio Code Elevation of Privilege Vulnerability
CVE-2024-26190 Microsoft QUIC Denial of Service Vulnerability

.NET (2 CVEs)

Important severity
CVE-2024-21392 .NET and Visual Studio Denial of Service Vulnerability
CVE-2024-26190 Microsoft QUIC Denial of Service Vulnerability

OMI (2 CVEs)

Important severity
CVE-2024-21330 Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability
CVE-2024-21334 Open Management Infrastructure (OMI) Remote Code Execution Vulnerability

SCOM (2 CVEs)

Important severity
CVE-2024-21330 Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability
CVE-2024-21334 Open Management Infrastructure (OMI) Remote Code Execution Vulnerability

Authenticator (1 CVE)

Important severity
CVE-2024-21390 Microsoft Authenticator Elevation of Privilege Vulnerability

Defender (1 CVE)

Important severity
CVE-2024-20671 Microsoft Defender Security Feature Bypass Vulnerability

Dynamics 365 (1 CVE)

Important severity
CVE-2024-21419 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

Exchange (1 CVE)

Important severity
CVE-2024-26198 Microsoft Exchange Server Remote Code Execution Vulnerability

Intune (1 CVE)

Important severity
CVE-2024-26201 Microsoft Intune Linux Agent Elevation of Privilege Vulnerability

Log Analytics Agent (1 CVE)

Important severity
CVE-2024-21330 Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability

Office (1 CVE)

Important severity
CVE-2024-26199 Microsoft Office Elevation of Privilege Vulnerability

OMS (1 CVE)

Important severity
CVE-2024-21330 Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability

Outlook (1 CVE)

Important severity
CVE-2024-26204 Outlook for Android Information Disclosure Vulnerability

SharePoint (1 CVE)

Important severity
CVE-2024-21426 Microsoft SharePoint Server Remote Code Execution Vulnerability

Skype (1 CVE)

Important severity
CVE-2024-21411 Skype for Consumer Remote Code Execution Vulnerability

SONiC (1 CVE)

Important severity
CVE-2024-21418 Software for Open Networking in the Cloud (SONiC) Elevation of Privilege Vulnerability

SQL (1 CVE)

Important severity
CVE-2024-26164 Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability

Teams for Android (1 CVE)

Important severity
CVE-2024-21448 Microsoft Teams for Android Information Disclosure

Appendix D: Advisories and Other Products

This is a list of advisories and information on other relevant CVEs in the March Microsoft release, sorted by product.

Relevant to Edge / Chromium (4 CVEs)

CVE-2024-2173 Chromium: CVE-2024-2173 Out of bounds memory access in V8
CVE-2024-2174 Chromium: CVE-2024-2174 Inappropriate implementation in V8
CVE-2024-2176 Chromium: CVE-2024-2176 Use after free in FedCM
CVE-2024-26167 Microsoft Edge for Android Spoofing Vulnerability

Relevant to Windows (non-Microsoft release) (one CVE)

CVE-2023-28746 Intel: CVE-2023-28746 Register File Data Sampling (RFDS)
