Microsoft on Tuesday launched its month-to-month safety replace, addressing 61 completely different safety flaws spanning its software program, together with two important points impacting Home windows Hyper-V that would result in denial-of-service (DoS) and distant code execution.
Of the 61 vulnerabilities, two are rated Vital, 58 are rated Essential, and one is rated Low in severity. Not one of the flaws are listed as publicly identified or underneath energetic assault on the time of the discharge, however six of them have been tagged with an “Exploitation Extra Probably” evaluation.
The fixes are along with 17 safety flaws which have been patched within the firm’s Chromium-based Edge browser for the reason that launch of the February 2024 Patch Tuesday updates.
Topping the record of important shortcomings are CVE-2024-21407 and CVE-2024-21408, which have an effect on Hyper-V and will lead to distant code execution and a DoS situation, respectively.
Microsoft’s replace additionally addresses privilege escalation flaws within the Azure Kubernetes Service Confidential Container (CVE-2024-21400, CVSS rating: 9.0), Home windows Composite Picture File System (CVE-2024-26170, CVSS rating: 7.8), and Authenticator (CVE-2024-21390, CVSS rating: 7.1).
Profitable exploitation of CVE-2024-21390 requires the attacker to have a neighborhood presence on the system both through malware or a malicious utility already put in through another means. It additionally necessitates that the sufferer closes and re-opens the Authenticator app.
“Exploitation of this vulnerability may permit an attacker to achieve entry to multi-factor authentication codes for the sufferer’s accounts, in addition to modify or delete accounts within the authenticator app however not stop the app from launching or working,” Microsoft mentioned in an advisory.
“Whereas exploitation of this flaw is taken into account much less probably, we all know that attackers are eager to seek out methods to bypass multi-factor authentication,” Satnam Narang, senior employees analysis engineer at Tenable, mentioned in a press release shared with The Hacker Information.
“Getting access to a goal system is unhealthy sufficient as they’ll monitor keystrokes, steal information and redirect customers to phishing web sites, but when the purpose is to stay stealth, they might preserve this entry and steal multi-factor authentication codes with the intention to login to delicate accounts, steal information or hijack the accounts altogether by altering passwords and changing the multi-factor authentication system, successfully locking the person out of their accounts.”
One other vulnerability of observe is a privilege escalation bug within the Print Spooler part (CVE-2024-21433, CVSS rating: 7.0) that would allow an attacker to acquire SYSTEM privileges however solely upon successful a race situation.
The replace additionally plugs a distant code execution flaw in Change Server (CVE-2024-26198, CVSS rating: 8.8) that an unauthenticated menace actor may abuse by inserting a specifically crafted file onto a web-based listing and tricking a sufferer into opening it, ensuing within the execution of malicious DLL information.
The vulnerability with the very best CVSS ranking is CVE-2024-21334 (CVSS rating: 9.8), which considerations a case of distant code execution affecting the Open Administration Infrastructure (OMI).
“A distant unauthenticated attacker may entry the OMI occasion from the Web and ship specifically crafted requests to set off a use-after-free vulnerability,” Redmond mentioned.
“The primary quarter of Patch Tuesday in 2024 has been quieter in comparison with the final 4 years,” Narang mentioned. “On common, there have been 237 CVEs patched within the first quarter from 2020 by way of 2023. Within the first quarter of 2024, Microsoft solely patched 181 CVEs. The typical variety of CVEs patched in March over the past 4 years was 86.”
Software program Patches from Different Distributors
Along with Microsoft, safety updates have additionally been launched by different distributors over the previous few weeks to rectify a number of vulnerabilities, together with —