    Microsoft March update fixes 61 vulnerabilities, including critical Hyper-V flaw

    By techempire

    March 13, 2024 | Editorial Department | Patch Tuesday / Software Update

    Microsoft released a monthly security update on Tuesday that addresses 61 different security vulnerabilities in its software, including two critical issues affecting Windows Hyper-V that could lead to denial of service (DoS) and remote code execution.

    Of the 61 vulnerabilities, 2 vulnerabilities are rated Critical, 58 vulnerabilities are rated Important, and 1 vulnerability is rated Low severity. At the time of publication, none of the flaws were listed as publicly known or under active attack, but six of them have been flagged for a “more likely to be exploited” assessment.

    These are in addition to 17 security vulnerabilities fixed in the company’s Chromium-based Edge browser since the release of the February 2024 Patch Tuesday update.

    The most severe flaws are CVE-2024-21407 and CVE-2024-21408, which affect Hyper-V and can lead to remote code execution and DoS conditions respectively.

    Microsoft’s update also addresses flaws in Azure Kubernetes Service Confidential Container (CVE-2024-21400, CVSS score: 9.0), Windows Composite Image File System (CVE-2024-26170, CVSS score: 7.8), and Authenticator (CVE-2024-21390, CVSS score: 7.1).

    Successful exploitation of CVE-2024-21390 requires the attacker to have local presence on the device via malware or a malicious application that has been installed through other means. It also requires the victim to close and reopen the authenticator app.

    “Exploiting this vulnerability could allow an attacker to access the victim’s account’s multi-factor authentication code and modify or delete accounts in the Authenticator application, but would not prevent the application from launching or running,” Microsoft said in an advisory.

    “While exploiting this flaw is considered less likely, we know attackers are keen on finding ways to bypass multi-factor authentication,” Satnam Narang, senior research engineer at Tenable, said in a statement shared with The Hacker News.

    “Access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing sites, but if the goal is to remain stealthy, they can maintain that access and steal multi-factor authentication codes to log in, effectively locking users out of their accounts by changing passwords and replacing multi-factor authentication devices, attacking sensitive accounts, stealing data, or completely hijacking accounts.”

    Another vulnerability of note is a privilege escalation bug in the Print Spooler component (CVE-2024-21433, CVSS score: 7.0), which could allow an attacker to gain SYSTEM privileges, but only if a race condition is won.

    The update also fixes a remote code execution flaw in Exchange Server (CVE-2024-26198, CVSS score: 8.8) that could allow an unauthenticated threat actor to place a specially crafted file in an online directory and trick the victim into opening it, leading to the execution of a malicious DLL file.

    The vulnerability with the highest CVSS rating is CVE-2024-21334 (CVSS score: 9.8), a remote code execution flaw affecting the Open Management Infrastructure (OMI).

    “An unauthenticated remote attacker could access an OMI instance from the Internet and send a specially crafted request to trigger a use-after-free vulnerability,” Redmond said.

    “The first season of Patch Tuesday 2024 has been quiet compared to the past four years,” Narang said. “On average, Microsoft patched 237 CVEs from 2020 to the first quarter of 2023. In the first quarter of 2024, Microsoft patched only 181 CVEs. The average number of CVEs patched in March over the past four years was 86.”

    Software patches from other vendors

    In addition to Microsoft, other vendors have released security updates over the past few weeks to fix multiple vulnerabilities, including —
