Microsoft on Tuesday released its monthly security update, addressing 61 different security flaws spanning its software, including two critical issues impacting Windows Hyper-V that could lead to denial-of-service (DoS) and remote code execution.
Of the 61 vulnerabilities, two are rated Critical, 58 are rated Important, and one is rated Low in severity. None of the flaws are listed as publicly known or under active attack at the time of release, but six of them have been tagged with an "Exploitation More Likely" assessment.
The fixes are in addition to 17 security flaws that have been patched in the company's Chromium-based Edge browser since the release of the February 2024 Patch Tuesday updates.
Topping the list of critical shortcomings are CVE-2024-21407 and CVE-2024-21408, which affect Hyper-V and could result in remote code execution and a DoS condition, respectively.
Microsoft's update also addresses privilege escalation flaws in the Azure Kubernetes Service Confidential Container (CVE-2024-21400, CVSS score: 9.0), Windows Composite Image File System (CVE-2024-26170, CVSS score: 7.8), and Authenticator (CVE-2024-21390, CVSS score: 7.1).
Successful exploitation of CVE-2024-21390 requires the attacker to have a local presence on the device, either through malware or a malicious application already installed by some other means. It also requires that the victim closes and re-opens the Authenticator app.
"Exploitation of this vulnerability could allow an attacker to gain access to multi-factor authentication codes for the victim's accounts, as well as modify or delete accounts in the authenticator app but not prevent the app from launching or running," Microsoft said in an advisory.
"While exploitation of this flaw is considered less likely, we know that attackers are keen to find ways to bypass multi-factor authentication," Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.
"Having access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites, but if the goal is to remain stealthy, they could maintain this access and steal multi-factor authentication codes in order to login to sensitive accounts, steal data or hijack the accounts altogether by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts."
Another vulnerability of note is a privilege escalation bug in the Print Spooler component (CVE-2024-21433, CVSS score: 7.0) that could allow an attacker to gain SYSTEM privileges, but only upon winning a race condition.
The update also plugs a remote code execution flaw in Exchange Server (CVE-2024-26198, CVSS score: 8.8) that an unauthenticated threat actor could abuse by placing a specially crafted file onto an online directory and tricking a victim into opening it, resulting in the execution of malicious DLL files.
The vulnerability with the highest CVSS rating is CVE-2024-21334 (CVSS score: 9.8), which concerns a case of remote code execution affecting the Open Management Infrastructure (OMI).
"A remote unauthenticated attacker could access the OMI instance from the Internet and send specially crafted requests to trigger a use-after-free vulnerability," Redmond said.
"The first quarter of Patch Tuesday in 2024 has been quieter compared to the last four years," Narang said. "On average, there were 237 CVEs patched in the first quarter from 2020 through 2023. In the first quarter of 2024, Microsoft only patched 181 CVEs. The average number of CVEs patched in March over the last four years was 86."
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors over the past couple of months to rectify several vulnerabilities, including:
- Adobe
- AMD
- Android
- Apple
- Aruba Networks
- Arm
- Bosch
- Canon
- Cisco
- Citrix
- CODESYS
- Dell
- Drupal
- F5
- Fortinet
- GitLab
- Google Chrome
- Google Cloud
- Google Wear OS
- Hikvision
- Hitachi Energy
- HP
- IBM
- Intel
- Jenkins
- JetBrains TeamCity
- Lenovo
- Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
- MediaTek
- Mitsubishi Electric
- MongoDB
- Mozilla Firefox, Firefox ESR, and Thunderbird
- NETGEAR
- NVIDIA
- Progress Software OpenEdge
- QNAP
- Qualcomm
- Samsung
- SAP
- Schneider Electric
- Siemens
- SolarWinds
- SonicWall
- Spring Framework
- Synology
- VMware
- Zoom, and
- Zyxel
Some parts of this article are sourced from:
thehackernews.com