The Cyber Security News


Microsoft’s March Updates Fix 61 Vulnerabilities, Including Critical Hyper-V Flaws

March 13, 2024

Microsoft on Tuesday released its monthly security update, addressing 61 different security flaws spanning its software, including two critical issues impacting Windows Hyper-V that could lead to denial-of-service (DoS) and remote code execution.

Of the 61 vulnerabilities, two are rated Critical, 58 are rated Important, and one is rated Low in severity. None of the flaws are listed as publicly known or under active attack at the time of the release, but six of them have been tagged with an “Exploitation More Likely” assessment.

The fixes are in addition to 17 security flaws that have been patched in the company’s Chromium-based Edge browser since the release of the February 2024 Patch Tuesday updates.

Topping the list of critical shortcomings are CVE-2024-21407 and CVE-2024-21408, which affect Hyper-V and could result in remote code execution and a DoS condition, respectively.

Microsoft’s update also addresses privilege escalation flaws in the Azure Kubernetes Service Confidential Container (CVE-2024-21400, CVSS score: 9.), Windows Composite Image File System (CVE-2024-26170, CVSS score: 7.8), and Authenticator (CVE-2024-21390, CVSS score: 7.1).

Successful exploitation of CVE-2024-21390 requires the attacker to have a local presence on the device, either via malware or a malicious application already installed by some other means. It also requires that the victim closes and re-opens the Authenticator app.

“Exploitation of this vulnerability could allow an attacker to gain access to multi-factor authentication codes for the victim’s accounts, as well as modify or delete accounts in the authenticator app but not prevent the app from launching or running,” Microsoft said in an advisory.

“While exploitation of this flaw is considered less likely, we know that attackers are keen to find ways to bypass multi-factor authentication,” Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.

“Having access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites, but if the goal is to remain stealth, they could maintain this access and steal multi-factor authentication codes in order to login to sensitive accounts, steal data or hijack the accounts altogether by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts.”

Another vulnerability of note is a privilege escalation bug in the Print Spooler component (CVE-2024-21433, CVSS score: 7.) that could allow an attacker to obtain SYSTEM privileges, but only upon winning a race condition.

The update also plugs a remote code execution flaw in Exchange Server (CVE-2024-26198, CVSS score: 8.8) that an unauthenticated threat actor could abuse by placing a specially crafted file onto an online directory and tricking a victim into opening it, resulting in the execution of malicious DLL files.

The vulnerability with the highest CVSS rating is CVE-2024-21334 (CVSS score: 9.8), which concerns a case of remote code execution affecting the Open Management Infrastructure (OMI).

“A remote unauthenticated attacker could access the OMI instance from the Internet and send specially crafted requests to trigger a use-after-free vulnerability,” Redmond said.

“The first quarter of Patch Tuesday in 2024 has been quieter compared to the last four years,” Narang said. “On average, there were 237 CVEs patched in the first quarter from 2020 through 2023. In the first quarter of 2024, Microsoft only patched 181 CVEs. The average number of CVEs patched in March over the last four years was 86.”

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including:

  • Adobe
  • AMD
  • Android
  • Apple
  • Aruba Networks
  • Arm
  • Bosch
  • Canon
  • Cisco
  • Citrix
  • CODESYS
  • Dell
  • Drupal
  • F5
  • Fortinet
  • GitLab
  • Google Chrome
  • Google Cloud
  • Google Wear OS
  • Hikvision
  • Hitachi Energy
  • HP
  • IBM
  • Intel
  • Jenkins
  • JetBrains TeamCity
  • Lenovo
  • Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
  • MediaTek
  • Mitsubishi Electric
  • MongoDB
  • Mozilla Firefox, Firefox ESR, and Thunderbird
  • NETGEAR
  • NVIDIA
  • Progress Software OpenEdge
  • QNAP
  • Qualcomm
  • Samsung
  • SAP
  • Schneider Electric
  • Siemens
  • SolarWinds
  • SonicWall
  • Spring Framework
  • Synology
  • VMware
  • Zoom, and
  • Zyxel

Some parts of this article are sourced from:
thehackernews.com