Microsoft released its monthly security update on Tuesday, fixing 61 different security flaws affecting its software, including two critical issues affecting Windows Hyper-V that could lead to denial of service (DoS) and remote code execution.
Of the 61 vulnerabilities, two are rated critical, 58 are rated important, and one has a low severity rating. None of the flaws are listed as publicly known or under active attack at the time of release, but six of them have been labeled with an “Exploitation Most Likely” rating.
The fixes add to the 17 security flaws that have been fixed in the company’s Chromium-based Edge browser since the release of the February 2024 Patch Tuesday updates.
At the top of the list of critical flaws are CVE-2024-21407 and CVE-2024-21408, which affect Hyper-V and could result in remote code execution and a DoS condition, respectively.
Microsoft’s update also addresses privilege escalation flaws in the Azure Kubernetes Service Reserved Container (CVE-2024-21400, CVSS score: 9.0), Windows Composite Image File System (CVE-2024-26170, CVSS score: 7.8) and the Authenticator app (CVE-2024-21390, CVSS score: 7.1).
Successfully exploiting CVE-2024-21390 requires the attacker to be present locally on the device via malware or a malicious application already installed through other means. The victim also needs to close and reopen the Authenticator app.
“Exploitation of this vulnerability could allow an attacker to gain access to multi-factor authentication codes for victim accounts, as well as modify or delete accounts in the authenticator app, but would not prevent the app from launching or running,” Microsoft said in an advisory.
“While exploitation of this flaw is considered less likely, we know that attackers are eager to find ways to bypass multi-factor authentication,” said Satnam Narang, senior research engineer at Tenable, in a statement shared with The Hacker News.
“Having access to a targeted device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites, but if the goal is to remain invisible, they could maintain this access and steal multi-factor authentication codes to access sensitive accounts, steal data, or take full control of accounts by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts.”
Another notable vulnerability is a privilege escalation bug in the Print Spooler component (CVE-2024-21433, CVSS score: 7.0), which could allow an attacker to gain SYSTEM privileges, but only after winning a race condition.
The update also addresses a remote code execution flaw in Exchange Server (CVE-2024-26198, CVSS score: 8.8) that an unauthenticated threat actor could abuse by placing a specially crafted file in an online directory and tricking the victim into opening it, resulting in the execution of malicious DLL files.
The vulnerability with the highest CVSS score is CVE-2024-21334 (CVSS score: 9.8), a remote code execution flaw affecting Open Management Infrastructure (OMI).
“An unauthenticated, remote attacker could access the OMI instance from the Internet and send specially crafted requests to trigger a use-after-free vulnerability,” Redmond said.
“The first quarter of Patch Tuesday 2024 was quieter than the last four years,” Narang said. “On average, 237 CVEs were patched in the first quarter of 2020 to 2023. In the first quarter of 2024, Microsoft patched only 181 CVEs. The average number of CVEs patched in March over the last four years was 86.”
Software patches from other vendors
In addition to Microsoft, security updates from other vendors have also been released in recent weeks to fix several vulnerabilities, including: