Microsoft fixes 61 vulnerabilities, including critical Hyper-V flaws, in its March updates.
On Tuesday, Microsoft published its monthly security update, which addressed 61 separate security weaknesses in its software, including two major concerns affecting Windows Hyper-V that might result in denial-of-service (DoS) and remote code execution.
Two of the 61 vulnerabilities are classified as critical, 58 as important, and one as low severity. None of the flaws was reported as publicly known or under active attack at the time of release, although six of them were assigned an “Exploitation More Likely” rating.
The fixes come on top of the 17 security weaknesses addressed in the company’s Chromium-based Edge browser since the February 2024 Patch Tuesday updates.
The two most serious flaws are CVE-2024-21407 and CVE-2024-21408, which affect Hyper-V and could lead to remote code execution and a DoS condition, respectively.
Microsoft’s update also fixes privilege escalation flaws in Azure Kubernetes Service Confidential Containers (CVE-2024-21400, CVSS score: 9.0), the Windows Composite Image File System (CVE-2024-26170, CVSS score: 7.8), and Microsoft Authenticator (CVE-2024-21390, CVSS score: 7.1).
To exploit CVE-2024-21390, an attacker must already have a local presence on the device, either via malware or by having a malicious application installed through some other means. Exploitation also requires the victim to close and reopen the Authenticator app.
“Exploitation of this vulnerability could allow an attacker to gain access to multi-factor authentication codes for the victim’s accounts, as well as modify or delete accounts in the authenticator app but not prevent the app from launching or running,” according to a security alert issued by Microsoft.
“While exploiting this flaw is less likely, we know that attackers are eager to find ways to bypass multi-factor authentication,” Satnam Narang, senior staff research engineer at Tenable, said in a statement published by The Hacker News.
“Having access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites, but if the goal is to remain stealthy, they could maintain this access and steal multi-factor authentication codes in order to log in to sensitive accounts, steal data or hijack the accounts altogether by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts.”
Another notable vulnerability is a privilege escalation flaw in the Print Spooler component (CVE-2024-21433, CVSS score: 7.0), which could allow an attacker to gain SYSTEM privileges by winning a race condition.
The update also addresses a remote code execution flaw in Exchange Server (CVE-2024-26198, CVSS score: 8.8) that an unauthenticated threat actor could exploit by placing a specially crafted file in an online directory and tricking a victim into opening it, resulting in the loading of malicious DLL files.
The vulnerability with the highest CVSS rating is CVE-2024-21334 (CVSS score: 9.8), a remote code execution flaw in Open Management Infrastructure (OMI).
“A remote unauthenticated attacker could access the OMI instance from the Internet and send specially crafted requests to trigger a use-after-free vulnerability,” Redmond noted in a statement.
“The first quarter of Patch Tuesday in 2024 has been quieter compared to the last four years,” Narang told reporters. “On average, 237 CVEs were fixed in the first quarter from 2020 to 2023. In the first quarter of 2024, Microsoft fixed just 181 CVEs. The average number of CVEs fixed in March during the previous four years was 86.”