On Tuesday, Microsoft rolled out its monthly security update, addressing a total of 61 security vulnerabilities across its software, with two critical flaws affecting Windows Hyper-V, potentially leading to denial-of-service (DoS) and remote code execution.
Out of the 61 vulnerabilities, two are labeled Critical, 58 are deemed Important, and one is rated as Low in severity. At the time of release, none of the flaws were reported as publicly known or actively exploited. However, six vulnerabilities were marked with an “Exploitation More Likely” assessment.
These updates come on top of the 17 security flaws addressed in Microsoft’s Chromium-based Edge browser since the February 2024 Patch Tuesday updates.
The most significant critical vulnerabilities, CVE-2024-21407 and CVE-2024-21408, impact Hyper-V, posing risks of remote code execution and a DoS condition, respectively.
Microsoft’s latest update also tackles privilege escalation flaws in various services, including Azure Kubernetes Service Confidential Container, Windows Composite Image File System, and Authenticator. Notably, the Authenticator flaw (CVE-2024-21390) requires local access on the victim’s device, potentially granting attackers access to multi-factor authentication codes and the ability to modify or delete accounts.
A notable privilege escalation bug in the Print Spooler component (CVE-2024-21433) allows attackers to obtain SYSTEM privileges through a race condition.
Furthermore, the update addresses a remote code execution vulnerability in Exchange Server (CVE-2024-26198), which an unauthenticated attacker could exploit by placing a specially crafted file in an online directory and tricking a victim into opening it.
The vulnerability with the highest CVSS score, CVE-2024-21334, is a remote code execution flaw in Open Management Infrastructure (OMI): a remote, unauthenticated attacker could exploit it by triggering a use-after-free condition.
Patch Tuesday releases in the first quarter of 2024 have been comparatively quieter than in the previous four years: Microsoft patched 181 CVEs, versus an average of 237 CVEs for the same period in 2020-2023. The average number of CVEs patched in March over the last four years was 86.
Several other vendors have also released security updates to address vulnerabilities in their respective software, including Adobe, AMD, Android, Apple, Aruba Networks, and many more.