On March Patch Day 2024, Microsoft issued security notices for 59 vulnerabilities. There are several vulnerabilities that are classified as critical and need to be addressed. What is encouraging, however, is that, according to the Redmond company's findings, none of the gaps have been actively attacked yet.
Microsoft's CVE Entry Summary lists 63 entries for March, three of which are updates to older vulnerability reports and one about an Intel vulnerability. Products from all Microsoft divisions are affected, from Android software, operating systems and virtualization to Azure cloud software.
Two critical vulnerabilities on patch day
A vulnerability in System Center Operations Manager (SCOM) affects the Open Management Infrastructure (OMI). Attackers can reach the OMI instance over the Internet without prior authentication and send specially crafted requests that trigger a use-after-free bug and allow malicious code to be injected (CVE-2024-21334, CVSS 9.8, risk "critical"). As a countermeasure, IT managers can deactivate the OMI ports on Linux computers that do not require network monitoring, Microsoft's developers write in the security notice.
In Microsoft's Azure Kubernetes Service (AKS) Confidential Container, attackers can also expand their rights and access login information (CVE-2024-21400, CVSS 9.0, critical). The security notice explains how IT managers can take protective measures against abuse of the vulnerability.
Deviating from the CVSS classification, Microsoft rates two vulnerabilities in Hyper-V as "critical": one that allows attackers to inject malicious code (CVE-2024-21407, CVSS 8.1, high) and a denial-of-service vulnerability (CVE-2024-21408, CVSS 5.5, medium).
Microsoft considers exploitation of the vulnerabilities in the Print Spooler, the Microsoft Graphics component, the Cloud Files Mini Filter Driver, the Windows Composite Image file system, the Windows kernel and compressed folders to be very likely. IT managers should therefore not put off applying the available updates, but act quickly.
On February Patch Day, Microsoft had closed a security hole in Exchange Server that was already being actively attacked.
(dmk)