59 CVEs primed for Microsoft’s March Patch Tuesday – Sophos News

On Tuesday Microsoft launched 59 CVEs, together with 41 for Home windows. A outstanding 20 different product teams or instruments are additionally affected. Of the CVEs addressed, simply two are thought-about Crucial in severity by Microsoft, each in Home windows (particularly, in Hyper-V).

At patch time, not one of the points has been publicly disclosed, or is understood to be underneath lively exploit within the wild. Six of the important-severity vulnerabilities in Home windows are by the corporate’s estimation extra more likely to be exploited within the subsequent 30 days. 5 of the problems addressed are amenable to detection by Sophos protections, and we embrace info on these in a desk under.

Along with these patches the discharge included advisory info on 4 patches associated to the Edge browser; three of these CVEs had been assigned by the Chrome workforce, not Microsoft. (Extra on Microsoft’s Edge patch, CVE-2024-26167, in a minute.) There’s additionally one Vital-severity situation, CVE-2023-28746, for which advisory info is given this month.

We don’t embrace advisories within the CVE counts and graphics under, however we offer info on all of them in an appendix on the finish of the article. We’re as ordinary together with on the finish of this submit three different appendices itemizing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product household.

By the Numbers

• Whole Microsoft CVEs (excluding Edge): 59
• Whole Edge / Chrome points coated in replace: 4
• Whole non-Microsoft CVEs coated in replace: 1
• Publicly disclosed: 0
• Exploited: 0
• Severity
  • Crucial: 2
  • Vital: 57
• • Elevation of Privilege: 25
  • Distant Code Execution: 18
  • Denial of Service: 6
  • Info Disclosure: 5
  • Safety Function Bypass: 2
  • Spoofing: 2
  • Tampering: 1

Determine 1: And identical to that, 2024 ties 2023’s whole output of tampering CVEs… at one. Extra on CVE-2024-26185 in a minute

Merchandise

• Home windows: 41 (together with one shared with .NET and Visible Studio)
• Azure: 4 (together with one shared with Log Analytics Agent, OMI, OMS, and SCOM)
• Visible Studio: 3 (together with one shared with .NET and one shared with .NET and Home windows)
• .NET: 2 (together with one shared with Visible Studio and one shared with Visible Studio and Home windows)
• OMI (Open Administration Infrastructure): 2 (together with one shared with Azure, Log Analytics Agent, OMS, and SCOM; and one shared with SCOM)
• SCOM (System Heart Operations Supervisor): 2 (together with one shared with Azure, Log Analytics Agent, OMI, and OMS; and one shared with OMI
• Authenticator: 1
• Defender: 1
• Dynamics 365: 1
• Alternate: 1
• Intune: 1
• Log Analytics Agent: 1 (shared with Azure, OMI, OMS, and SCOM)
• Workplace (365 on-premises): 1
• OMS (Operations Administration Suite Agent for Linux): 1 (shared with Azure, OMI, and SCOM)
• Outlook: 1
• SharePoint: 1
• Skype: 1
• SONiC (Software program for Open Networking within the Cloud): 1
• SQL: 1
• Groups: 1

Determine 2: There’s one thing for everybody, as twenty instruments or product teams are touched by the March Patch Tuesday angel

Notable March updates

Along with the problems mentioned above, a number of particular gadgets advantage consideration.

CVE-2024-26185

Home windows Compressed Folder Tampering Vulnerability

One of many six points Microsoft believes extra more likely to be exploited within the subsequent 30 days, this vulnerability impacts the ever present 7zip. Minimal consumer interplay is required, almost definitely by way of e mail (wherein the attacker sends a specifically crafted file and convinces the consumer to open it) or by way of the net. This patch applies solely to Win11 22H2 and Win11 23H2.

CVE-2024-21334

Open Administration Infrastructure (OMI) Distant Code Execution Vulnerability

Sporting the month’s highest CVSS rating (9.8 base) and but not more likely to be exploited within the subsequent 30 days as judged by Microsoft, this RCE applies to not simply OMI however to SCOM (System Heart Operations Supervisor) 2019 and 2022 as nicely. If exploited, a unauthenticated distant attacker might entry the OMI occasion by way of the web and ship specifically crafted requests to set off a use-after-free vulnerability. (If patching’s not a direct possibility, Linux machines that don’t want community listening can disable their incoming OMI ports by the use of mitigation.)

CVE-2024-21421

Azure SDK Spoofing Vulnerability

Examine the date of your final deployment: Was it previous to October 19, 2023? If that’s the case, you’ll must manually replace to Azure Core Construct 1.29.5 or increased. (For comfort, Azure SDK’s GitHub is on the market right here.) These with deployments after that date already obtained the repair mechanically.

CVE-2024-21448

Microsoft Groups for Android Info Disclosure

There are a variety of Android-related patches this month – Intune, Outlook, the Edge patch we’ll talk about under – however solely this one, an important-severity Groups situation, would require a visit to the Play Retailer. Exploitation would permit the attacker to learn information from the personal listing of the applying.

CVE-2024-26167

Microsoft Edge for Android Spoofing Vulnerability

As an Edge vulnerability, this one arrives with scant info from Microsoft, which within the post-IE period primarily takes its browser updates exterior the Patch Tuesday cycle. As an Android vulnerability, it could be that Android customers will take this replace from different sources. What’s clear from Microsoft is that no matter it’s and whoever’s patching it, the patch isn’t but obtainable, and that these involved ought to keep watch over the publicly posted CVE info for updates. Thankfully, with a 4.3 CVSS base rating, this thriller could be a tempest in a teapot.

Determine 3: March continues the pattern thus far in 2024 of lighter-than-usual patch hundreds. Thus far in 2024 there have been 179 patches launched within the regular second-Tuesday cadence, in contrast with 246 in 2023, 225 in 2022, 228 in 2021, and 266 in 2020

Sophos protections

As you’ll be able to each month, in the event you don’t wish to wait on your system to drag down Microsoft’s updates itself, you’ll be able to obtain them manually from the Home windows Replace Catalog web site. Run the winver.exe software to find out which construct of Home windows 10 or 11 you’re working, then obtain the Cumulative Replace package deal on your particular system’s structure and construct quantity.

Appendix A: Vulnerability Influence and Severity

This can be a checklist of March patches sorted by affect, then sub-sorted by severity. Every checklist is additional organized by CVE.

Elevation of Privilege (25 CVEs)

Distant Code Execution (18 CVEs)

Denial of Service (6 CVEs)

info Disclosure (5 CVEs)

Safety Function Bypass (2 CVEs)

Spoofing (2 CVEs)

Tampering (1 CVE)

Appendix B: Exploitability

This can be a checklist of the March CVEs judged by Microsoft to be extra more likely to be exploited within the wild inside the first 30 days post-release. The checklist is organized by CVE.

Appendix C: Merchandise Affected

This can be a checklist of March’s patches sorted by product household, then sub-sorted by severity. Every checklist is additional organized by CVE. Patches which can be shared amongst a number of product households are listed a number of occasions, as soon as for every product household.

Home windows (41 CVEs)

Azure (4 CVEs)

Visible Studio (3 CVEs)

.NET (2 CVEs)

OMI (2 CVEs)

SCOM (2 CVEs)

Authenticator (1 CVE)

Defender (1 CVE)

Dynamics 365 (1 CVE)

Alternate (1 CVE)

Intune (1 CVE)

Regulation Analytics Agent (1 CVE)

Workplace (1 CVE)

OMS (1 CVE)

Outlook (1 CVE)

SharePoint (1 CVE)

Skype (1 CVE)

SONiC (1 CVE)

SQL (1 CVE)

Groups for Android (1 CVE)

Appendix D: Advisories and Different Merchandise

This can be a checklist of advisories and data on different related CVEs within the March Microsoft launch, sorted by product.

Related to Edge / Chromium (4 CVEs)

Related to Home windows (non-Microsoft launch) (one CVE)