Microsoft just patched a slew of major security flaws, including two critical ones, so update now

The March 2024 edition of Microsoft’s Patch Tuesday is just around the corner, fixing dozens of vulnerabilities, including two critical issues that could lead to remote code execution (RCE) and escalation of privilege.

In its advisory, Microsoft announced it was addressing 61 CVEs, in addition to the 17 Edge flaws that had been fixed a few weeks earlier. Of these 61 vulnerabilities, two are classified as critical, 58 as important and one as low. The company said the flaws were not publicly known or actively exploited.

However, six of them were marked as ‘more likely to be exploited’, likely suggesting that they were relatively easy to discover and exploit, and that it was only a matter of time before a threat actor found them.

Fixed Hyper-V errors

That being said, the two critical vulnerabilities are being tracked as CVE-2024-21334 and CVE-2024-21400. The first has a severity score of 9.8 and is described as an Open Management Infrastructure (OMI) remote code execution vulnerability. The latter, on the other hand, has a severity score of 9.0 and is described as an Azure Kubernetes Service Confidential Container Elevation of Privilege vulnerability.

In addition to these two, other mentions of note include CVE-2024-21407 and CVE-2024-21408, two flaws that affect Hyper-V and allow threat actors to perform not only RCE but also Denial-of-Service (DoS) attacks.

This month’s Patch Tuesday also fixes a number of vulnerabilities discovered in third-party products such as Adobe, AMD, Citrix, Chrome, NVIDIA, and many others. The full list of vulnerabilities fixed this month can be found at this link.

Every second Tuesday of the month, Microsoft releases cumulative updates, addressing as many vulnerabilities as possible (apart from critical updates that are released as they become available, and are usually known as out-of-band patches). This is a long-standing practice in the IT industry that was picked up by many companies, including Adobe and Oracle, and formalized by Microsoft in late 2003.
