Both affect the Windows Hyper-V virtualization technology: CVE-2024-21407, a remote code execution bug; and CVE-2024-21408, which is a denial-of-service vulnerability.
The update includes fixes for a total of 18 RCE flaws and two dozen elevation-of-privilege vulnerabilities, some of which allow threat actors to gain administrative control of affected systems.
Critical RCE, DoS Hyper-V Vulnerabilities
The RCE bug in Hyper-V gives attackers a way to take complete control of affected systems and potentially compromise virtual machines housed on the Hyper-V server, says Sarah Jones, cyber threat intelligence research analyst at Critical Start.
The DoS vulnerability allows an adversary to crash the Hyper-V service, rendering it unusable.
A Flurry of Microsoft Privilege-Escalation Bugs
Microsoft identified six of the vulnerabilities it disclosed this week as flaws that threat actors are more likely to exploit in future.
Most of these were elevation-of-privilege vulnerabilities.
Satnam Narang, senior staff researcher at Tenable, described the privilege-escalation flaws as likely to be of more interest in a post-exploit scenario to advanced persistent threat actors, rather than for ransomware groups and other financially motivated actors.
In an emailed comment, Ben McCarthy, lead cybersecurity engineer at Immersive Labs, pointed to the Windows Kernel elevation-of-privilege vulnerability as something an attacker would be able to exploit only if they had already gained access to an affected system.
The bug would allow an attacker to gain complete system-level privileges.
Saeed Abbasi, manager of vulnerability research at Qualys' threat research unit, identified the bug as one that should be high on the patch priority list because of that score.
While Microsoft considers exploitation less likely, the simplicity of the attack vector - a use-after-free bug - against a critical component suggests that the threat level should not be underestimated, he cautions.
In the past, bugs such as the OMIGOD set of OMI vulnerabilities in 2021 have been of high interest to attackers.
He also pointed to an elevation-of-privilege bug in Microsoft Authenticator as something that administrators should pay attention to.
Overall, for administrators used to dealing with large Microsoft patch volumes, the past three months have been something of a break from the usual.
This is the second straight month that Microsoft has not disclosed a zero-day bug in its monthly security update.
In the first quarter of the year, Microsoft has issued patches for a total of 181 CVEs, substantially lower than its first-quarter average of 237 patches across each of the previous four years, Tenable's Narang noted.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 12 Mar 2024 22:10:18 +0000