The March 2024 Patch Tuesday update includes patches for 61 Microsoft vulnerabilities.
Only two of the vulnerabilities are rated critical and both of these are found in Windows Hyper-V. Hyper-V is a hardware virtualization product that allows you to run multiple operating systems as virtual machines on Windows.
A virtual machine is a computer program that emulates a physical computer.
The physical resources of the host are allocated to the VMs by a software layer called the hypervisor, which acts as an intermediary between the host and guests.
The Common Vulnerabilities and Exposures database lists publicly disclosed computer security flaws.
CVE-2024-21407 is a Windows Hyper-V Remote Code Execution vulnerability with a CVSS score of 8.1 out of 10.
Microsoft says exploitation is less likely, since this vulnerability would require an authenticated attacker on a guest to send specially crafted file operation requests to hardware resources on the VM, which could result in remote code execution on the host server.
CVE-2024-21408 is a Windows Hyper-V Denial of Service vulnerability with a CVSS score of 5.5 out of 10.
Microsoft did not provide any additional details on how this DoS could occur.
The attention for Hyper-V is remarkable since only a week earlier, VMware released security updates to fix critical sandbox escape vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation.
Another vulnerability worth mentioning is CVE-2024-21334, which has a CVSS score of 9.8 out of 10.
SCOM is a set of tools in Microsoft's System Center for infrastructure monitoring and application performance management.
A remote, unauthenticated attacker could exploit this vulnerability by accessing the OMI instance from the internet and sending specially crafted requests to trigger a use-after-free vulnerability.
OMI is an open source technology for environment management software products for Linux and Unix-based systems.
Use-after-free vulnerabilities are the result of the incorrect use of dynamic memory during a program's operation.
If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can exploit the error to manipulate the program.
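The mitigation implied above, clearing the reference when memory is freed, is shown here as an added example that is not code from OMI or from the original article. The `request_t` type and the `req_*` functions are hypothetical; the generation counter goes one step beyond the text so that copies of a reference also go stale after the free.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical request context, constructed for this example. */
typedef struct { char op[16]; } request_t;

#define SLOTS 4
static struct { request_t *req; uint32_t gen; } table[SLOTS];

/* Callers hold a handle (slot + generation), never the raw pointer. */
typedef struct { uint32_t slot, gen; } handle_t;

/* Allocate a request in the first empty slot and hand back a handle. */
int req_open(const char *op, handle_t *out) {
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (table[i].req == NULL) {
            request_t *r = calloc(1, sizeof *r);
            if (!r) return -1;
            strncpy(r->op, op, sizeof r->op - 1); /* calloc keeps the NUL */
            table[i].req = r;
            out->slot = i;
            out->gen = table[i].gen;
            return 0;
        }
    }
    return -1; /* table full */
}

/* Resolve a handle; stale or out-of-range handles yield NULL. */
request_t *req_get(handle_t h) {
    if (h.slot >= SLOTS || table[h.slot].gen != h.gen) return NULL;
    return table[h.slot].req;
}

/* Free the request, clear the stored pointer, and bump the generation
 * so every outstanding copy of the handle stops resolving. */
int req_close(handle_t h) {
    request_t *r = req_get(h);
    if (!r) return -1;           /* second close is rejected, no double free */
    free(r);
    table[h.slot].req = NULL;    /* the step the text says is missing */
    table[h.slot].gen++;
    return 0;
}
```
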
Other vendors have synchronized their periodic updates with Microsoft.
The Android Security Bulletin for February contains details of security vulnerabilities for patch level 2024-03-05 or later.
Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities.
This Cyber News was published on www.malwarebytes.com. Publication date: Wed, 13 Mar 2024 16:13:05 +0000