Father
Professional
- Messages
- 2,602
- Reaction score
- 837
- Points
- 113
Microsoft has outdone itself by actively patching holes in Windows, Office, Azure, and other products.
In the latest security update, Patch Tuesday, Microsoft announced a record number of fixes: 149 vulnerabilities were fixed in products such as Windows, Office, Azure .NET Framework, Visual Studio, SQL Server, DNS Server, Windows Defender, Bitlocker и Windows Seсure Boot.
This is the company's biggest patch release since 2017, says Dustin Childs of the Zero Day Initiative (ZDI). At the same time, only three of the vulnerabilities discovered in April received the highest risk rating, when only two were exploited as zero-day vulnerabilities before the patch was released.
Particular attention was drawn to the vulnerability in Outlook for Windows-CVE-2024-20670 (CVSS: 8.1), which allows you to capture a user's password through a fraudulent link in an email.
In addition, hard-coded credentials were found in Azure, the vulnerability ID CVE-2024-29063 (CVSS: 7.3). This raises security concerns in the context of recent attacks on artificial intelligence.
In turn, CVE-2024-29988 (CVSS: 8.8) demonstrates the ability to bypass Windows SmartScreen, which has already been used by attackers in real attacks. The same fate also affected CVE-2024-26234 (CVSS: 6.7), which is a vulnerability for spoofing the proxy driver, which was also exploited by hackers before the fix.
Overall, the release is notable for eliminating 68 remote code execution (RCE) errors, 31 privilege escalation errors, 26 security bypass errors, and 6 denial-of-service (DoS) errors. Interestingly, 24 out of 26 security bypass errors are related to the Secure Boot function.
Microsoft's monthly security updates emphasize the importance of constant attention to software vulnerabilities, especially in the critical infrastructure and technologies that our daily lives depend on.
Although most of the identified vulnerabilities were quickly fixed, they demonstrate the vulnerability of our systems to inventive cybercriminals. All of this should encourage software manufacturers, security experts, and end users to take an even more vigilant and coordinated approach to cybersecurity.
In the latest security update, Patch Tuesday, Microsoft announced a record number of fixes: 149 vulnerabilities were fixed in products such as Windows, Office, Azure .NET Framework, Visual Studio, SQL Server, DNS Server, Windows Defender, Bitlocker и Windows Seсure Boot.
This is the company's biggest patch release since 2017, says Dustin Childs of the Zero Day Initiative (ZDI). At the same time, only three of the vulnerabilities discovered in April received the highest risk rating, when only two were exploited as zero-day vulnerabilities before the patch was released.
Particular attention was drawn to the vulnerability in Outlook for Windows-CVE-2024-20670 (CVSS: 8.1), which allows you to capture a user's password through a fraudulent link in an email.
In addition, hard-coded credentials were found in Azure, the vulnerability ID CVE-2024-29063 (CVSS: 7.3). This raises security concerns in the context of recent attacks on artificial intelligence.
In turn, CVE-2024-29988 (CVSS: 8.8) demonstrates the ability to bypass Windows SmartScreen, which has already been used by attackers in real attacks. The same fate also affected CVE-2024-26234 (CVSS: 6.7), which is a vulnerability for spoofing the proxy driver, which was also exploited by hackers before the fix.
Overall, the release is notable for eliminating 68 remote code execution (RCE) errors, 31 privilege escalation errors, 26 security bypass errors, and 6 denial-of-service (DoS) errors. Interestingly, 24 out of 26 security bypass errors are related to the Secure Boot function.
Microsoft's monthly security updates emphasize the importance of constant attention to software vulnerabilities, especially in the critical infrastructure and technologies that our daily lives depend on.
Although most of the identified vulnerabilities were quickly fixed, they demonstrate the vulnerability of our systems to inventive cybercriminals. All of this should encourage software manufacturers, security experts, and end users to take an even more vigilant and coordinated approach to cybersecurity.
