On March 12, 2024, Microsoft released security updates for Windows clients and servers, for Office and for other products. The security updates close a number of vulnerabilities (CVEs) in these products; this time none of them is a 0-day that is already being exploited. Below is a compact overview of the updates that were released on Patchday.
Notes on the updates
A list of the updates can be found on this Microsoft page. Details on the update packages for Windows, Office etc. are available in separate blog posts.
Windows 10/11, Windows Server
All Windows 10/11 updates (as well as the updates of their server counterparts) are cumulative: the monthly Patchday update contains all security fixes for the respective Windows version plus all non-security fixes released up to that Patchday. So besides the patches for the vulnerabilities, the update also brings bug fixes and, where applicable, new features. A machine that missed earlier months is fully caught up by installing the current cumulative update.
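Because the update is cumulative, a practical check is not "which KBs are missing" but "is this month's cumulative update installed, and if not, did the install fail". The following PowerShell is an added example and not code from the original post: it reads the installed build (CurrentBuildNumber.UBR), asks Get-HotFix for the KB, and then walks the Windows Update history, which also records failed attempts that Get-HotFix never shows. KB5035849 (Windows 10 1809 / Server 2019, March 12, 2024) is the only KB taken from this post; pass the KB number of your own Windows version.

```powershell
# Added example (not from the original post). Verifies that a cumulative update
# is installed and shows how Windows Update recorded its installation attempts.
function Test-PatchdayUpdate {
    param([Parameter(Mandatory)][string]$Kb)

    # Installed build: CurrentBuildNumber.UBR changes with every cumulative update,
    # so this is the value to compare with the build quoted in the KB article.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR

    # Get-HotFix lists the LCU only once it is installed (and the reboot is done).
    $hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue

    # The Windows Update history also keeps failed attempts.
    # ResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed, 5 = aborted.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    $attempts = @()
    if ($total -gt 0) {
        $attempts = $searcher.QueryHistory(0, $total) |
            Where-Object { $_.Title -like "*$Kb*" } |
            ForEach-Object {
                $h = $_
                $result = switch ($h.ResultCode) {
                    2 { 'Succeeded' } 3 { 'SucceededWithErrors' }
                    4 { 'Failed' }    5 { 'Aborted' }
                    default { 'Unknown' }
                }
                [pscustomobject]@{
                    Date    = $h.Date
                    Result  = $result
                    # HResult is a signed Int32; X8 prints it in the familiar
                    # 0x-style form (e.g. 0xD0000034 for the failure mentioned below).
                    HResult = '0x{0:X8}' -f $h.HResult
                    Title   = $h.Title
                }
            }
    }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Build       = $build
        KB          = $Kb
        Installed   = [bool]$hotfix
        InstalledOn = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        Attempts    = $attempts
    }
}

# Usage: run in an elevated PowerShell session on the machine being checked.
$r = Test-PatchdayUpdate -Kb 'KB5035849'
$r | Format-List Computer, Build, KB, Installed, InstalledOn
$r.Attempts | Format-Table Date, Result, HResult, Title -AutoSize
```

If Installed is false but the history shows a Failed entry, the HResult is the value to search for in the KB article's known-issues section; a missing history entry usually means the update was never offered (WSUS approval, deferral policy or a superseded scan source).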
Windows Server 2012 R2
Windows Server 2012/R2 received regular security updates until October 2023. Since then an ESU license has been required to obtain further security updates (Windows Server 2012/R2 gets Extended Security Updates (ESU) until October 2026); without it, the March 2024 fixes are not delivered to these systems.
Fixed vulnerabilities
Tenable has this blog post with an overview of the 52 vulnerabilities that have been fixed (no 0-day this time). Here are some of the most noteworthy vulnerabilities that have been fixed:
- CVE-2024-21334: Open Management Infrastructure (OMI) Remote Code Execution vulnerability, CVSSv3 score 9.8, important; a remote, unauthenticated attacker could send a specially crafted request to trigger a use-after-free and execute code on the OMI host. OMI received a second patch this month (CVE-2024-21330) that fixes an EoP vulnerability.
- CVE-2024-21407: Windows Hyper-V Remote Code Execution vulnerability, CVSSv3 score 8.1, critical; an attacker must be authenticated (on a guest) and first gather information about the target environment to plan the attack. Attack complexity is high, but successful exploitation leads to code execution on the Hyper-V host.
- CVE-2024-21433: Windows Print Spooler Elevation of Privilege vulnerability, CVSSv3 score 7.0, important; classified as "Exploitation More Likely". Exploitation requires the attacker to win a race condition; success grants SYSTEM privileges.
- CVE-2024-21443, CVE-2024-26173, CVE-2024-26176, CVE-2024-26178, CVE-2024-26182: Windows Kernel Elevation of Privilege vulnerabilities, CVSSv3 score 7.8 (CVE-2024-21443: 7.3), important; CVE-2024-26182 is the only one of these Windows Kernel EoP vulnerabilities classified as "Exploitation More Likely". Successful exploitation of any of them gives the attacker SYSTEM privileges.
- CVE-2024-21441, CVE-2024-21444, CVE-2024-21450, CVE-2024-26161, CVE-2024-26166: Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution vulnerabilities, CVSSv3 score 8.8, important; an authenticated user must be tricked into connecting to a malicious SQL server. Once the connection is established, the server sends specially crafted responses to the client, which trigger the vulnerability and allow arbitrary code execution on the client.
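The entries above fall into classes with very different exposure: the Print Spooler bug only matters where the service is running, the Hyper-V bug only on hosts, and the kernel bugs everywhere. The PowerShell below is an added example (not code from the original post or from Tenable) that collects exactly those local facts for a triage list; it does not decide whether a CVE applies, that still needs the build/KB check. The service names Spooler and vmms are the standard ones; the WDAC OLE DB provider is part of Windows itself, so nothing beyond the build number is recorded for it.

```powershell
# Added example (not from the original post). Local exposure triage for the
# vulnerability classes highlighted in the March 2024 summary.
function Get-PatchdayExposure {
    $report = [ordered]@{ Computer = $env:COMPUTERNAME }

    # Windows Kernel EoPs (CVE-2024-26182 and friends) apply to every machine;
    # record the build so it can be matched against the KB for this Windows version.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $report['Build'] = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR

    # Print Spooler EoP (CVE-2024-21433): the attack surface exists only while the
    # service runs. On servers that do not print, a disabled Spooler is the usual
    # hardening regardless of patch state.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $report['Spooler'] = if ($spooler) {
        '{0} (StartType={1})' -f $spooler.Status, $spooler.StartType
    } else { 'not installed' }
    $report['SpoolerNeedsAttention'] = [bool]($spooler -and $spooler.Status -eq 'Running')

    # Hyper-V RCE (CVE-2024-21407) affects hosts: the Virtual Machine Management
    # service (vmms) is present only where the Hyper-V role/feature is installed.
    $vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
    $report['HyperVHost'] = [bool]$vmms
    if ($vmms) {
        # A host with running VMs is the real target of the guest-to-host attack.
        $vms = Get-VM -ErrorAction SilentlyContinue | Where-Object State -eq 'Running'
        $report['RunningVMs'] = @($vms).Count
    }

    [pscustomobject]$report
}

# Usage: elevated PowerShell; pipe into Export-Csv for a fleet-wide list.
Get-PatchdayExposure | Format-List
```

Get-VM comes from the Hyper-V PowerShell module and only exists on hosts where that module is installed, hence the SilentlyContinue; on everything else the block is skipped.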
A list of all covered CVEs can be found on this Microsoft page, excerpts are available at Tenable. Below is the list of patched products:
- .NET
- Azure Data Studio
- Azure SDK
- Microsoft Authenticator
- Microsoft Azure Kubernetes Service
- Microsoft Dynamics
- Microsoft Edge for Android
- Microsoft Exchange Server
- Microsoft Graphics Component
- Microsoft Intune
- Microsoft Office
- Microsoft Office SharePoint
- Microsoft QUIC
- Microsoft Teams for Android
- Microsoft WDAC ODBC Driver
- Microsoft WDAC OLE DB provider for SQL
- Microsoft Windows SCSI Class System File
- Open Management Infrastructure
- Outlook for Android
- Role: Windows Hyper-V
- Skype for Consumer
- Software for Open Networking in the Cloud (SONiC)
- SQL Server
- Visual Studio Code
- Windows AllJoyn API
- Windows Cloud Files Mini Filter Driver
- Windows Composite Image File System
- Windows Compressed Folder
- Windows Defender
- Windows Error Reporting
- Windows Hypervisor-Protected Code Integrity
- Windows Installer
- Windows Kerberos
- Windows Kernel
- Windows NTFS
- Windows ODBC Driver
- Windows OLE
- Windows Print Spooler Components
- Windows Standards-Based Storage Management Service
- Windows Telephony Server
- Windows Update Stack
- Windows USB Hub Driver
- Windows USB Print Driver
- Windows USB Serial Driver
Similar articles:
Office Updates March 5, 2024
Microsoft Security Update Summary (March 12, 2024)
Patchday: Windows 10-Updates (March 12, 2024)
Patchday: Windows 11/Server 2022-Updates (March 12, 2024)
Windows Server 2012 / R2 and Windows 7 (March 12, 2024)
Microsoft Office Updates (March 12, 2024)
Windows 10/Server 2019: Update KB5035849 fails with error 0xd0000034