As a part of the Microsoft security update, the tech giant had released several fixes to address 90 critical security flaws. Reports claim that 10 of them have zero day vulnerabilities and 6 out of these 10 have fallen prey to threat actor attempts for exploitation. In this article, we’ll cover these fixes and the vulnerabilities and look at what cybersecurity experts have to say. Let’s begin!

Security Flaws And Vulnerabilities

As per recent reports the Microsoft security update contains fixes for 90 flaws. Out of the 90, nine have a critical severity score, eighty are rated as important, and just one is categorized as moderate.

It’s worth mentioning here that these flaws are not related to the 36 edge browser vulnerabilities that were resolved last month. The most recent Microsoft security update addresses six zero-day vulnerabilities.

The vulnerabilities, along with their critical vulnerability severity score (CVSS) and the details, are mentioned below:

Microsoft Security Update And CISA’s KEV

Although the Microsoft security update has addressed certain vulnerabilities, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four flaws to its Known Exploited Vulnerability (KEV) catalog. The flaws that are now publicly known include:

• CVE-2024-38200 – Microsoft Office Spoofing Vulnerability.
• CVE-2024-38199 – Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability.
• CVE-2024-21302 – Windows Secure Kernel Mode Elevation of Privilege Vulnerability.
• CVE-2024-38202 – Windows Update Stack Elevation of Privilege Vulnerability.

Providing insights pertaining to CVE-2024-38200, a flaw with a CVSS of 7.5, a researcher engineer at Tenable has stated that:

“An attacker could leverage this vulnerability by enticing a victim to access a specially crafted file, likely via a phishing email. Successful exploitation of the vulnerability could result in the victim exposing New Technology Lan Manager (NTLM) hashes to a remote attacker. NTLM hashes could be abused in NTLM relay or pass-the-hash attacks to further an attacker’s foothold into an organization.”

Although the Microsoft security update has addressed 90 critical flaws, two remain unpatched. These vulnerabilities include CVE-2024-38202 and CVE-2024-21302. Reports claim that if these vulnerabilities are exploited, they could allow threat actors to stage downgrade attacks.

It’s worth mentioning here that such attacks would be against the Windows update architecture. In addition, they could also replace the current operating system files with older versions.

Conclusion

Microsoft’s latest security update addresses 90 critical vulnerabilities, including six actively exploited zero-days. While many flaws have been patched, two remain unaddressed, posing potential risks. It’s crucial for organizations to apply these updates promptly to safeguard against emerging threats and maintain robust cybersecurity defenses.

In addition to applying patches, organizations must implement proactive protection mechanisms to lower risk exposure and ensure protection.

The sources for this piece include articles in The Hacker News and DARKREADING.

The post Microsoft Security Update: 90 Critical Vulnerabilities Fixed appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/microsoft-security-update-90-critical-vulnerabilities-fixed/