Security News ZDI: The March 2024 Security Update Review

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,363
It’s the second Tuesday of the month, and Adobe and Microsoft have released a fresh crop of security updates. Take a break from your other activities and join us as we review the details of their latest advisories. If you’d rather watch the full video recap covering the entire release, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.
Adobe Patches for March 2024

For March, Adobe released six patches addressing 56 vulnerabilities in Adobe Experience Manager, Premiere Pro, ColdFusion, Adobe Bridge, Lightroom, and Adobe Animate. Two of these bugs were submitted through the ZDI Program. The largest is the update for Experience Manager, which addresses 44 CVEs. However, all but two of these are simple cross-site scripting (XSS) bugs. The fix for Adobe Animate corrects four CVEs. Only one of these CVEs is rated Critical and could lead to arbitrary code execution if a user opens a specially crafted file on an affected system. The other three bugs are all memory leaks resulting from Out-of-Bounds (OOB) Read bugs. The patch for Premiere Pro fixes two Critical-rated bugs that also require user interaction to gain code execution.

For those still running ColdFusion, there’s a single Critical-rated arbitrary file system read bug getting fixed. Adobe also recommends updating your ColdFusion JDK/JRE LTS version to the latest update release. The fix for Adobe Bridge addresses three Critical rated and one Important severity bug. The worst could lead to code execution when opening a specially crafted file. The final patch fixes a single code execution bug in Lightroom. Adobe also made the odd decision to stop tweeting when its patches become available and limiting communication to just email subscriptions. Let’s hope they reverse that decision as many people (myself included) rely on the twitter feed for notifications.

And with this release, anyone targeting Adobe Reader at next week’s Pwn2Own Vancouver event can breathe a sigh of relief. It seems your exploits won’t be patched before the event.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.
Microsoft Patches for March 2024

This month, Microsoft released 59 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and Visual Studio; SQL Server; Windows Hyper-V; Skype; Microsoft Components for Android; and Microsoft Dynamics. In addition to the new CVEs, multiple Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 64. One of these bugs was reported through the ZDI program.

Of the new patches released today, two are rated Critical, and 57 are rated Important in severity. This is a relatively low volume for March, especially considering this is the last patch cycle before the Pwn2Own contest next week. Vendors usually try to patch as much as possible knowing we update all targets to the latest release. Considering Microsoft has several targets in the contest, it’s interesting to see such a small release.

None of the CVEs released today are listed as publicly known or under active attack, but that could change. After the February release, Microsoft revised multiple updates to indicate they were being actively exploited. For now, nothing is listed as in the wild. I’ll update this blog should that change.
Looking Ahead

Be sure to look out for updates from Pwn2Own Vancouver, and if you’re at the CanSecWest conference, please stop by to say hello. I like it when people say hello. The next Patch Tuesday of 2024 will be on April 9, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
 

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,363
Microsoft March 2024 Patch Tuesday fixes 60 flaws, 18 RCE bugs
Today is Microsoft's March 2024 Patch Tuesday, and security updates have been released for 60 vulnerabilities, including eighteen remote code execution flaws.

This Patch Tuesday fixes only two critical vulnerabilities: Hyper-V remote code execution and denial of service flaws.

The number of bugs in each vulnerability category is listed below
  • 24 Elevation of Privilege Vulnerabilities
  • 3 Security Feature Bypass Vulnerabilities
  • 18 Remote Code Execution Vulnerabilities
  • 6 Information Disclosure Vulnerabilities
  • 6 Denial of Service Vulnerabilities
  • 2 Spoofing Vulnerabilities
The total count of 60 flaws does not include 4 Microsoft Edge flaws fixed on March 7th.

Furthermore, Microsoft did not disclose any zero-days as part of today's Patch Tuesday updates.

To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5035853 update and the Windows 10 KB5035845 update.

Flaws of interest​

This month's Patch Tuesday does not fix any zero-day vulnerabilities but does include some interesting flaws, which we have listed below.

CVE-2024-26199 - Microsoft Office Elevation of Privilege Vulnerability

Microsoft has fixed a Office vulnerability allowing any authenticated user to gain SYSTEM privileges.

"Any authenticated user could trigger this vulnerability. It does not require admin or other elevated privileges," explains Microsoft.

The flaw was discovered by Iván Almuiña from Hacking Corporation Sàrl.

CVE-2024-20671 - Microsoft Defender Security Feature Bypass Vulnerability

Microsoft has fixed a Microsoft Defender vulnerability that could

"An authenticated attacker who successfully exploited this vulnerability could prevent Microsoft Defender from starting," explains Microsoft.

However, this will be resolved by Windows Defender Antimalware Platform updates that are automatically installed on Windows devices.

This flaw is fixed in version 4.18.24010.12 of the Antimalware Platform.

Microsoft says that this flaw was discovered by Manuel Feifel with Infoguard (Vurex).

CVE-2024-21411 - Skype for Consumer Remote Code Execution Vulnerability

Microsoft has fixed a remote code execution vulnerability Skype for Consumer that can be triggered by a malicious link or image.

"An attacker could exploit the vulnerability by sending the user a malicious link or a malicious image via Instant Message and then convincing the user to click the link or image," explains Microsoft.

Microsoft says this flaw was discovered by Hector Peralta and Nicole Armua working with Trend Micro Zero Day Initiative.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top