59 CVEs primed for Microsoft’s March Patch Tuesday

On Tuesday Microsoft released 59 CVEs, including 41 for Windows. A remarkable 20 other product groups or tools are also affected. Of the CVEs addressed, just two are considered Critical in severity by Microsoft, both in Windows (specifically, in Hyper-V).

At patch time, none of the issues has been publicly disclosed, or is known to be under active exploit in the wild. Six of the important-severity vulnerabilities in Windows are by the company’s estimation more likely to be exploited in the next 30 days. Five of the issues addressed are amenable to detection by Sophos protections, and we include information on those in a table below.

In addition to these patches the release included advisory information on four patches related to the Edge browser; three of those CVEs were assigned by the Chrome team, not Microsoft. (More on Microsoft’s Edge patch, CVE-2024-26167, in a minute.) There is also one Important-severity issue, CVE-2023-28746, for which advisory information is given this month.

We don’t include advisories in the CVE counts and graphics below, but we provide information on all of them in an appendix at the end of the article. We are as usual including at the end of this post three other appendices listing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product family.

By the Numbers

• Total Microsoft CVEs (excluding Edge): 59
• Total Edge / Chrome issues covered in update: 4
• Total non-Microsoft CVEs covered in update: 1
• Publicly disclosed: 0
• Exploited: 0
• Severity
  • Critical: 2
  • Important: 57
• • Elevation of Privilege: 25
  • Remote Code Execution: 18
  • Denial of Service: 6
  • Information Disclosure: 5
  • Security Feature Bypass: 2
  • Spoofing: 2
  • Tampering: 1

Figure 1: And just like that, 2024 ties 2023’s entire output of tampering CVEs… at one. More on CVE-2024-26185 in a minute

Products

• Windows: 41 (including one shared with .NET and Visual Studio)
• Azure: 4 (including one shared with Log Analytics Agent, OMI, OMS, and SCOM)
• Visual Studio: 3 (including one shared with .NET and one shared with .NET and Windows)
• .NET: 2 (including one shared with Visual Studio and one shared with Visual Studio and Windows)
• OMI (Open Management Infrastructure): 2 (including one shared with Azure, Log Analytics Agent, OMS, and SCOM; and one shared with SCOM)
• SCOM (System Center Operations Manager): 2 (including one shared with Azure, Log Analytics Agent, OMI, and OMS; and one shared with OMI
• Authenticator: 1
• Defender: 1
• Dynamics 365: 1
• Exchange: 1
• Intune: 1
• Log Analytics Agent: 1 (shared with Azure, OMI, OMS, and SCOM)
• Office (365 on-premises): 1
• OMS (Operations Management Suite Agent for Linux): 1 (shared with Azure, OMI, and SCOM)
• Outlook: 1
• SharePoint: 1
• Skype: 1
• SONiC (Software for Open Networking in the Cloud): 1
• SQL: 1
• Teams: 1

Figure 2: There’s something for everyone, as twenty tools or product groups are touched by the March Patch Tuesday angel

Notable March updates

In addition to the issues discussed above, a few specific items merit attention.

CVE-2024-26185

Windows Compressed Folder Tampering Vulnerability

One of the six issues Microsoft believes more likely to be exploited in the next 30 days, this vulnerability affects the ubiquitous 7zip. Minimal user interaction is required, most likely via email (in which the attacker sends a specially crafted file and convinces the user to open it) or via the web. This patch applies only to Win11 22H2 and Win11 23H2.

CVE-2024-21334

Open Management Infrastructure (OMI) Remote Code Execution Vulnerability

Sporting the month’s highest CVSS score (9.8 base) and yet not likely to be exploited in the next 30 days as judged by Microsoft, this RCE applies to not just OMI but to SCOM (System Center Operations Manager) 2019 and 2022 as well. If exploited, a unauthenticated remote attacker could access the OMI instance via the internet and send specially crafted requests to trigger a use-after-free vulnerability. (If patching’s not an immediate option, Linux machines that don’t need network listening can disable their incoming OMI ports by way of mitigation.)

CVE-2024-21421

Azure SDK Spoofing Vulnerability

Check the date of your last deployment: Was it prior to October 19, 2023? If so, you’ll need to manually update to Azure Core Build 1.29.5 or higher. (For convenience, Azure SDK’s GitHub is available here.) Those with deployments after that date already received the fix automatically.

CVE-2024-21448

Microsoft Teams for Android Information Disclosure

There are a number of Android-related patches this month – Intune, Outlook, the Edge patch we’ll discuss below – but only this one, an important-severity Teams issue, will require a trip to the Play Store. Exploitation would allow the attacker to read files from the private directory of the application.

CVE-2024-26167

Microsoft Edge for Android Spoofing Vulnerability

As an Edge vulnerability, this one arrives with scant information from Microsoft, which in the post-IE era mainly takes its browser updates outside the Patch Tuesday cycle. As an Android vulnerability, it may well be that Android users will take this update from other sources. What’s clear from Microsoft is that whatever it is and whoever’s patching it, the patch is not yet available, and that those concerned should keep an eye on the publicly posted CVE information for updates. Fortunately, with a 4.3 CVSS base score, this mystery may well be a tempest in a teapot.

Figure 3: March continues the trend so far in 2024 of lighter-than-usual patch loads. So far in 2024 there have been 179 patches released in the normal second-Tuesday cadence, compared with 246 in 2023, 225 in 2022, 228 in 2021, and 266 in 2020

Sophos protections

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.

Appendix A: Vulnerability Impact and Severity

This is a list of March patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.

Elevation of Privilege (25 CVEs)

Remote Code Execution (18 CVEs)

Denial of Service (6 CVEs)

information Disclosure (5 CVEs)

Security Feature Bypass (2 CVEs)

Spoofing (2 CVEs)

Tampering (1 CVE)

Appendix B: Exploitability

This is a list of the March CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release. The list is arranged by CVE.

Appendix C: Products Affected

This is a list of March’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE. Patches that are shared among multiple product families are listed multiple times, once for each product family.

Windows (41 CVEs)

Azure (4 CVEs)

Visual Studio (3 CVEs)

.NET (2 CVEs)

OMI (2 CVEs)

SCOM (2 CVEs)

Authenticator (1 CVE)

Defender (1 CVE)

Dynamics 365 (1 CVE)

Exchange (1 CVE)

Intune (1 CVE)

Law Analytics Agent (1 CVE)

Office (1 CVE)

OMS (1 CVE)

Outlook (1 CVE)

SharePoint (1 CVE)

Skype (1 CVE)

SONiC (1 CVE)

SQL (1 CVE)

Teams for Android (1 CVE)

Appendix D: Advisories and Other Products

This is a list of advisories and information on other relevant CVEs in the March Microsoft release, sorted by product.

Relevant to Edge / Chromium (4 CVEs)

Relevant to Windows (non-Microsoft release) (one CVE)