Microsoft releases crucial security updates, focusing on .NET framework glitches and Hyper-V flaws
A vulnerability affecting various versions of Visual Studio, .NET Framework, and the newer .NET 6, 7, and 8 is tracked as CVE-2024-0057. The flaw can cause the certificate handling stack to report the trust chain incorrectly when it is given a complicated set of erroneous X.509 requests. Exploiting this vulnerability is difficult, and Microsoft reports that it is not being exploited. Another .NET problem relates to SQL Server (ODBC driver) support; although significant, it is not a consumer scenario.
4:24 AM EST, January 10, 2024
Bugs in Windows itself have also been fixed. The list begins with faulty behaviour in Kerberos (CVE-2024-20674) and includes problems in Win32k (CVE-2024-20683) and the Internet Explorer engine (CVE-2024-20652). Vulnerabilities in MSMQ also continue to be identified. The most technically interesting vulnerabilities are those with a lower score (below CVSS 6) that nevertheless concern critical mechanisms.
Hyper-V
One example is Hyper-V and virtualization. The vulnerabilities fixed in the January Hyper-V patch package are undisclosed flaws in the handling of virtual disks (CVE-2024-20658), as well as issues relating to denial of service (CVE-2024-20699), and privilege escalation and remote code execution from a virtual machine (CVE-2024-20700).
Another interesting case involves WSL and a vulnerability that allows a user to gain SYSTEM privileges. The attack vector is local, which results in a CVSS rating of 7.8. However, it's worth noting that the WSL component is disabled by default.
libarchive
RAR support has barely been integrated into Windows, and it already requires patching. Two vulnerabilities in libarchive (CVE-2024-20696) allow code execution during decompression of an archive. Despite the local attack vector, Microsoft describes such an issue as "remote code execution" (RCE) because the malicious archive has to come from an external source. The CVSS framework does not account for such circumstances, so the vulnerability is described as local.
HVCI
The CVE-2024-21305 vulnerability allows a bypass of the virtualization-based code integrity control (HVCI). This issue is somewhat theoretical, as it requires running code as an administrator and exploits a flaw in a signed driver to gain access to the HVCI-protected area.
By contrast, the BitLocker vulnerability is less theoretical. Physical access to the device allows BitLocker to be bypassed by exploiting the Windows Recovery Environment (WinRE). The WinRE WIM image has been unable to update automatically for many years. This has now changed, but only for the latest versions of Windows 10, 11, and Server 2022. Owing to numerous issues with BitLocker and UEFI, using the PIN+TPM combination in BitLocker is recommended.
The patch for Windows 11 is approximately 0.62 GB, while for Windows 10 it's slightly larger at 0.78 GB. For Windows Server 2008, in its final update, the download size is 0.22 GB. All updates are available in Windows Update.