TechMicrosoft releases crucial security updates, focusing on .NET framework glitches and Hyper-V flaws

Microsoft releases crucial security updates, focusing on .NET framework glitches and Hyper-V flaws

A vulnerability linked to various versions of Visual Studio, .NET Framework, and the new versions of .NET 6, 7, and 8 can be found at CVE-2024-0057. This glitch can cause the certificate handling stack to incorrectly report the trust chain by applying a complicated set of erroneous X.509 requests. Exploiting this vulnerability is challenging, with Microsoft reporting that it isn't being exploited. Another .NET problem relates to SQL Server (ODBC driver) support; although significant, this isn't a consumer scenario.

The new Operating System Microsoft Windows 11 is available in France since October 5 , 2021 (Photo by Daniel Pier/NurPhoto via Getty Images)
The new Operating System Microsoft Windows 11 is available in France since October 5 , 2021 (Photo by Daniel Pier/NurPhoto via Getty Images)
Images source: © GETTY | NurPhoto

4:24 AM EST, January 10, 2024

Errors with Windows itself have also been rectified. The list begins with a faulty operation of Kerberos (CVE-2024-20674) and includes problem areas with Win32k (CVE-2024-20683) and the Internet Explorer engine (CVE-2024-20652). An ongoing process of identifying vulnerabilities in MSMQ is also taking place. The most technically captivating vulnerabilities are those with a lower price point (below CVSS 6) but concerning critical mechanisms.

Hyper-V

An example includes Hyper-V and virtualization. The vulnerabilities corrected in the January Hyper-V patch package are undisclosed flaws in the handling of virtual disks (CVE-2024-20658), as well as issues relating to denial of service (CVE-2024-20699), and privilege escalation and remote code execution from a virtual machine (CVE-2024-20700).

Another intriguing case involves the WSL and a vulnerability that allows a user to gain SYSTEM user privileges. The attack vector is local, which results in a CVSS rating of 7.8. However, it's worth noting that the WSL component is disabled by default.

libarchive

No sooner than integrating RAR support with Windows, it will already require patching and fixing. Two vulnerabilities in libarchive (CVE-2024-20696) allow code execution during the archive's decompression. Despite the local attack vector, Microsoft describes such an issue as "remote code execution" (RCE) due to the necessity for the malicious archive to come from an external source. The CVSS Framework does not account for such circumstances. Therefore, this vulnerability is described as local.

HVCI

The CVE-2024-21305 vulnerability bypasses the virtualization-based code integrity control (HVCI). This issue is somewhat theoretical as it requires running code as an administrator and exploits a glitch in a signed driver to gain access to the HVCI-protected area.

Contrarily, the BitLocker vulnerability is less theoretical. Physical access to the device allows BitLocker to be bypassed by exploiting the Windows recovery environment (WinRE). The WinRE WIM image has been unable to update automatically for many years. This has now changed, but only for the latest versions of Windows 10, 11, and Server 2022. Owing to numerous issues with BitLocker and UEFI, using the PIN+TPM combination in BitLocker is recommended.

The patch for Windows 11 is approximately 0.62 GB, while for Windows 10 it's slightly larger at 0.78 GB. For Windows Server 2008, in its final update, the download size is 0.22 GB. All updates are available in Windows Update.

Related content
© essanews.com
·

Downloading, reproduction, storage, or any other use of content available on this website—regardless of its nature and form of expression (in particular, but not limited to verbal, verbal-musical, musical, audiovisual, audio, textual, graphic, and the data and information contained therein, databases and the data contained therein) and its form (e.g., literary, journalistic, scientific, cartographic, computer programs, visual arts, photographic)—requires prior and explicit consent from Wirtualna Polska Media Spółka Akcyjna, headquartered in Warsaw, the owner of this website, regardless of the method of exploration and the technique used (manual or automated, including the use of machine learning or artificial intelligence programs). The above restriction does not apply solely to facilitate their search by internet search engines and uses within contractual relations or permitted use as specified by applicable law.Detailed information regarding this notice can be found  here.