Microsoft has recently released its monthly security update, also known as Patch Tuesday, which aims to address 61 vulnerabilities across various software suites for Windows. Two critical fixes related to Windows Hyper-V vulnerabilities have been rated as the most crucial. These vulnerabilities could lead to DoS (denial of service) incidents or remote code execution. They have been identified as CVE-2024-21407 and CVE-2024-21408.
In addition, the update addresses 58 other critical issues and one low-severity issue. Among these fixes, 17 vulnerabilities have been resolved for the Chrome-based Microsoft Edge browser since the last Patch Tuesday monthly update in February 2024. Some of the critical vulnerabilities included in this update are CVE-2024-21400 (CVSS score of 9), CVE-2024-26170 (CVSS score of 7.8), and CVE-2024-21390 (CVSS score of 7.1).
While threat actors need a local presence on the user’s network, they can quickly gain access through malware or by installing malicious applications. Exploiting these vulnerabilities could allow an attacker to access the multi-factor authentication code for the victim’s account, modify or delete the account in the Authenticator authentication application, and cause a great deal of harm.
According to Satnam Narang, Senior Research Engineer at Tenable, these vulnerabilities significantly threaten user privacy and data security. Attackers can track keystrokes, steal data, and redirect users to malicious websites. A new vulnerability that allows attackers to access and steal multi-factor authentication codes can be used to log into sensitive accounts, steal data, take over accounts, and lock users out of their accounts.
Another vulnerability that needs attention is an escalation of privilege in Print Spooler (CVE-2024-21433 with a CVSS score of 7), which would grant an attacker system access and privileges.
Therefore, it is highly recommended that all Windows users update their systems immediately to protect their networks and systems from these vulnerabilities.