November 28, 2024 at 06:07AM
Microsoft has patched vulnerabilities in several services, including Azure and Copilot Studio, with one flaw described as ‘exploited.’ The vulnerabilities, mostly related to privilege escalation, have been assigned CVE identifiers for transparency. Users don’t need to take action, as patching occurs automatically over several days.
### Meeting Takeaways on Microsoft Vulnerabilities
1. **Vulnerability Patches Announced**: Microsoft has patched vulnerabilities in several products including Azure, Copilot Studio, and Partner Network. No action is required from customers.
2. **CVE Identifiers and Severity Ratings**:
– Three vulnerabilities have been identified:
– **Azure (CVE-2024-49052)**: Missing authentication issue in Azure PolicyWatch (critical).
– **Copilot Studio (CVE-2024-49038)**: XSS vulnerability enabling unauthorized privilege escalation (critical).
– **Partner Network (CVE-2024-49035)**: Improper access control vulnerability allowing unauthorized privilege elevation (high severity).
3. **Exploitation Confirmed**: The Partner Network vulnerability has been marked as ‘exploited’ and confirmed by Microsoft, although there is limited public information available regarding this exploitation.
4. **Vulnerability Details**:
– **CVE-2024-49038 (Copilot Studio)**: Exploitable via improper input neutralization during web page generation.
– **CVE-2024-49052 (Azure)**: Allows privilege escalation due to missing authentication.
– **Dynamics 365 Sales**: Additional XSS vulnerability impacts web server; users may need to update mobile apps but this isn’t explicitly stated.
5. **Transparency Initiative**: Microsoft is assigning CVE identifiers to cloud service vulnerabilities for transparency, even when customer action is not required. Users can filter these in future advisories.
6. **Industry Trend**: Google Cloud has also adopted a similar approach to assigning CVE identifiers for critical vulnerabilities in its services.
7. **Bug Bounty Program**: The partner.microsoft.com domain is currently out of scope for Microsoft’s bug bounty programs.
This summary captures key points regarding the vulnerabilities and Microsoft’s actions for transparency and customer protection.