Microsoft Fixes AI, Cloud, and ERP Security Flaws; One Exploited in Active Attacks

November 29, 2024 at 05:33AM

Microsoft addressed four security vulnerabilities across its AI, cloud, ERP, and Partner Center offerings, including a privilege escalation flaw in partner.microsoft.com (CVE-2024-49035) that was exploited in the wild before it was fixed. The other three are a cross-site scripting bug in Copilot Studio, a missing-authentication issue in Azure PolicyWatch, and a spoofing bug in Dynamics 365 Sales. Most have been mitigated on Microsoft's side; the one customer action is to update the Dynamics 365 Sales mobile apps.

### Meeting Takeaways – November 29, 2024

**Topic:** AI Security / Cloud Security

1. **Addressed Vulnerabilities:** Microsoft has resolved four key security vulnerabilities affecting its AI, cloud, ERP, and Partner Center platforms.

2. **Critical Vulnerability:**
– **CVE-2024-49035 (CVSS Score: 8.7)**: A privilege escalation flaw in partner.microsoft.com that allows an unauthenticated attacker to elevate privileges over a network. Microsoft reports that it has been exploited in the wild.

3. **Researcher Acknowledgment:** Microsoft credited Gautam Peri, Apoorv Wadhwa, and an anonymous researcher for identifying the vulnerabilities.

4. **Additional Vulnerabilities:**
– **CVE-2024-49038 (CVSS Score: 9.3)**: Cross-site scripting vulnerability in Copilot Studio.
– **CVE-2024-49052 (CVSS Score: 8.2)**: Missing authentication for a critical function in Microsoft Azure PolicyWatch.
– **CVE-2024-49053 (CVSS Score: 7.6)**: Spoofing vulnerability in Microsoft Dynamics 365 Sales.

5. **Mitigation and Updates:**
– Most of the vulnerabilities are service-side and have already been fully mitigated by Microsoft (the summary attributes this to Microsoft Power Apps updates), so no customer action is needed for them.
– CVE-2024-49053 is the exception: users of the Dynamics 365 Sales apps for Android and iOS must update to version 3.24104.15 or later.

6. **No User Action Required:** Apart from the Dynamics 365 Sales mobile app update, users do not need to take any action for these vulnerabilities.
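Because the only customer-side fix is a minimum mobile app version, the practical check is an inventory sweep: which managed devices still run a Dynamics 365 Sales build older than 3.24104.15. The script below is an added example, not code from the article or from Microsoft. It assumes an MDM export already flattened into rows with `device`, `platform`, `app`, and `version` fields (the field names and the app label are assumptions), and the inventory rows are constructed for illustration. The point it makes beyond the text is that version strings must be compared segment by segment as integers, since a plain string comparison would rank "3.9.1" above "3.24104.15".

```python
from typing import Iterable

# Minimum fixed build named in Microsoft's guidance for CVE-2024-49053
# (Dynamics 365 Sales apps for Android and iOS).
MIN_FIXED_VERSION = "3.24104.15"

# App label as it might appear in an MDM export; an assumption for this example.
APP_LABEL = "Dynamics 365 Sales"

# Constructed sample inventory (not real data) with both patched and unpatched devices.
SAMPLE_INVENTORY = [
    {"device": "android-01", "platform": "Android", "app": APP_LABEL, "version": "3.24104.15"},
    {"device": "ios-02", "platform": "iOS", "app": APP_LABEL, "version": "3.24103.9"},
    {"device": "ios-03", "platform": "iOS", "app": APP_LABEL, "version": "3.9.1"},
    {"device": "android-04", "platform": "Android", "app": "Outlook", "version": "4.2.0"},
    {"device": "android-05", "platform": "Android", "app": APP_LABEL, "version": "3.24105.0"},
]


def parse_version(v: str) -> tuple[int, ...]:
    """Split a dotted version into integers so it compares numerically.

    Each segment keeps only its leading digits, so a build suffix such as
    "15-beta" still parses as 15 instead of raising.
    """
    parts = []
    for seg in v.strip().split("."):
        digits = ""
        for ch in seg:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_fixed(installed: str, minimum: str = MIN_FIXED_VERSION) -> bool:
    """True if the installed version is at or above the minimum fixed build."""
    a, b = parse_version(installed), parse_version(minimum)
    # Pad the shorter tuple with zeros so "3.24104" compares as "3.24104.0".
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def devices_needing_update(inventory: Iterable[dict], app: str = APP_LABEL) -> list[str]:
    """Return the sorted device IDs whose Dynamics 365 Sales app is below the fix."""
    return sorted(
        row["device"]
        for row in inventory
        if row.get("app") == app and not is_fixed(row.get("version", "0"))
    )


if __name__ == "__main__":
    for device in devices_needing_update(SAMPLE_INVENTORY):
        print(f"{device}: update {APP_LABEL} to {MIN_FIXED_VERSION} or later")
```

Rows for other apps are ignored, and a missing version field is treated as unpatched rather than silently skipped, which is the conservative choice for a compliance sweep.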

**Next Steps:**
– Confirm that the Dynamics 365 Sales apps on managed Android and iOS devices are at version 3.24104.15 or later; this is the only fix that requires customer action.
– Because CVE-2024-49035 was exploited before it was fixed, organizations that use Partner Center should review their partner accounts and role assignments for unexpected changes.
