December 13, 2024 at 06:40AM
Microsoft has patched two critical vulnerabilities: one in Windows Defender (CVE-2024-49071) related to information disclosure, and another in the Update Catalog (CVE-2024-49147) involving privilege escalation. These issues have been fully mitigated, requiring no action from users. Transparency remains a priority for Microsoft with CVE identifiers.
**Meeting Takeaways: Microsoft Vulnerabilities Update**
1. **Vulnerabilities Patched**: Microsoft has patched two critical vulnerabilities in the Update Catalog and Windows Defender, announced on Thursday.
2. **Transparency with CVE Identifiers**:
– Both vulnerabilities have been assigned CVE identifiers for transparency purposes.
– Users do not need to take any action as the issues are fully mitigated.
3. **Details on Specific Vulnerabilities**:
– **Windows Defender (CVE-2024-49071)**:
– Rated as ‘critical’ but classified as medium-severity based on its CVSS score.
– Potential for information disclosure due to improper authorization in accessed sensitive information.
– **Update Catalog (CVE-2024-49147)**:
– Identified as a privilege escalation issue with critical severity based on its CVSS score.
– Allowed unauthorized attackers to elevate privileges through deserialization of untrusted data.
4. **Exploitation Status**: Microsoft confirmed there was no known malicious exploitation of these vulnerabilities prior to the patches, and details of the flaws have not been disclosed.
5. **Standard Practice**: Microsoft is now routinely informing customers about server-side vulnerabilities that do not require user action and is assigning CVE identifiers for cloud service vulnerabilities.
6. **Historical Context**: A recent advisory highlighted a previously exploited vulnerability (CVE-2024-49035) in the Partner Network before it was patched, underscoring the importance of timely updates.
7. **Industry Trends**: Google Cloud has also begun assigning CVE identifiers for critical vulnerabilities in its products, regardless of user action requirements.
8. **Related Updates**: Other recent Microsoft security updates were noted, including patches for the Power Platform and urgent updates for vulnerabilities like Windows CLFS zero-day and MFA bypass issues.
These points provide a summary of the current status of Microsoft’s security patches and their approach toward vulnerability transparency and customer notification.