Microsoft patches several critical vulnerabilities out of band

Microsoft has closed security vulnerabilities in several products. Some of the updates have to be installed by users themselves.

Computer displays Windows logo, servers around it are on fire, fuming viruses attack everything

Updates are available.

(Image: Bild erstellt mit KI in Bing Designer durch heise online / dmk)


Microsoft published four security advisories on Wednesday night. Some of them address critical vulnerabilities for which Microsoft's developers are providing fixes. Some of these have to be installed by users themselves; others Microsoft has already rolled out server-side in its cloud services.

One critical vulnerability affects Microsoft's Copilot Studio. It allowed attackers to elevate their privileges (CVE-2024-49038, CVSS 9.3, risk "critical"). The cause is insufficient neutralization of user input during web page generation, which Microsoft classifies as cross-site scripting. It allows unauthorized attackers on the network to elevate their privileges. Customers do not need to take any action; Microsoft has fixed the problem in the service itself.

A vulnerability in the "partner.microsoft.com" offering is already being exploited, Microsoft states in the vulnerability entry. Attackers on the network can elevate their privileges without prior authentication, because access controls were not implemented correctly (CVE-2024-49035, CVSS 8.7, high). Specifically, the problem lies in the online version of Microsoft Power Apps. Despite the CVSS rating, Microsoft classifies the vulnerability as critical. Here, too, customers do not need to do anything further; Microsoft has resolved the problem on the server side.


In Microsoft Azure PolicyWatch, attackers on the network were able to elevate their privileges without authorization, because an unspecified critical function simply lacked authentication (CVE-2024-49052, CVSS 8.2, high). Microsoft's developers also classify the risk as critical in this case. Again, customers do not have to do anything; Microsoft applies the corrections on the server side.

The fourth vulnerability affects Microsoft's Dynamics 365 Sales business software and can be abused for spoofing. The FAQ in Microsoft's security advisory explains that authenticated attackers can foist manipulated links on victims, for example to redirect them to malicious websites. The vulnerability lies on the web server, but the malicious script runs in the victim's browser, on the victim's machine. Accordingly, the summary also states that insufficient neutralization of user input during web page generation can be abused for cross-site scripting (CVE-2024-49053, CVSS 7.6, high). The Dynamics 365 Sales for iOS and Dynamics 365 Sales for Android apps are no longer vulnerable as of version 3.24104.15; users should check the app stores of their smartphone operating systems for updates if necessary.
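Two of the four advisories (Copilot Studio and Dynamics 365 Sales) describe the same weakness class: user input that is neutralized insufficiently while a page is generated, so that it ends up in the page as markup, plus, in the Dynamics case, manipulated links that send victims elsewhere. The following is an added illustration of that class in generic form; it is not code from Microsoft or from the affected products, and the page template, the field name and the allow-listed hosts are constructed for the example.

```javascript
// Added example: generic illustration of "insufficient neutralization of user
// input during web page generation" (the XSS class named in the advisories) and
// of link spoofing. Not Microsoft code; names and hosts below are constructed.

// Encode the five characters that change meaning in HTML text and attributes.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: a user-controlled value is concatenated into the page as
// markup. A display name such as <img src=x onerror=...> becomes live HTML that
// runs in every visitor's browser, even though the bug sits on the server.
function renderNameUnsafe(displayName) {
  return `<p>Welcome back, ${displayName}</p>`;
}

// Hardened pattern: same output shape, but the untrusted value is encoded first,
// so the browser renders it as text rather than parsing it as markup.
function renderNameSafe(displayName) {
  return `<p>Welcome back, ${escapeHtml(displayName)}</p>`;
}

// Link spoofing: a link an authenticated user may store must not be allowed to
// point at an attacker's site or at a javascript: URL. Resolve it against the
// application's own origin and accept only https links to allow-listed hosts.
const ALLOWED_HOSTS = new Set(["example.com", "www.example.com"]); // constructed

function safeLinkHref(candidate) {
  let url;
  try {
    url = new URL(candidate, "https://example.com/"); // relative links stay on-site
  } catch {
    return "#"; // unparseable input: neutralize the link entirely
  }
  if (url.protocol !== "https:" || !ALLOWED_HOSTS.has(url.hostname)) {
    return "#"; // javascript:, http:, or foreign hosts are rejected
  }
  return url.href;
}

// Pulled together as a page fragment the way a server-side template would emit it.
function renderProfileLink(displayName, link) {
  return `<a href="${escapeHtml(safeLinkHref(link))}">${escapeHtml(displayName)}</a>`;
}
```

Note that `safeLinkHref` resolves protocol-relative input such as `//evil.example.net/x` against the site's own origin, which turns it into an absolute URL on a foreign host and therefore rejects it; plain `startsWith("/")` checks miss exactly that case.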

The regular patch day took place on the night of November 13, and the next one is due on the night of December 11. Microsoft has evidently classified these security updates as urgent enough to apply and release them out of band, outside the regular schedule.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.