Microsoft Patches Exploited Vulnerability in Partner Network Website

Microsoft informed customers that vulnerabilities affecting cloud, AI and other services have been patched, including an exploited flaw.

Microsoft informed customers on Tuesday that vulnerabilities affecting cloud, AI and other services have been patched, including a flaw that was exploited in attacks.

The tech giant has patched vulnerabilities in Azure, Copilot Studio, and its Partner Network website — one security hole in each — but customers do not need to take any action. CVE identifiers and advisories have been published for transparency only.

Microsoft published separate advisories for each vulnerability. They have all been described as privilege escalation issues that have a maximum severity rating of ‘critical’, but based on their CVSS score two of them have a ‘high severity’ rating and only one is actually ‘critical’.

In its Partner Network website, specifically the ‘partner.microsoft.com’ domain, Microsoft addressed CVE-2024-49035, a high-severity improper access control vulnerability that allowed an unauthenticated attacker to elevate privileges over a network.

The vulnerability has been marked as ‘exploited’ and Microsoft confirmed for SecurityWeek that exploitation was indeed detected, but would not share additional information.

“This CVE addresses a vulnerability in the Microsoft Power Apps online version only. As such, customers do not need to take any action because releases are rolled out automatically over several days,” Microsoft noted in its advisory.

Two Microsoft employees and one anonymous researcher have been credited for finding the vulnerability. 

There do not appear to be any public reports describing exploitation of the flaw and some members of the industry believed the issue may have been flagged as exploited by mistake, especially since the advisory initially had an exploitability assessment of ‘Exploitation Detected’, but the value of the ‘Exploited’ field was ‘No’. Microsoft corrected the ‘Exploited’ value to ‘Yes’ in the advisory after being contacted by SecurityWeek. 

The partner.microsoft.com domain is listed as out of scope in Microsoft’s bug bounty programs.

The critical-severity issue addressed this week is CVE-2024-49038, a cross-site scripting (XSS) vulnerability in Copilot Studio, a product that uses generative AI to enable customers to customize or create copilots. 

“Improper neutralization of input during web page generation (Cross-site Scripting) in Copilot Studio by an unauthorized attacker leads to elevation of privilege over a network,” Microsoft said in its advisory. 

The Azure vulnerability is CVE-2024-49052. It is a missing authentication issue affecting a critical function in Azure PolicyWatch, allowing an attacker to elevate privileges over a network.

Microsoft also announced patching an XSS vulnerability in Dynamics 365 Sales, a management solution for salespeople. The security hole allows an attacker to execute a malicious script in the victim’s browser by getting them to click on a specially crafted link.

The iOS and Android apps are impacted, but the vulnerability itself is in the web server. Users may still need to update their applications, as Microsoft has not specifically stated in its advisory that no user action is required.

Microsoft announced earlier this year that it has decided to assign CVE identifiers even to cloud service vulnerabilities that do not require any action from users, for transparency. However, users can filter out these types of flaws in case they don’t want to waste any time or energy on them.

Google Cloud also announced recently that it has decided to assign CVE identifiers to critical vulnerabilities found in its products, even if they do not require the user to deploy patches or take other action.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.