Microsoft on Thursday informed customers that two potentially critical vulnerabilities have been patched in Update Catalog and Windows Defender.
The tech giant has released advisories for each flaw and assigned CVE identifiers, but it’s only for transparency purposes as the issues have been fully mitigated and users do not need to take any action.
The Windows Defender vulnerability, tracked as CVE-2024-49071, has a maximum severity rating of ‘critical’, but based on its CVSS score it’s a medium-severity issue. It could have led to information disclosure, specifically the exposure of file content.
“Improper authorization of an index that contains sensitive information from a Global Files search in Windows Defender allows an authorized attacker to disclose information over a network,” Microsoft explained.
The vulnerability in Update Catalog, which provides a listing of updates that can be distributed over a corporate network, was a privilege escalation issue that had critical severity based on its CVSS score. The flaw is tracked as CVE-2024-49147.
“Deserialization of untrusted data in Microsoft Update Catalog allows an unauthorized attacker to elevate privileges on the website’s webserver,” Microsoft said in its advisory.
The company’s advisories indicate that the details of these flaws have not been disclosed and there is no indication of malicious exploitation prior to the implementation of patches.
Microsoft is now regularly informing customers about vulnerabilities patched on the server side that do not require any user action. The company has decided to assign CVE identifiers to cloud service vulnerabilities for transparency.
While these vulnerabilities may not seem important, the company admitted in such an advisory last month that CVE-2024-49035, a high-severity vulnerability in its Partner Network website, was exploited in attacks before it was patched.
Google Cloud also decided recently to assign CVE identifiers to critical vulnerabilities found in its products, even if they do not require user action.
Related: Microsoft Patches Vulnerabilities in Power Platform, Imagine Cup Site
Related: Microsoft Ships Urgent Patch for Exploited Windows CLFS Zero-Day
Related: Microsoft MFA Bypassed via AuthQuake Attack
Related: Microsoft Bets $10,000 on Prompt Injection Protections of LLM Email Client
