Microsoft Patches Vulnerabilities in Windows Defender, Update Catalog 

Microsoft has patched potentially critical vulnerabilities in Update Catalog and Windows Defender on the server side. 

Microsoft on Thursday informed customers that two potentially critical vulnerabilities have been patched in Update Catalog and Windows Defender.

The tech giant has released an advisory for each flaw and assigned CVE identifiers, but only for transparency: both issues were mitigated on Microsoft's side, and users do not need to take any action.

The Windows Defender vulnerability, tracked as CVE-2024-49071, carries Microsoft's maximum severity rating of ‘critical’, but its CVSS score places it in the medium-severity range. It could have led to information disclosure, specifically the exposure of file content.

“Improper authorization of an index that contains sensitive information from a Global Files search in Windows Defender allows an authorized attacker to disclose information over a network,” Microsoft explained. 

The vulnerability in Update Catalog, the service that provides a listing of updates that can be distributed over a corporate network, was a privilege escalation issue rated critical based on its CVSS score. It is tracked as CVE-2024-49147.

“Deserialization of untrusted data in Microsoft Update Catalog allows an unauthorized attacker to elevate privileges on the website’s webserver,” Microsoft said in its advisory.
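
Microsoft has said nothing about the Update Catalog flaw beyond that one sentence, but the weakness class it names is a familiar one. The following is an added example in Python (not Microsoft's code and not based on any knowledge of the Update Catalog's internals; the payload, the field names and the KB value are constructed for the demonstration) showing why deserializing attacker-controlled bytes can hand an unauthenticated client code execution on the server, and the two usual fixes: an allow-list on what the deserializer may construct, or a data-only format with explicit validation.

```python
"""Generic illustration of the 'deserialization of untrusted data' weakness
class named in the Update Catalog advisory. Added example code, not
Microsoft's: nothing about the Update Catalog's internals is public, and the
sample payload and data below are constructed for the demonstration."""
import io
import json
import pickle


class Gadget:
    """Constructed attacker object: unpickling it calls eval() on a string the
    attacker chose. Here the string is harmless arithmetic; in a real attack it
    would import os or subprocess and run a command on the web server."""

    def __reduce__(self):
        return (eval, ("40 + 2",))


# Serialized bytes as they would arrive over the network (constructed).
UNTRUSTED_BLOB = pickle.dumps(Gadget())
# Benign serialized data of the shape the application actually expects (constructed).
TRUSTED_BLOB = pickle.dumps({"update_id": "abc123", "kb": 1234567})


def unsafe_load(blob: bytes):
    """Vulnerable pattern: full deserialization of attacker-supplied bytes.
    The attacker's __reduce__ callable runs during loads(), before any
    application logic gets a chance to inspect the result."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Mitigation when a native serializer cannot be replaced: resolve only an
    explicit allow-list of globals, so callables such as eval, os.system or
    subprocess.Popen can never be reconstructed from the stream."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"),
               ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def try_restricted_load(blob: bytes):
    """Returns (True, obj) when the stream only builds allowed types,
    (False, reason) when it references anything else."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(blob)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def try_json_load(text: str):
    """Preferred fix: a data-only format plus explicit shape checks, so the
    input can describe values but never code. Returns (True, obj) or
    (False, reason)."""
    try:
        obj = json.loads(text)
    except json.JSONDecodeError as exc:
        return False, f"malformed json: {exc.msg}"
    if not isinstance(obj, dict) or set(obj) != {"update_id", "kb"}:
        return False, "unexpected shape"
    if (not isinstance(obj["update_id"], str)
            or not isinstance(obj["kb"], int) or isinstance(obj["kb"], bool)):
        return False, "unexpected field types"
    return True, obj


if __name__ == "__main__":
    print("unsafe_load ran attacker code, result:", unsafe_load(UNTRUSTED_BLOB))
    print("restricted, untrusted:", try_restricted_load(UNTRUSTED_BLOB))
    print("restricted, trusted:  ", try_restricted_load(TRUSTED_BLOB))
    print("json:", try_json_load('{"update_id": "abc123", "kb": 1234567}'))
```

The allow-list variant is a stopgap: it must be maintained as the data model grows, and a single permitted type with a useful side effect in its constructor reopens the hole. Moving the endpoint to a format that cannot express object construction at all, and validating the decoded shape before use, is the fix that removes the class rather than one instance of it.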

According to the advisories, neither flaw was publicly disclosed before it was fixed, and Microsoft has found no indication of malicious exploitation prior to the patches.

Microsoft is now regularly informing customers about vulnerabilities patched on the server side that do not require any user action. The company has decided to assign CVE identifiers to cloud service vulnerabilities for transparency. 

Server-side flaws of this kind should not be dismissed just because customers have nothing to patch: in a similar advisory last month, the company admitted that CVE-2024-49035, a high-severity vulnerability in its Partner Network website, had been exploited in attacks before it was patched.

Google Cloud also decided recently to assign CVE identifiers to critical vulnerabilities found in its products, even if they do not require user action.    

Related: Microsoft Patches Vulnerabilities in Power Platform, Imagine Cup Site

Related: Microsoft Ships Urgent Patch for Exploited Windows CLFS Zero-Day

Related: Microsoft MFA Bypassed via AuthQuake Attack

Related: Microsoft Bets $10,000 on Prompt Injection Protections of LLM Email Client

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
