Software giant Microsoft on Tuesday released a massive batch of security patches with cover for at least 150 vulnerabilities and called urgent attention to a gaping hole that lets inauthentic hackers take full control of Azure Kubernetes clusters.
The vulnerability, tracked as CVE-2024-29990, allows an unauthenticated hacker to steal credentials and affects resources beyond the security scope managed by Azure Kubernetes Service Confidential Containers (AKSCC), Redmond said in an advisory.
Redmond’s security response team said the Azure Kubernetes Service bug carries a CVSS severity score of 9/10 and could be exploited to take over confidential guests and containers beyond the network stack it might be bound to.
“An unauthenticated attacker can move the same workload onto a machine they control, where the attacker is root,” Microsoft warned.
The Azure Kubernetes Service bug headlines a massive patch bundle that includes fixes for a trio of remote code execution bugs in Microsoft Defender for IOT and a critical-severity Windows Secure Boot bypass that’s marked as already exploited.
The embattled company documented dozens of remote code execution issues affecting Windows OS and software components, the Microsoft Office productivity suite, Microsoft SQL Server, DNS Server, Visual Studio and Bitlocker.
According to ZDI, a company that tracks the release of software patches, this is the largest release from Microsoft since at least 2017 and does not include fixes for bugs exploited at this year’s Pwn2Own hacker contest.
Microsoft is facing intense criticism for its security practices with a recent US government report documenting shoddy cybersecurity practices, lax corporate culture and untruthfulness in public communications.
In its review of the Microsoft Exchange Online hack, the government’s Cyber Safety Review Board (CSRB) called out “a cascade of Microsoft’s avoidable errors” that allowed Chinese hackers to break into its cloud service and steal sensitive data.
The CSRB, which styles itself as an independent investigative agency similar to the NTSB, said it found “a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”
Related: Microsoft’s Security Chickens Have Come Home to Roost
Related: US Gov Rips Microsoft for Shoddy Security, Poor Response to Chinese Hack
Related: Patch Tuesday: Code Execution Flaws in Multiple Adobe Software Products
Related: Microsoft Cloud Hack Exposed More Than Exchange, Outlook Emails
