Microsoft on Tuesday rolled out patches for at least 60 security vulnerabilities haunting the Windows ecosystem and warned there is exposure to remote code execution attacks.
The world’s largest software maker tagged two HyperV vulnerabilities — CVE-2024-21407 and CVE-2024-21408 with its highest critical-severity rating and urged users to prioritize these fixes to reduce exposure to code execution and denial-of-service attacks.
“This vulnerability would require an authenticated attacker on a guest VM to send specially crafted file operation requests on the VM to hardware resources on the VM which could result in remote code execution on the host server,” Redmond warned HyperV users.
The company said successful exploitation requires an attacker to gather information specific to the environment and take additional actions prior to exploitation to prepare the target environment.
Microsoft also flagged a serious flaw in Open Management Infrastructure (OMI) for urgent attention, noting that the CVE-2024-21334 bug carries a CVSS severity score of 9.8 out of 10.
This month’s updates also provide cover for code execution issues in the oft-targeted Microsoft Exchange Server and a Microsoft Azure Kubernetes bug that opens the door for attackers to steal credentials and affect resources beyond the security scope managed by Azure Kubernetes Service Confidential Containers (AKSCC).
“An attacker can access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers beyond the network stack it might be bound to,” the company added.
According to Microsoft, none of the documented issues have been publicly discussed or under active attack.
The Microsoft patches come on the same day software maker Adobe released a hefty batch of security updates to fix critical-severity vulnerabilities in multiple enterprise-facing products.
The Adobe rollout contains fixes for code execution flaws in the oft-targeted Adobe ColdFusion, Adobe Premiere Pro, Adobe Bridge and Adobe Lightroom.
Like Microsoft, Adobe said it was not aware of any exploits in the wild for any of the issues addressed this month.
Related: Adobe Patches Critical Flaws in Enterprise Products
Related: Google Paid Out $10 Million via Bug Bounty Programs in 2023
Related: Cisco Patches High-Severity Vulnerabilities in VPN Product
Related: Microsoft Says Russians Stole Source Code After Spying on Emails
