Microsoft Sets Record with 147 Flaws Patched in Latest Update – Are Your Windows Secure?

Seattle, WA – Microsoft released a record number of patches this month, aiming to address 147 security flaws in various software, including Windows, Office, Azure, and .NET Framework. This marks the largest release from Microsoft this year, with Trend Micro’s Zero Day Initiative noting that it is also the largest since at least 2017.

While the sheer volume of patches may seem overwhelming, Microsoft does not rate many of the vulnerabilities as critical. Only three were classified as critical, meaning they could allow malware or attackers to take control of unpatched systems without user intervention.

One of the highlighted vulnerabilities is CVE-2024-20670, a spoofing vulnerability in Outlook for Windows that is described as easy to exploit. Exploitation involves convincing a user to click on a malicious link in an email, which allows the attacker to steal the user’s password hash and authenticate as the user in another Microsoft service.

Another noteworthy bug is CVE-2024-29063, which involves hard-coded credentials in Azure’s search backend infrastructure. This vulnerability could be exploited by taking advantage of Azure AI Search, highlighting a potential new attack surface that security experts are actively working to mitigate.

Additionally, CVE-2024-29988 allows attackers to bypass Windows SmartScreen, a technology designed to protect users against phishing and malware attacks. This vulnerability is particularly concerning because it has been exploited in the wild, which underlines the importance of prompt patching and vigilance.

Furthermore, this month’s release includes fixes for two dozen vulnerabilities in Windows Secure Boot. While most of these flaws are considered “Exploitation Less Likely,” security experts warn that past exploits linked to Secure Boot serve as a reminder of the importance of addressing vulnerabilities in this area.

In addition to Microsoft’s patches, Adobe also released nine updates addressing vulnerabilities in various products, including Adobe After Effects, Photoshop, and Illustrator. Notably, Adobe clarified misconceptions about its AI features, stating that document scanning and analysis only occur when users actively engage with the AI assistant.

Overall, the latest round of patches underscores the ongoing efforts to improve software security and mitigate potential threats. Users are advised to promptly update their systems to protect against known vulnerabilities and enhance overall cybersecurity.