IT Brief New Zealand - Technology news for CIOs & IT decision-makers
New Zealand
Guides
#
artificial intelligence
#
digital transformation
#
disaster recovery
#
hybrid & remote work
#
internet of things
Search
Story image
#
Cloud Security
#
Advanced Persistent Threat Protection
#
HealthTech

Microsoft addresses 88 CVEs in this month's Patch Tuesday

Wed, 14th Aug 2024
Author image
By Shannon Williams, Journalist

In this month's Patch Tuesday, Microsoft addressed 88 CVEs with seven critical vulnerabilities and 10 zero-day vulnerabilities, six of which were exploited in the wild. Elevation of Privilege (EoP) vulnerabilities accounted for 41% of the vulnerabilities patched this month, followed by Remote Code Execution (RCE) at 33%.

SAP and Tenable have recently highlighted significant security vulnerabilities in their platforms and services, emphasizing the need for timely patch management and security awareness within organisations.

SAP disclosed twenty-five new or updated security patches, including two HotNews Notes and four High Priority Notes. Meanwhile, Tenable uncovered critical vulnerabilities within the Azure Health Bot Service and released commentary on Microsoft's Patch Tuesday.

SAP reported that the Onapsis Research Labs team supported the patching of seven vulnerabilities, including six SAP Security Notes and a High Priority Note. Notably, SAP Security Note #3423268, with a CVSS score of 7.8, addresses vulnerabilities in the SAP S/4 HANA application due to its usage of the outdated SheetJS library. The patch provides an updated version, aiming to mitigate risks to confidentiality, integrity, and availability of the application.

SAP Security Note #3460407, tagged with a CVSS score of 7.5, resolves an Information Disclosure vulnerability in SAP NetWeaver AS Java. Following its initial release in June 2024 and subsequent updates, corrections are now provided for additional support package levels. Another significant note, #3479478, addresses a Denial of Service vulnerability in SAP BusinessObjects Business Intelligence Platform with a CVSS score of 9.8. This vulnerability can allow an attacker to compromise the system using a REST endpoint for unauthorized logins.

Another high-risk vulnerability identified, SAP Security Note #3477196, tagged with a CVSS score of 9.1, impacts applications built with SAP Build Apps using the Node.js library. SAP recommends updating applications to a later version to mitigate high risks to confidentiality and integrity.

Onapsis Research Labs also supported SAP in addressing a High Priority vulnerability in the SAP BEx Web Java Runtime Export Web Service. The note #3485284, with a CVSS score of 8.2, provides updates to the XML parser to safeguard against potential exploitation.

In parallel, Tenable disclosed critical vulnerabilities within the Azure Health Bot Service. These vulnerabilities allowed unauthorized access to cross-tenant resources and potential lateral movement within the platform. The Azure Health Bot Service is crucial for healthcare professionals as it facilitates patient-engaging chatbots for administrative workflows. Tenable researchers discovered vulnerabilities related to the "Data Connections" feature, where certain mitigation measures could be bypassed through redirect responses.

Microsoft has since applied mitigations to all affected services and regions, reporting that no customer action is required. Tenable emphasizes the importance of traditional web application and cloud security mechanisms in combating these vulnerabilities.

During the recent Patch Tuesday, Microsoft addressed 88 Common Vulnerabilities and Exposures (CVEs), including seven critical and 10 zero-day vulnerabilities. Elevation of Privilege (EoP) vulnerabilities comprised 41% of the patches, while Remote Code Execution (RCE) followed at 33%. Scott Caveza, Staff Research Engineer at Tenable, provided insight into specific vulnerabilities such as CVE-2024-38202 and CVE-2024-21302, both EoP flaws affecting Windows Update Stack and Windows Secure Kernel respectively.

Caveza highlighted that CVE-2024-38200, a spoofing vulnerability in Microsoft Office, could be leveraged via phishing emails to expose NTLM hashes, which are susceptible to relay or pass-the-hash attacks. This vulnerability has been exploited previously by Russian-based threat actor APT28.

Further, Tenable's researchers reported two CVEs to Microsoft, including CVE-2024-38206, an information disclosure vulnerability, and CVE-2024-38109, an EoP vulnerability in Azure Health Bot. Both issues have been patched by Microsoft, with no additional user action required.

Security experts underscore the importance of immediate remediation for vulnerabilities, especially those being actively exploited, to mitigate risks and protect organisational assets. With the increasing sophistication of cyber threats, timely updates and heightened awareness remain critical defensive measures.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
Trend Vision One for MSPs sees rapid adoption & demand
Dynatrace joins Microsoft security group to enhance cloud safety
Microsoft integrates Endor Labs' solution into Defender
Deep observability - what is it, and why do we need it?
Check Point unveils AI-powered Quantum Firewall Software
Top stories
Swiss AI start-up Calvin Risk secures USD $4m seed funding
LogicMonitor secures USD $800m to advance AI initiatives
Neo4j achieves USD $200 million annual recurring revenue
OVHcloud's emission targets approved under Paris Agreement
Rise of Apple in workplaces challenges IT departments