Microsoft Resolves 60 New CVEs

Microsoft has released its lineup of updates for March 12, 2024, including updates for the Windows OS, Exchange Server, SQL Server, Office 365, SharePoint and Defender. The release resolves 60 new CVEs and includes revisions for two previously released CVEs. There is also an advisory announcing the deprecation of Oracle Outside In for Exchange Server.

Between the Patch Tuesdays

This month is pretty quiet compared to the weeks following February Patch Tuesday. After February Patch Tuesday, two vulnerabilities that were resolved in that update were found to be targeted by exploits in the wild: a Windows Kernel Elevation of Privilege vulnerability (CVE-2024-21338) and an Exchange Server Elevation of Privilege vulnerability (CVE-2024-21410).

Apple also had a rapid-response release including two CVEs that were actively being exploited: CVE-2024-23225 in the iOS kernel and CVE-2024-23296 in RTKit, both of which could allow arbitrary code execution. The Apple updates for iOS and iPadOS were released on March 5, 2024.

March Patch Tuesday

From a risk perspective, there are currently no confirmed exploits or public disclosures this month. There are two Critical CVEs in Windows Hyper-V, which makes the OS update this month your highest priority. The two revisions to previously released CVEs (CVE-2023-35372 and CVE-2023-36866) apply to Microsoft Visio. The revision expands the affected products to include Microsoft Visio 2016 (32- and 64-bit editions).

Microsoft released an advisory (ADV24199947) announcing the deprecation of support for Oracle’s libraries in Exchange Server. The deprecation is a three-phase process starting with the March 2024 update. The first phase disables Oracle’s Outside In Technology (OIT) for all file types. The second phase will introduce a replacement scanning solution. The third phase will completely remove OIT code from Exchange Server. The second- and third-phase timeframes were not announced in the advisory as of the initial publishing date of March 12, 2024.  

Looking ahead to April, Microsoft will be implementing the third deployment phase for the Secure Boot changes associated with CVE-2023-24932. The CVE addressed a security feature bypass in Secure Boot utilized by the BlackLotus UEFI bootkit. The changes are being rolled out in a four-phase process, and the third phase is scheduled for the April 9, 2024, Patch Tuesday or later. Expect that next month the new mitigations to block additional vulnerable boot managers will be implemented. This could mean that you have some work to do to prepare boot media for the update. For more details, see KB5025885.