What is the nature of Microsoft's out-of-band security update?

Microsoft has released an out-of-band patch addressing four significant security vulnerabilities across their products and services. This update was released between the November 13 and December 11 patch cycles due to the critical nature of the vulnerabilities.

What vulnerabilities were patched and what are their severity levels?

The vulnerabilities are: CVE-2024-49038 (CVSS 9.3) affecting Copilot Studio - an XSS vulnerability leading to privilege elevation, CVE-2024-49035 (CVSS 8.7) affecting Partner.Microsoft.com - an improper privilege management issue with active exploitation detected, CVE-2024-49052 (CVSS 8.2) affecting Azure PolicyWatch - a missing authentication vulnerability, and CVE-2024-49053 (CVSS 7.6) affecting Dynamics 365 Sales - an XSS vulnerability leading to spoofing.

Which vulnerabilities require user action and which are automatically patched?

Three vulnerabilities (affecting Copilot Studio, Partner.Microsoft.com, and Azure PolicyWatch) have been automatically patched by Microsoft on their cloud services. Only the Dynamics 365 Sales mobile applications vulnerability requires users to manually update their applications through their device's app store to version 3.24104.15 or later.

Which vulnerability is being actively exploited?

CVE-2024-49035, affecting Partner.Microsoft.com, has been confirmed to be actively exploited in the wild. While it has a CVSS score of 8.7 (high severity), Microsoft has classified it as critical in their internal assessment.

What action is required for Dynamics 365 Sales users?

Users of Dynamics 365 Sales mobile applications must update to version 3.24104.15 or later through their respective app stores (iOS or Android) to patch the CVE-2024-49053 vulnerability, which could allow authenticated attackers to create malicious links redirecting victims to malicious sites.

Advisory

Microsoft patches vulnerabilities outside of normal cycle

published: Nov. 27, 2024

Take action: Your first priority should be Microsoft Dynamics 365 Sales apps for iOS and Android. The rest of the flaws are automatically patched by MS. You should possibly read up on the flaw in Partner.Microsoft.com, and check for unexpected user accounts or changed permissions.

Learn More

Microsoft has released an out-of-band patch addressing four significant security vulnerabilities across their products and services. These updates were released outside the regular patch schedule (between the November 13 and December 11 patch cycles) due to their critical nature.

Three of the four vulnerabilities (affecting Copilot Studio, Partner.Microsoft.com, and Azure PolicyWatch) have been automatically patched by Microsoft on their cloud services, requiring no action from users. However, users of Microsoft Dynamics 365 Sales mobile applications must manually update their applications through their device's app store.

Vulnerability summary:

CVE-2024-49038 (CVSS score 9.3) - Microsoft Copilot Studio vulnerability - Cross-site Scripting (XSS) leading to Elevation of Privilege. Allows unauthorized network-based attackers to elevate privileges. Automatically patched by Microsoft, no user action required
CVE-2024-49035 (CVSS score 8.7) - Partner.Microsoft.com vulnerability - Improper Privilege Management. Allows unauthenticated attackers to elevate privileges - Active exploitation detected. Affects Microsoft Power Apps online version. Automatically patched by Microsoft, no user action required
CVE-2024-49052 (CVSS score 8.2) - Microsoft Azure PolicyWatch vulnerability - Missing Authentication for Critical Function. Enables unauthorized attackers to elevate privileges via network access. Automatically patched by Microsoft, no user action required
CVE-2024-49053 (CVSS score 7.6) - Microsoft Dynamics 365 Sales vulnerability - Cross-site Scripting (XSS) leading to Spoofing. Authenticated attackers can create malicious links redirecting victims to malicious sites. Affected components: Web server vulnerability with client-side script execution, but requires user interaction - clicking on specially crafted URLs
- Users must update to version 3.24104.15 or later through their respective app stores
  - Dynamics 365 Sales for iOS
  - Dynamics 365 Sales for Android

CVE-2024-49035, which has been confirmed to be actively exploited in the wild. While Microsoft rated this vulnerability with a CVSS score of 8.7 (high severity), they have classified it as critical in their internal assessment.

Microsoft patches vulnerabilities outside of normal cycle

Read More
Vulnerability in ChatGPT allowed for malicious SVG that …
Trellix researchers warn of malicious campaign that uses …
Samsung Releases Patches to critical issues in sync …
AI Agent Vulnerabilities Enable Hijacking in Perplexity Comet …
Google fixes critical vulnerabilities in Chromecast devices