Microsoft informed customers on Tuesday that vulnerabilities affecting cloud, AI and other services have been patched, including a flaw that was exploited in attacks.
The tech giant has patched vulnerabilities in Azure, Copilot Studio, and its Partner Network website — one security hole in each — but customers do not need to take any action. CVE identifiers and advisories have been published for transparency only.
Microsoft published separate advisories for each vulnerability. They have all been described as privilege escalation issues that have a maximum severity rating of ‘critical’, but based on their CVSS score two of them have a ‘high severity’ rating and only one is actually ‘critical’.
In its Partner Network website, specifically the ‘partner.microsoft.com’ domain, Microsoft addressed CVE-2024-49035, a high-severity improper access control vulnerability that allowed an unauthenticated attacker to elevate privileges over a network.
The vulnerability has been marked as ‘exploited’ and Microsoft confirmed for SecurityWeek that exploitation was indeed detected, but would not share additional information.
“This CVE addresses a vulnerability in the Microsoft Power Apps online version only. As such, customers do not need to take any action because releases are rolled out automatically over several days,” Microsoft noted in its advisory.
Two Microsoft employees and one anonymous researcher have been credited for finding the vulnerability.
There do not appear to be any public reports describing exploitation of the flaw and some members of the industry believed the issue may have been flagged as exploited by mistake, especially since the advisory initially had an exploitability assessment of ‘Exploitation Detected’, but the value of the ‘Exploited’ field was ‘No’. Microsoft corrected the ‘Exploited’ value to ‘Yes’ in the advisory after being contacted by SecurityWeek.
The partner.microsoft.com domain is listed as out of scope in Microsoft’s bug bounty programs.
The critical-severity issue addressed this week is CVE-2024-49038, a cross-site scripting (XSS) vulnerability in Copilot Studio, a product that uses generative AI to enable customers to customize or create copilots.
“Improper neutralization of input during web page generation (Cross-site Scripting) in Copilot Studio by an unauthorized attacker leads to elevation of privilege over a network,” Microsoft said in its advisory.
The Azure vulnerability is CVE-2024-49052. It is a missing authentication issue affecting a critical function in Azure PolicyWatch, allowing an attacker to elevate privileges over a network.
Microsoft also announced patching an XSS vulnerability in Dynamics 365 Sales, a management solution for salespeople. The security hole allows an attacker to execute a malicious script in the victim’s browser by getting them to click on a specially crafted link.
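The Copilot Studio and Dynamics 365 Sales flaws above are both cross-site scripting, i.e. "improper neutralization of input during web page generation". The following is an added example, not code from the article or from Microsoft: it takes the `name` parameter from a constructed crafted link, renders it once without output encoding and once with contextual HTML escaping, and runs a simple check for markup that did not come from the template. The hostname, parameter name, template and payload are all constructed for illustration.

```javascript
// Added example (not from the SecurityWeek article or Microsoft): a page
// template that reflects a query parameter, first without output encoding
// (the CWE-79 weakness named in the advisory) and then with HTML escaping.

// Minimal HTML escaper for text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the untrusted 'name' value is concatenated straight into markup.
function renderGreetingUnsafe(name) {
  return `<p>Welcome back, ${name}!</p>`;
}

// Hardened: every untrusted value is escaped for the context it lands in.
function renderGreetingSafe(name) {
  return `<p>Welcome back, ${escapeHtml(name)}!</p>`;
}

// Extract the 'name' query parameter the way a browser or server would
// (percent-decoding included). The URL layout is a constructed assumption.
function nameFromUrl(url) {
  return new URL(url).searchParams.get("name") ?? "";
}

// Detection-style check: does the rendered HTML contain any tag other than
// the <p>/</p> pair the template itself emits?
function containsInjectedMarkup(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) ?? [];
  return tags.some((t) => !/^<\/?p>$/.test(t));
}

// Constructed sample: a crafted link carrying a script tag in 'name'.
const craftedLink =
  "https://crm.example.invalid/home?name=%3Cscript%3Ealert(%27xss%27)%3C%2Fscript%3E";

// Returns whether each renderer lets the injected tag through.
function demo() {
  const name = nameFromUrl(craftedLink);
  return {
    unsafe: containsInjectedMarkup(renderGreetingUnsafe(name)), // true
    safe: containsInjectedMarkup(renderGreetingSafe(name)),     // false
  };
}

console.log(demo());
```

The check in `containsInjectedMarkup` is deliberately narrow (it knows the template's own tags), which is what makes it usable as a unit test for a template: any tag the template did not write is a neutralization failure. In a real application the escaping should come from the templating engine's auto-escaping rather than a hand-written helper, and a value placed inside a `href`, a `<script>` block or an event handler needs that context's encoder, not just HTML entity escaping.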
The iOS and Android apps are impacted, but the vulnerability is in the web server. Users may need to update their applications, as Microsoft has not specifically stated in its advisory that user interaction is not required.
Microsoft announced earlier this year that it has decided to assign CVE identifiers even to cloud service vulnerabilities that do not require any action from users, for transparency. However, users can filter out these types of flaws in case they don’t want to waste any time or energy on them.
Google Cloud also announced recently that it has decided to assign CVE identifiers to critical vulnerabilities found in its products, even if they do not require the user to deploy patches or take other action.