Critical DNS Client Vulnerability Patched
Microsoft released its monthly security update, addressing 138 vulnerabilities across its product line. Among the most severe issues is a critical remote code execution flaw in the Windows DNS Client. This heap based buffer overflow vulnerability, rated 9.8 out of 10, could allow an unauthenticated attacker to execute arbitrary code by sending a specially crafted DNS response to a target system, causing memory corruption. Microsoft warned that in certain configurations, this attack requires no authentication, making it particularly dangerous for unpatched systems.
Privilege Escalation and Azure Fixes
The update covers a broad range of bug types, with 61 privilege escalation vulnerabilities representing the largest category, followed by 32 remote code execution flaws. Notably, the patch batch includes a fix for an AMD processor vulnerability affecting Zen 2 based products. This issue involves improper isolation of shared resources in the CPU operation cache, potentially enabling an attacker to escalate privileges by corrupting instructions at a different privilege level. Additionally, Microsoft addressed a critical information disclosure flaw in Azure DevOps, rated at a maximum severity of 10.0, and an access control issue in Azure Managed Instance for Apache Cassandra. The company stated that customer action is not required for these Azure related patches.
Source: The Hacker News
