Microsoft March 2024 Security Updates

Discussion in 'update alerts' started by NICK ADSL UK, Mar 12, 2024.

Thread Status:
Not open for further replies.
  1. NICK ADSL UK

    NICK ADSL UK Administrator

    Joined:
    May 13, 2003
    Posts:
    9,507
    Location:
    UK
    March 2024 Security Updates
    This release consists of the following 61 Microsoft CVEs:

    Tag CVE
    Windows Defender CVE-2024-20671
    Open Management Infrastructure CVE-2024-21330
    Open Management Infrastructure CVE-2024-21334
    Microsoft Authenticator CVE-2024-21390
    .NET CVE-2024-21392
    Microsoft Azure Kubernetes Service CVE-2024-21400
    Role: Windows Hyper-V CVE-2024-21407
    Role: Windows Hyper-V CVE-2024-21408
    Skype for Consumer CVE-2024-21411
    Software for Open Networking in the Cloud (SONiC) CVE-2024-21418
    Microsoft Dynamics CVE-2024-21419
    Azure SDK CVE-2024-21421
    Microsoft Office SharePoint CVE-2024-21426
    Windows Kerberos CVE-2024-21427
    Windows USB Hub Driver CVE-2024-21429
    Windows USB Serial Driver CVE-2024-21430
    Windows Hypervisor-Protected Code Integrity CVE-2024-21431
    Windows Update Stack CVE-2024-21432
    Windows Print Spooler Components CVE-2024-21433
    Microsoft Windows SCSI Class System File CVE-2024-21434
    Windows OLE CVE-2024-21435
    Windows Installer CVE-2024-21436
    Microsoft Graphics Component CVE-2024-21437
    Windows AllJoyn API CVE-2024-21438
    Windows Telephony Server CVE-2024-21439
    Windows ODBC Driver CVE-2024-21440
    Microsoft WDAC OLE DB provider for SQL CVE-2024-21441
    Windows USB Print Driver CVE-2024-21442
    Windows Kernel CVE-2024-21443
    Microsoft WDAC OLE DB provider for SQL CVE-2024-21444
    Windows USB Print Driver CVE-2024-21445
    Windows NTFS CVE-2024-21446
    Microsoft Teams for Android CVE-2024-21448
    Microsoft WDAC OLE DB provider for SQL CVE-2024-21450
    Microsoft WDAC ODBC Driver CVE-2024-21451
    Windows ODBC Driver CVE-2024-26159
    Windows Cloud Files Mini Filter Driver CVE-2024-26160
    Microsoft WDAC OLE DB provider for SQL CVE-2024-26161
    Windows ODBC Driver CVE-2024-26162
    SQL Server CVE-2024-26164
    Visual Studio Code CVE-2024-26165
    Microsoft WDAC OLE DB provider for SQL CVE-2024-26166
    Microsoft Edge for Android CVE-2024-26167
    Windows Error Reporting CVE-2024-26169
    Windows Composite Image File System CVE-2024-26170
    Windows Kernel CVE-2024-26173
    Windows Kernel CVE-2024-26174
    Windows Kernel CVE-2024-26176
    Windows Kernel CVE-2024-26177
    Windows Kernel CVE-2024-26178
    Windows Kernel CVE-2024-26181
    Windows Kernel CVE-2024-26182
    Windows Compressed Folder CVE-2024-26185
    Microsoft QUIC CVE-2024-26190
    Windows Standards-Based Storage Management Service CVE-2024-26197
    Microsoft Exchange Server CVE-2024-26198
    Microsoft Office CVE-2024-26199
    Microsoft Intune CVE-2024-26201
    Azure Data Studio CVE-2024-26203
    Outlook for Android CVE-2024-26204

    We are republishing 4 non-Microsoft CVEs:
    CNA Tag CVE
    Intel Corporation Intel CVE-2023-28746
    Chrome Microsoft Edge (Chromium-based) CVE-2024-2173
    Chrome Microsoft Edge (Chromium-based) CVE-2024-2174
    Chrome Microsoft Edge (Chromium-based) CVE-2024-2176

    Security Update Guide Blog Posts
    Date Blog Post
    February 15, 2024 New Security Advisory Tab Added to the Microsoft Security Update Guide
    January 11, 2022 Coming Soon: New Security Update Guide Notification System
    February 9, 2021 Continuing to Listen: Good News about the Security Update Guide API
    January 13, 2021 Security Update Guide Supports CVEs Assigned by Industry Partners
    December 8, 2020 Security Update Guide: Let’s keep the conversation going
    November 9, 2020 Vulnerability Descriptions in the New Version of the Security Update Guide

    Relevant Resources
    • The new Hotpatching feature is now generally available. Please see Hotpatching feature for Windows Server Azure Edition virtual machines (VMs) for more information.
    • Windows 10 and Windows 11 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10 and 11, in addition to non-security updates. The updates are available via the Microsoft Update Catalog. For information on lifecycle and support dates for Windows operating systems, please see Windows Lifecycle Facts Sheet.
    • Microsoft is improving Windows Release Notes. For more information, please see What's next for Windows release notes.
    • A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
    • In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.
    • Customers running Windows Server 2008 R2, or Windows Server 2008 need to purchase the Extended Security Update to continue receiving security updates. See 4522133 for more information.
    Known Issues
    You can see these in more detail from the Deployments tab by selecting the Known Issues column in the Edit Columns panel.

    For more information about Windows Known Issues, please see Windows message center (links to currently-supported versions of Windows are in the left pane).

    KB Article Applies To
    5035845 Windows 10, version 21H2, Windows 10, version 22H2
    5035920 Windows Server 2008 (Monthly Rollup)
    5035933 Windows Server 2008 (Security-only update)
    5036386 Exchange Server 2016
    5036401 Exchange Server 2019 Cumulative Update 14
    5036402 Exchange Server 2019 Cumulative Update 13
    Released: Mar 12, 2024
    March 2024 Security Updates - Release Notes - Security Update Guide - Microsoft
     
  2. NICK ADSL UK

    CVEs have been published or revised in the Security Update Guide
    March 12, 2024

    These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

    CVE-2023-35372

    · Title: Microsoft Office Visio Remote Code Execution Vulnerability

    · Version: 2.0

    · Reason for revision: In the Security Updates table added Microsoft Visio 2016 (32-bit edition) and Microsoft Visio 2016 (64-bit edition) as these versions of Visio are also affected by the vulnerability. Microsoft strongly recommends that customers running any of these versions of Visio install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action.

    · Originally released: August 8, 2023

    · Last updated: March 12, 2024

    · Aggregate CVE Severity Rating: Important

    CVE-2023-36866

    · Title: Microsoft Office Visio Remote Code Execution Vulnerability

    · Version: 2.0

    · Reason for revision: In the Security Updates table added Microsoft Visio 2016 (32-bit edition) and Microsoft Visio 2016 (64-bit edition) as these versions of Visio are also affected by the vulnerability. Microsoft strongly recommends that customers running any of these versions of Visio install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action.

    · Originally released: August 8, 2023

    · Last updated: March 12, 2024

    · Aggregate CVE Severity Rating: Important
     
  3. NICK ADSL UK

    CVEs have been published or revised in the Security Update Guide
    March 14, 2024

    These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

    CVE-2024-26163

    · Title: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

    · Version: 1.0

    · Reason for revision: Information published.

    · Originally released: March 14, 2024

    · Last updated: March 14, 2024

    · Aggregate CVE Severity Rating: Low

    CVE-2024-26167

    · Title: Microsoft Edge for Android Spoofing Vulnerability

    · Version: 2.0

    · Reason for revision: The security update 122.0.2365.92 for Edge for Android is now available. See the Security Updates table for more information.

    · Originally released: March 7, 2024

    · Last updated: March 14, 2024

    · Aggregate CVE Severity Rating: Low

    CVE-2024-26246

    · Title: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

    · Version: 1.0

    · Reason for revision: Information published.

    · Originally released: March 14, 2024

    · Last updated: March 14, 2024

    · Aggregate CVE Severity Rating: Low
     
  4. NICK ADSL UK

    CVEs have been published or revised in the Security Update Guide
    March 20, 2024

    These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

    CVE-2024-28916

    · Title: Xbox Gaming Services Elevation of Privilege Vulnerability

    · Version: 1.0

    · Reason for revision: Information published.

    · Originally released: March 20, 2024

    · Last updated: March 20, 2024

    · Aggregate CVE Severity Rating: Important
     
  5. NICK ADSL UK

    CVEs have been published or revised in the Security Update Guide
    March 22, 2024

    These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

    CVE-2024-26247

    · Title: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

    · Version: 1.0

    · Reason for revision: Information published.

    · Originally released: March 22, 2024

    · Last updated: March 22, 2024

    · Aggregate CVE Severity Rating: Low

    CVE-2024-2625

    · Title: Chromium: CVE-2024-2625 Object lifecycle issue in V8

    · Version: 1.0

    · Reason for revision: Information published.

    · Originally released: March 22, 2024

    · Last updated: March 22, 2024

    · Aggregate CVE Severity Rating:

    CVE-2024-2626

    · Title: Chromium: CVE-2024-2626 Out of bounds read in Swiftshader

    · Version: 1.0

    · Reason for revision: Information published.

    · Originally released: March 22, 2024

    · Last updated: March 22, 2024

    · Aggregate CVE Severity Rating:

    CVE-2024-2627

    · Title: Chromium: CVE-2024-2627 Use after free in Canvas

    · Version: 1.0

    · Reason for revision: Information published.

    · Originally released: March 22, 2024

    · Last updated: March 22, 2024

    · Aggregate CVE Severity Rating:

    CVE-2024-2628

    · Title: Chromium: CVE-2024-2628 Inappropriate implementation in Downloads

    · Version: 1.0

    · Reason for revision: Information published.

    · Originally released: March 22, 2024

    · Last updated: March 22, 2024

    · Aggregate CVE Severity Rating:

    CVE-2024-2629

    · Title: Chromium: CVE-2024-2629 Incorrect security UI in iOS

    · Version: 1.0

    · Reason for revision: Information published.

    · Originally released: March 22, 2024

    · Last updated: March 22, 2024

    · Aggregate CVE Severity Rating:

    CVE-2024-2630

    · Title: Chromium: CVE-2024-2630 Inappropriate implementation in iOS

    · Version: 1.0

    · Reason for revision: Information published.

    · Originally released: March 22, 2024

    · Last updated: March 22, 2024

    · Aggregate CVE Severity Rating:

    CVE-2024-2631

    · Title: Chromium: CVE-2024-2631 Inappropriate implementation in iOS

    · Version: 1.0

    · Reason for revision: Information published.

    · Originally released: March 22, 2024

    · Last updated: March 22, 2024

    · Aggregate CVE Severity Rating:

    CVE-2024-29057

    · Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability

    · Version: 1.0

    · Reason for revision: Information published.

    · Originally released: March 22, 2024

    · Last updated: March 22, 2024

    · Aggregate CVE Severity Rating: Low
     
  6. NICK ADSL UK

    CVEs have been published or revised in the Security Update Guide
    March 22, 2024

    These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

    CVE-2024-29059

    · Title: .NET Framework Information Disclosure Vulnerability

    · Version: 1.0

    · Reason for revision: Information published. This CVE was addressed by updates that were released in January 2024, but the CVE was inadvertently omitted from the January 2024 Security Updates. This is an informational change only. Customers who have already installed the January 2024 updates do not need to take any further action.

    · Originally released: March 22, 2024

    · Last updated: March 22, 2024

    · Aggregate CVE Severity Rating: Important
     
  7. NICK ADSL UK

    CVEs have been published or revised in the Security Update Guide
    April 1, 2024

    These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

    CVE-2024-2883

    · Title: Chromium: CVE-2024-2883 Use after free in ANGLE

    · Version: 1.0

    · Reason for revision: Information published.

    · Originally released: March 27, 2024

    · Last updated: March 27, 2024

    · Aggregate CVE Severity Rating:

    CVE-2024-2883

    · Title: Chromium: CVE-2024-2883 Use after free in ANGLE

    · Version: 1.1

    · Reason for revision: Removed the sentence regarding active attacks because Google was not aware of active attacks using this vulnerability. This is an informational change only.

    · Originally released: March 27, 2024

    · Last updated: April 1, 2024

    · Aggregate CVE Severity Rating:

    CVE-2024-2885

    · Title: Chromium: CVE-2024-2885 Use after free in Dawn

    · Version: 1.0

    · Reason for revision: Information published.

    · Originally released: March 27, 2024

    · Last updated: March 27, 2024

    · Aggregate CVE Severity Rating:

    CVE-2024-2886

    · Title: Chromium: CVE-2024-2886 Use after free in WebCodecs

    · Version: 1.0

    · Reason for revision: Information published.

    · Originally released: March 27, 2024

    · Last updated: March 27, 2024

    · Aggregate CVE Severity Rating:

    CVE-2024-2887

    · Title: Chromium: CVE-2024-2887 Type Confusion in WebAssembly

    · Version: 1.0

    · Reason for revision: Information published.

    · Originally released: March 27, 2024

    · Last updated: March 27, 2024

    · Aggregate CVE Severity Rating:
     
  8. NICK ADSL UK

    CVEs have been published or revised in the Security Update Guide
    April 4, 2024

    These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

    CVE-2024-29049

    · Title: Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability

    · Version: 1.0

    · Reason for revision: Information published.

    · Originally released: April 4, 2024

    · Last updated: April 4, 2024

    · Aggregate CVE Severity Rating: Moderate

    CVE-2024-29981

    · Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability

    · Version: 1.0

    · Reason for revision: Information published.

    · Originally released: April 4, 2024

    · Last updated: April 4, 2024

    · Aggregate CVE Severity Rating: Low

    CVE-2024-3156

    · Title: Chromium: CVE-2024-3156 Inappropriate implementation in V8

    · Version: 1.0

    · Reason for revision: Information published.

    · Originally released: April 4, 2024

    · Last updated: April 4, 2024

    · Aggregate CVE Severity Rating:

    CVE-2024-3158

    · Title: Chromium: CVE-2024-3158 Use after free in Bookmarks

    · Version: 1.0

    · Reason for revision: Information published.

    · Originally released: April 4, 2024

    · Last updated: April 4, 2024

    · Aggregate CVE Severity Rating:

    CVE-2024-3159

    · Title: Chromium: CVE-2024-3159 Out of bounds memory access in V8

    · Version: 1.0

    · Reason for revision: Information published.

    · Originally released: April 4, 2024

    · Last updated: April 4, 2024

    · Aggregate CVE Severity Rating:
     