Issuing CNA: Red Hat, Inc.

Windows 11, version 24H2 is not generally available yet. Why are there updates for this version of Windows listed in the Security Updates table?

The new Copilot+ devices that are now publicly available come with Windows 11, version 24H2 installed. Customers with these devices need to know about any vulnerabilities that affect their machine and to install the updates if they are not receiving automatic updates. Note that the general availability date for Windows 11, version 24H2 is scheduled for later this year.

Why is this Redhat CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in the Linux GRUB2 boot loader, a boot loader designed to support Secure Boot on systems that are running Linux. It is being documented in the Security Update Guide to announce that the latest builds of Windows are no longer vulnerable to this security feature bypass using the Linux GRUB2 boot loader. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

Will this update affect my ability to boot Linux after applying this update?

To address this security issue, Windows will apply a Secure Boot Advanced Targeting (SBAT) update to block vulnerable Linux boot loaders that could have an impact on Windows security. The SBAT value is not applied to dual-boot systems that boot both Windows and Linux and should not affect these systems. You might find that older Linux distribution ISOs will not boot. If this occurs, work with your Linux vendor to get an update.

Information published.

Issuing CNA: Microsoft

How could an attacker exploit this vulnerability?

A cross-site scripting vulnerability existed in virtual public IP address that impacted related endpoints. For more information on the impacted virtual public IP address, see here: What is IP address 168.63.129.16? | Microsoft Learn. An unauthenticated attacker could exploit this vulnerability by getting the victim to load malicious code into their web browser on the virtual machine, allowing the attacker to leverage an implicit identity of the virtual machine. The victim's web browser then would determine which host endpoints are accessible.

According to CVSS metrics the user interaction is required (UI:R). What interaction would a user have to do?

A user (victim) logged on to a virtual machine would need to be tricked for the virtual machine to explicitly download and execute a malicious code in their web browser.

According to the CVSS metric, the successful exploitation of this vulnerability could lead to a scope change (S:C). What does this mean for this vulnerability?

By sending a specially crafted request to the vulnerable virtual public IP address, the attacker is able to load malicious code into a victim's browser without having any direct access or connection.

Information published.

Issuing CNA: Microsoft

What type of information could be disclosed by this vulnerability?

Exploiting this vulnerability could allow the disclosure of certain kernel memory content.

Windows 11, version 24H2 is not generally available yet. Why are there updates for this version of Windows listed in the Security Updates table?

The new Copilot+ devices that are now publicly available come with Windows 11, version 24H2 installed. Customers with these devices need to know about any vulnerabilities that affect their machine and to install the updates if they are not receiving automatic updates. Note that the general availability date for Windows 11, version 24H2 is scheduled for later this year.

Information published.

Issuing CNA: Microsoft

According to the CVSS metric, privileges required is high (PR:H). What does that mean for this vulnerability?

To successfully exploit this vulnerability, an attacker or the targeted user would need to achieve a high level of control over a machine, as the attack requires access to processes typically restricted from average users.

Essentially, the exploitation necessitates elevated privileges on the compromised machine due to the requirement of manipulating processes beyond the reach of standard user permissions.

How could an attacker exploit this vulnerability?

An attacker could exploit the vulnerability by taking advantage of the unchecked return value in the wnv.sys component of Windows Server 2016. By manipulating the content of the Memory Descriptor List (MDL), the attacker could cause unauthorized memory writes or even free a valid block currently in use, leading to a critical guest-to-host escape.

According to the CVSS metric, successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

This vulnerability could lead to the attacker gaining the ability to interact with other tenant’s applications and content.

The following mitigating factors might be helpful in your situation:

• Ensuring that the virtual machine (VM) is running on the VMware hypervisor exclusively, as it needs to be capable of nested virtualization.
• Disabling Hyper-V and its dependent features (VBS and its components) on the host where the VM will run is also crucial.
• Renaming the hypervisor binary (C:\Windows\System32\hvix64.exe) to prevent it from loading at boot time can also help mitigate the issue.

Information published.

Issuing CNA: Microsoft

According to the CVSS metric, successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

This vulnerability could lead to the attacker gaining the ability to interact with other tenant’s applications and content.

According to the CVSS metric, privileges required is high (PR:H). What does that mean for this vulnerability?

To successfully exploit this vulnerability, an attacker or the targeted user would need to achieve a high level of control over a machine, as the attack requires access to processes typically restricted from average users.

Essentially, the exploitation necessitates elevated privileges on the compromised machine due to the requirement of manipulating processes beyond the reach of standard user permissions.

How could an attacker exploit this vulnerability?

An attacker could exploit the vulnerability by taking advantage of the unchecked return value in the wnv.sys component of Windows Server 2016. By manipulating the content of the Memory Descriptor List (MDL), the attacker could cause unauthorized memory writes or even free a valid block currently in use, leading to a critical guest-to-host escape.

The following mitigating factors might be helpful in your situation:

• Ensuring that the virtual machine (VM) is running on the VMware hypervisor exclusively, as it needs to be capable of nested virtualization.
• Disabling Hyper-V and its dependent features (VBS and its components) on the host where the VM will run is also crucial.
• Renaming the hypervisor binary (C:\Windows\System32\hvix64.exe) to prevent it from loading at boot time can also help mitigate the issue.

Information published.

Issuing CNA: Microsoft

According to the CVSS metric, the attack vector is physical (AV:P). What does that mean for this vulnerability?

To exploit this vulnerability, an unauthenticated attacker needs to physically connect a malicious USB device to the victim's machine

Information published. This CVE was addressed by updates that were released in July 2024, but the CVE was inadvertently omitted from the July 2024 Security Updates. This is an informational change only. Customers who have already installed the July 2024 updates do not need to take any further action.

Issuing CNA: Microsoft

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited the vulnerability could read targeted email messages.

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

Exploitation of this vulnerability requires that a user trigger the payload in the application.

Information published.

Issuing CNA: Microsoft

Information published.

Issuing CNA: Microsoft

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.

For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.

Information published.

Issuing CNA: Microsoft

According to the CVSS metric, the attack vector is network (AV:N) and the user interaction is required (UI:R). What is the target context of the remote code execution?

This attack requires an authenticated client to click a link in order for an unauthenticated attacker to initiate remote code execution.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to first prepare the target so that it uses Edge in Internet Explorer Mode.

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user would have to click on a specially crafted URL to be compromised by the attacker.

Windows 11, version 24H2 is not generally available yet. Why are there updates for this version of Windows listed in the Security Updates table?

The new Copilot+ devices that are now publicly available come with Windows 11, version 24H2 installed. Customers with these devices need to know about any vulnerabilities that affect their machine and to install the updates if they are not receiving automatic updates. Note that the general availability date for Windows 11, version 24H2 is scheduled for later this year.

Information published.

Issuing CNA: Microsoft

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker could use this vulnerability to elevate privileges from a Low Integrity Level in a contained ("sandboxed") execution environment to a Medium Integrity Level or a High Integrity Level.

Please refer to AppContainer isolation and Mandatory Integrity Control for more information.

Information published. This CVE was addressed by updates that were released in July 2024, but the CVE was inadvertently omitted from the July 2024 Security Updates. This is an informational change only. Customers who have already installed the July 2024 updates do not need to take any further action.

Issuing CNA: Microsoft

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

Information published. This CVE was addressed by updates that were released in July 2024, but the CVE was inadvertently omitted from the July 2024 Security Updates. This is an informational change only. Customers who have already installed the July 2024 updates do not need to take any further action.

Issuing CNA: Microsoft

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

Windows 11, version 24H2 is not generally available yet. Why are there updates for this version of Windows listed in the Security Updates table?

The new Copilot+ devices that are now publicly available come with Windows 11, version 24H2 installed. Customers with these devices need to know about any vulnerabilities that affect their machine and to install the updates if they are not receiving automatic updates. Note that the general availability date for Windows 11, version 24H2 is scheduled for later this year.

Information published.

Issuing CNA: Microsoft

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

Windows 11, version 24H2 is not generally available yet. Why are there updates for this version of Windows listed in the Security Updates table?

The new Copilot+ devices that are now publicly available come with Windows 11, version 24H2 installed. Customers with these devices need to know about any vulnerabilities that affect their machine and to install the updates if they are not receiving automatic updates. Note that the general availability date for Windows 11, version 24H2 is scheduled for later this year.

Information published.

Issuing CNA: Microsoft

According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L) and integrity (I:L) but does not impact availability (A:N)? What does that mean for this vulnerability?

The attacker is only able to modify the sender's name of Teams message (I:L) and through social engineering, attempt to trick the recipient into disclosing information (C:L). The availability of the product cannot be affected (A:N).

How do I get the update for Microsoft Teams for iOS?

1. Tap the Settings icon
2. Tap the** iTunes & App Store**
3. Turn on AUTOMATIC DOWNLOADS for Apps

Alternatively

1. Tap the** App Store** icon
2. Scroll down to find Microsoft Teams
3. Tap the Update button

How do I get the update for Teams for Android?

1. Tap the Play Store icon on your home screen.
2. Tap the circular account icon at the top right of the screen.
3. Tap Manage apps & devices.
4. Tap Updates available.
5. Tap the Update button next to the Microsoft Teams app.

Is there a direct link on the web?

Yes: https://play.google.com/store/apps/details?id=com.microsoft.teams

Information published.