Microsoft Fixes Four Security Flaws

December 2, 2024 / meritsolutions

Microsoft has found and fixed four security flaws across four of its products. One of them affects Copilot Studio, Microsoft's low-code tool for building custom copilots on top of its AI models. Another is being actively exploited in the wild, which makes this latest round of patches especially important.

The four flaws affect artificial intelligence (Copilot Studio), cloud (Azure PolicyWatch), enterprise resource planning (Dynamics 365 Sales), and the Partner Center. Active exploitation of one of them means attackers were taking advantage of the flaw before Microsoft had a fix in place, which is why that one is the most urgent to address.

The exploited flaw is tracked as CVE-2024-49035 and is an elevation-of-privilege vulnerability in the Microsoft Partner Center site (partner.microsoft.com). Microsoft describes it as an "improper access control vulnerability" that lets an attacker elevate privileges over the network. In practice, that means an attacker who can reach the site can gain access to functions and data that their account should never have been authorized for, without needing to steal anyone's credentials first.

While this flaw is the most urgent one Microsoft patched, the other three are also important to fix. They are as follows:

  • CVE-2024-49038: A cross-site scripting (XSS) vulnerability in Copilot Studio that allows an attacker to elevate privileges over a network.
  • CVE-2024-49052: A missing authentication for a critical function vulnerability in Microsoft Azure PolicyWatch that allows an attacker to elevate privileges over a network.
  • CVE-2024-49053: A spoofing vulnerability in Microsoft Dynamics 365 Sales that allows an attacker to persuade a user to click a specially crafted URL and be redirected to a malicious website.

The first two of these are similar in effect to the exploited flaw: a successful attack lets the attacker elevate privileges over the network and then use the affected service in ways its access controls should prevent. Unlike CVE-2024-49035, however, neither is known to be actively exploited as of this writing.

Microsoft has already applied fixes on its side for the cloud-hosted services (Partner Center, Copilot Studio, and Azure PolicyWatch), so customers do not need to install anything themselves for those three. CVE-2024-49053 is the exception: Microsoft recommends updating the Dynamics 365 Sales app on Android or iOS to the latest version to get that patch.
