Critical updates: Microsoft patches vulnerabilities

Microsoft has fixed security vulnerabilities in several products. Users have to install some updates manually.

Microsoft has been busy behind the scenes patching up some rather alarming security vulnerabilities across its product lineup. If you are a Microsoft user, here is what you need to know about these fixes and how they impact you. Microsoft has apparently classified the security updates as so urgent that the company applied and released them outside of the regular schedule.

Critical Copilot Studio Flaw Gets Fixed

Ever wanted to feel like a hacker? Well, a flaw in Microsoft Copilot Studio gave attackers the ability to elevate their privileges with just a little online trickery (CVE-2024-49038, CVSS 9.3 critical). Turns out, a lack of proper input filtering was the culprit, making cross-site scripting possible. Microsoft fixed the gap.

Partner Portal Shenanigans Fixed

It seems someone exploited a vulnerability in partner.microsoft.com, allowing unauthorized attackers to increase their access rights without breaking a sweat (CVE-2024-49035, CVSS 8.7 critical). The issue popped up in Microsoft Power Apps. Microsoft patched it server-side, so you are safe. Again, no user action required!

Azure PolicyWatch: Oops, No Authentication?

In what might feel like a "how-did-this-happen" moment, Azure PolicyWatch had a critical function completely lacking authentication (CVE-2024-49052, CVSS 8.2 critical). Attackers could exploit this to boost their privileges. Microsoft swooped in and applied the necessary server-side fix.

Dynamics 365 Sales: Watch Out for Sneaky Links

If you are using Dynamics 365 Sales, beware of a sneaky spoofing vulnerability (CVE-2024-49053, CVSS 7.6 high). Attackers could trick victims into clicking manipulated links, leading them to malicious websites. Good news: updates for iOS and Android apps are already live. Just make sure you are running Dynamics 365 Sales for iOS and Dynamics 365 Sales for Android versions 3.24104.15 or later. Head to your app store to double-check!

What’s Next?

Microsoft’s security team has been working overtime. Most fixes are already in place, and for the few requiring action, a quick update will do the trick.

The regular patch day took place on the night of November 13; the next one follows on the night of December 11.

About Author

I am an editor at UpdateStar. I started as a support engineer, and am now specialized in writing about general software topics from a usability and performance angle, among others. I telecommute from UpdateStar’s Berlin office when I am not working remotely as a digital nomad for UpdateStar.