There are 149 flaws in the April Patch Release

Precise News

Microsoft has released security updates for the month of April 2024 to remediate a record 149 flaws, two of which have come under active exploitation in the wild.
Of the 149 flaws, three are rated Critical, 142 are rated Important, three are rated Moderate, and one is rated Low in severity.
The update is separate from the 21 vulnerabilities that the company addressed in its Chromium-based Edge browser following the release of the March 2024 Patch Tuesday fixes.
“To exploit this security feature bypass vulnerability, an attacker would need to convince a user to launch malicious files using a launcher application that requests that no UI be shown,” Microsoft said.
In all, the release is notable for addressing as many as 68 remote code execution, 31 privilege escalation, 26 security feature bypass, and six denial-of-service (DoS) bugs.
Interestingly, 24 of the 26 security bypass flaws are related to Secure Boot.
It also follows the company’s decision to publish root cause data for security flaws using the Common Weakness Enumeration (CWE) industry standard.
Microsoft, which was made aware of the SharePoint issues in November 2023, has yet to release a fix, although they have been added to its patch backlog program.

NEUTRAL

For the month of April 2024, Microsoft has made security updates available to address 149 vulnerabilities in total, two of which are being actively exploited in the wild.

Out of the 149 defects, one is classified as having a low severity, three are classified as critical, 142 as important, and three as moderate. The update is separate from the 21 vulnerabilities that the company fixed in its Edge browser, which runs on Chromium, after the March 2024 Patch Tuesday fixes were made available.

Below are the two weaknesses that have been actively exploited.

CVE-2024-26234 – Proxy Driver Spoofing Vulnerability (CVSS score: 6.7).

CVE-2024-29988 – SmartScreen Prompt Security Feature Bypass Vulnerability (CVSS score: 8.8).

Although Microsoft’s own advisory contains no information regarding CVE-2024-26234, cybersecurity company Sophos reported that it found a malicious executable (“Catalog.exe,” or “Catalog Authentication Client Service”) that is signed with a valid Microsoft Windows Hardware Compatibility Publisher (WHCP) certificate.

Authenticode analysis of the binary identified the original requesting publisher as Hainan YouHu Technology Co. Ltd, the company that also publishes another tool, LaiXi Android Screen Mirroring.

Sophos describes the latter as marketing software that “has the ability to link hundreds of smartphones, control them in groups, and automate processes like batch liking, batch following, and batch commenting.”

Embedded in the purported authentication service is a component known as 3proxy, which acts as a backdoor by monitoring and intercepting network traffic on compromised systems.

“There is no proof that the malicious file was purposefully incorporated into the LaiXi application by its developers, or that a threat actor used a supply chain attack to introduce it during the application’s compilation or building process,” Sophos researcher Andreas Klopsch stated.

The cybersecurity company also found several other variants of the backdoor in the wild dating back to January 5, 2023, suggesting that the campaign has been active at least since then. Microsoft has since added the relevant files to its revocation list.

According to reports, CVE-2024-29988 is another security flaw that is being actively exploited. Similar to CVE-2024-21412 and CVE-2023-36025, it enables attackers to circumvent Microsoft Defender Smartscreen protections by opening a specially crafted file.

“An attacker would need to persuade a user to launch malicious files using a launcher application that requests that no UI be shown in order to exploit this security feature bypass vulnerability,” according to Microsoft.

“In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted file that is designed to exploit the remote code execution vulnerability.”

The Zero Day Initiative has discovered evidence of the vulnerability being used in the wild, even though Microsoft’s own assessment classifies it only as “Exploitation More Likely.”

CVE-2024-29990 (CVSS score: 9.0) is another critical vulnerability that affects Microsoft Azure Kubernetes Service Confidential Container. It is an elevation of privilege flaw that could be used by unauthorized attackers to obtain credentials.

“Confidential guests and containers beyond the network stack it might be bound to can be taken over by an attacker through access to the untrusted AKS Kubernetes node and AKS Confidential Container,” according to Redmond.

Overall, the release is notable for addressing 68 remote code execution, 31 privilege escalation, 26 security feature bypass, and six denial-of-service (DoS) bugs. Remarkably, 24 of the 26 security feature bypass vulnerabilities are related to Secure Boot.

“Even though the Secure Boot vulnerabilities that were addressed this month were not used in the wild, they still serve as a warning that these flaws still exist, and we may see more malicious activity associated with Secure Boot in the future,” said Tenable’s senior staff research engineer Satnam Narang in a statement.

The release comes shortly after a U.S. government report criticized the company’s security practices: the Cyber Safety Review Board (CSRB) called out Microsoft for not doing enough to prevent a cyber espionage campaign last year by a Chinese threat actor tracked as Storm-0558.

It also follows the company’s decision to publish root cause data for security flaws using the Common Weakness Enumeration (CWE) industry standard. It is worth noting, though, that the change only applies to advisories issued after March 2024.

Adam Barnett, lead software engineer at Rapid7, stated in a statement shared with The Hacker News that “the addition of CWE assessments to Microsoft security advisories helps pinpoint the generic root cause of a vulnerability.”

“The CWE program has recently updated its guidance on mapping CVEs to a CWE Root Cause. Analysis of CWE trends can help developers reduce future occurrences through improved Software Development Life Cycle (SDLC) workflows and testing, as well as helping defenders understand where to direct defense-in-depth and deployment-hardening efforts for best return on investment.”

In a related development, the cybersecurity company Varonis described two strategies that attackers could use to get around audit logs and prevent download events from happening when they steal files from SharePoint.

Utilizing SharePoint’s “Open in App” function, the first method accesses and downloads files, while the second misclassifies certain events as file syncs rather than downloads by downloading files or even entire websites using the User-Agent for Microsoft SkyDriveSync.

Although the problems have been added to Microsoft’s patch backlog program, the company has not yet released a fix despite being made aware of them in November 2023. While waiting for more information, it is advised that organizations keep a careful eye on their audit logs for any unusual access events, especially those involving a lot of files being downloaded quickly.

“By disguising downloads as less suspicious access and sync events, these techniques can evade the detection and enforcement policies of traditional tools, such as cloud access security brokers, data loss prevention, and SIEMs,” said Eric Saraga.
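As an added example (not code from the article, Varonis, or Microsoft) of the audit-log monitoring the passage recommends, the script below runs two checks over constructed SharePoint audit records: sync-classified downloads whose User-Agent claims to be SkyDriveSync, and users touching many distinct files in a short window, since “Open in App” reads are logged as access rather than download. The record field names are assumed to mirror the Microsoft 365 unified audit log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Microsoft 365 unified audit log
# entries for SharePoint; the field names (Operation, UserAgent, UserId,
# ObjectId, CreationTime) are an assumption, not quoted from the article.
def _rec(sec, user, op, name, ua):
    return {"CreationTime": f"2024-04-10T09:00:{sec:02d}", "UserId": user,
            "Operation": op, "UserAgent": ua,
            "ObjectId": f"https://contoso.sharepoint.com/sites/hr/{name}"}

BROWSER = "Mozilla/5.0 (Windows NT 10.0) Chrome/123.0"
SYNC_UA = "Microsoft SkyDriveSync 24.0"   # the User-Agent the sync-disguise technique forges

SAMPLE_LOG = (
    [_rec(1, "alice@example.com", "FileDownloaded", "a.docx", BROWSER)]      # benign single download
    + [_rec(5 + i, "bob@example.com", "FileSyncDownloadedFull", f"b{i}.xlsx", SYNC_UA)
       for i in range(6)]                                                     # downloads disguised as sync
    + [_rec(10 + i, "carol@example.com", "FileAccessed", f"c{i}.pdf", BROWSER)
       for i in range(7)]                                                     # burst of "Open in App" reads
)

SYNC_OPS = {"FileSyncDownloadedFull", "FileSyncDownloadedPartial"}
ACCESS_OPS = {"FileAccessed", "FileDownloaded"} | SYNC_OPS

def disguised_sync_events(records):
    """Sync-classified downloads whose User-Agent claims to be the SkyDriveSync client."""
    return [r for r in records
            if r["Operation"] in SYNC_OPS and "SkyDriveSync" in r.get("UserAgent", "")]

def burst_users(records, threshold=5, window=timedelta(minutes=2)):
    """Map user -> largest number of distinct files touched within any `window`,
    reported only for users exceeding `threshold`; FileAccessed counts too."""
    per_user = defaultdict(list)
    for r in records:
        if r["Operation"] in ACCESS_OPS:
            per_user[r["UserId"]].append((datetime.fromisoformat(r["CreationTime"]), r["ObjectId"]))
    flagged = {}
    for user, events in per_user.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            files = {obj for t, obj in events[i:] if t - t0 <= window}
            if len(files) > threshold:
                flagged[user] = max(flagged.get(user, 0), len(files))
    return flagged

if __name__ == "__main__":
    for r in disguised_sync_events(SAMPLE_LOG):
        print("forged sync User-Agent:", r["UserId"], r["ObjectId"])
    print("burst users:", burst_users(SAMPLE_LOG))
```

Tune `threshold` and `window` to the tenant's normal behaviour; a real deployment would read exported audit JSON instead of the embedded sample.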

Software Patches from Other Vendors

In addition to Microsoft, other vendors have released security updates over the past few weeks to address a number of vulnerabilities, including:

Adobe

AMD

Android

Apache XML Security for C++

Aruba Networks

Atos

Bosch

Cisco

D-Link

Dell

Drupal

F5

Fortinet

Intra

GitLab

Google Chrome

Google Cloud Platform

Google Pixel

Hikvision

Hitachi Energy

HQ

HP Enterprise

HTTP/2

Apple

Ivanti

Jenkins

HP

LG webOS

Linux distributions: Ubuntu, Red Hat, SUSE, Oracle Linux, and Debian

MediaTek

Mozilla Thunderbird, Firefox, and Firefox ESR

NETGEAR

NVIDIA

QuickLogic

Rockwell Automation

Rust

Lenovo

SAP

Schneider Electric

Siemens

Splunk

Synology

VMware

WordPress

Zoom
