This month’s Patch Tuesday has been released with security updates for 150 flaws and sixty-seven remote code execution bugs. This update addressed three critical vulnerabilities, but there's a concerning number of over sixty-seven remote code execution (RCE) bugs. Most of these RCE flaws are discovered within Microsoft SQL drivers, suggesting a shared issue.
Additionally, this month's updates include fixes for twenty-six Secure Boot bypasses, with two of them originating from Lenovo.
Below are the number of bugs in each vulnerability category:
- 31 Elevation of Privilege Vulnerabilities
- 29 Security Feature Bypass Vulnerabilities
- 67 Remote Code Execution Vulnerabilities
- 13 Information Disclosure Vulnerabilities
- 7 Denial of Service Vulnerabilities
- 3 Spoofing Vulnerabilities
The total number of 150 flaws doesn't cover 5 Microsoft Edge flaws resolved on April 4th and 2 Mariner flaws. Mariner, an open-source Linux distribution by Microsoft, is designed for Microsoft Azure services.
Two zero-day vulnerabilities addressed
During this month's Patch Tuesday, two zero-day vulnerabilities were resolved, which were actively exploited in malware attacks.
Initially, Microsoft didn't classify these zero days as actively exploited. Since then other IT security companies have provided insights into how they were actively exploited in attacks.
Below is a brief overview of the zero days.
CVE-2024-26234 - Proxy Driver Spoofing Vulnerability
This CVE is linked to a malicious driver that carries a legitimate Microsoft Hardware Publisher Certificate.
This driver was employed to install a previously exposed backdoor.
Previous drivers reported to Microsoft didn't receive a CVE; instead, an advisory was issued.
It's uncertain why a CVE was assigned to this driver today, unless it's because it was signed with a valid Microsoft Hardware Publisher Certificate.
CVE-2024-29988 - Security Flaw in SmartScreen Prompts
CVE-2024-29988 is a bypass that circumvents the security patch for the CVE-2024-21412 flaw (which is also a patch bypass for CVE-2023-36025). This flaw enables attachments to evade Microsoft Defender SmartScreen prompts when opened.
The financially motivated Water Hydra hacking group utilised this vulnerability in spear-phishing attacks targeting forex trading forums and stock trading Telegram channels. These attacks deployed the DarkMe remote access trojan (RAT).
Additionally, researchers uncovered two zero-day vulnerabilities in Microsoft SharePoint, making it more challenging to detect when files are downloaded from servers.
Approach 1: "Open in App" Approach
The initial method involves leveraging the code that activates the "open in app" functionality within SharePoint. This allows for accessing and downloading files while leaving only an access event in the file's audit log. It can be carried out manually or automated using a PowerShell script, facilitating the swift extraction of numerous files.
Approach 2: SkyDriveSync User-Agent
The second method utilises the User-Agent associated with Microsoft SkyDriveSync. By employing this User-Agent, files or entire sites can be downloaded, with the events inaccurately labelled as file syncs rather than downloads.
Microsoft hasn't allocated CVE identifiers to these two vulnerabilities. They've been included in the list of issues awaiting patching, but there's no specified timeframe for when they'll be addressed.
April 2024 Patch Tuesday Security Updates
For a detailed list including descriptions of each vulnerability and the systems they impact, you can refer to the complete report available here.
