
Microsoft’s Latest Security Updates for April 2024: What You Need to Know

Microsoft has once again rolled out its monthly security updates, this time for the month of April 2024. This release addresses a staggering 149 flaws, setting a new record for the number of vulnerabilities remediated in a single update. Among these vulnerabilities, two have been identified as actively exploited in the wild, making this update particularly critical for users and organizations alike.


Of the 149 flaws, three are classified as Critical, 142 as Important, three as Moderate, and one as Low in severity. This comprehensive update is in addition to the 21 vulnerabilities addressed in Microsoft’s Chromium-based Edge browser following the March 2024 Patch Tuesday fixes.


The two vulnerabilities currently under active exploitation are:


CVE-2024-26234 (CVSS score: 6.7) – Proxy Driver Spoofing Vulnerability

CVE-2024-29988 (CVSS score: 8.8) – SmartScreen Prompt Security Feature Bypass Vulnerability

While Microsoft’s advisory provides limited information about CVE-2024-26234, cybersecurity firm Sophos has shed some light on the matter. In December 2023, Sophos discovered a malicious executable signed by a valid Microsoft Windows Hardware Compatibility Publisher certificate. This executable, named “Catalog.exe” or “Catalog Authentication Client Service,” was found to contain a component called 3proxy, which acts as a backdoor, intercepting network traffic on infected systems. While the origins of this malicious file remain unclear, it underscores the importance of remaining vigilant against potential supply chain attacks.


CVE-2024-29988, on the other hand, allows attackers to bypass Microsoft Defender SmartScreen protections, posing a significant risk to users. Exploitation of this vulnerability requires convincing a user to launch malicious files using a launcher application that requests no UI be shown. Evidence of exploitation in the wild has prompted Microsoft to tag this vulnerability with an “Exploitation More Likely” assessment.


“The addition of CWE assessments to Microsoft security advisories helps pinpoint the generic root cause of a vulnerability,” Adam Barnett, lead software engineer at Rapid7, said in a statement shared with The Hacker News.


“The CWE program has recently updated its guidance on mapping CVEs to a CWE Root Cause. Analysis of CWE trends can help developers reduce future occurrences through improved Software Development Life Cycle (SDLC) workflows and testing, as well as helping defenders understand where to direct defense-in-depth and deployment-hardening efforts for best return on investment.”


Another noteworthy vulnerability addressed in this update is CVE-2024-29990, an elevation of privilege flaw impacting Microsoft Azure Kubernetes Service Confidential Container. This flaw could be exploited by unauthenticated attackers to steal credentials and gain unauthorized access to confidential containers, posing a serious risk to organizations leveraging Azure Kubernetes Service.


In total, this release addresses a wide range of vulnerabilities, including 68 remote code execution flaws, 31 privilege escalation flaws, 26 security feature bypass flaws, and six denial-of-service bugs. Of particular concern are the 26 security bypass flaws related to Secure Boot, highlighting the persistent challenges in securing this critical component of the boot process.


The release of these security updates comes at a critical time for Microsoft, as the company faces scrutiny for its security practices. A recent report from the U.S. Cyber Safety Review Board (CSRB) criticized Microsoft for its handling of a cyber espionage campaign orchestrated by a Chinese threat actor in 2023. In response to these concerns, Microsoft has begun publishing root cause data for security flaws using the Common Weakness Enumeration (CWE) industry standard, providing greater transparency and insight into the underlying causes of vulnerabilities.


In addition to Microsoft’s updates, other vendors have also released security patches to address various vulnerabilities. These patches are essential for maintaining the security and integrity of systems and should be applied promptly to mitigate the risk of exploitation by malicious actors.


As organizations navigate the evolving threat landscape, it’s imperative to stay informed about the latest security updates and take proactive measures to safeguard against potential threats. By prioritizing patch management and adopting a comprehensive approach to cybersecurity, organizations can effectively mitigate risk and protect against emerging threats in an increasingly digital world.


“These techniques can bypass the detection and enforcement policies of traditional tools, such as cloud access security brokers, data loss prevention, and SIEMs, by hiding downloads as less suspicious access and sync events,” Eric Saraga said.


Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —


Adobe

AMD

Android

Apache XML Security for C++

Aruba Networks

Atos

Bosch

Cisco

D-Link

Dell

Drupal

F5

Fortinet

Fortra

GitLab

Google Chrome

Google Cloud

Google Pixel

Hikvision

Hitachi Energy

HP

HP Enterprise

HTTP/2

IBM

Ivanti

Jenkins

Lenovo

LG webOS

Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu

MediaTek

Mozilla Firefox, Firefox ESR, and Thunderbird

NETGEAR

NVIDIA

Qualcomm

Rockwell Automation

Rust

Samsung

SAP

Schneider Electric

Siemens

Splunk

Synology

VMware

WordPress, and

Zoom


