On Patch Tuesday on April 9, 2024, Microsoft provided several security updates to fix 147 vulnerabilities. Microsoft classifies three vulnerabilities in Microsoft Defender for IoT as critical and classifies all but two of the other vulnerabilities as high risk. According to Microsoft, none of the vulnerabilities have been exploited for attacks to date. However, this could change at any time. Trend Micro has also spotted ZDI exploit code in the wild.
Microsoft offers sparse details on the vulnerabilities for self-searching in its security update guide. Dustin Childs presents the topic of Update Tuesday much more clearly in the Trend Micro ZDI blog – always with an eye on admins who manage corporate networks. According to Dustin Childs, he doesn’t remember Microsoft ever patching as many security vulnerabilities in one month as it did this April.
The most important security vulnerabilities on Patch Day in April
| CVE | vulnerable software | Severity | Impact | exploited | known in advance |
|---|---|---|---|---|---|
| CVE-2024-29988 | Windows smart screen | high | SFB | yes (?) | no |
| CVE-2024-26257 | Office | high | RCE | no | no |
| CVE-2024-28925 and others | Windows, Secure Boot | high | SFB | no | no |
| CVE-2024-26221 and others | Windows, DNS | high | RCE | no | no |
SFB: Security Feature Bypass
The large number of vulnerabilities patched in April is due not least to a number of RCE (Remote Code Execution) vulnerabilities in the OLE DB driver for SQL Server (38), DHCP and DNS servers (9) and SFB vulnerabilities in Secure Boot (24). Although the updates for Secure Boot fix the errors, they still need to be activated with additional steps (KB5025885).
Browser updates
The latest security update for Edge is version 123.0.2420.81 from 4 April. It is based on Chromium 123.0.6312.106 and fixes several vulnerabilities in the Chromium base. The Microsoft developers have also fixed two Edge-specific security vulnerabilities.
Office vulnerabilities
Microsoft has closed two gaps in the products of its Office family, both of which are labelled as high risk. These include CVE-2024-26257, an RCE vulnerability in Excel. This affects Microsoft 365 Apps for Business and Office LTSC for Mac 2021 – Office for Mac traditionally receives security updates with some delay. The second vulnerability is a spoofing vulnerability (CVE-2024-26251) in Sharepoint Server. In addition, CVE-2024-20670 is a spoofing vulnerability in Outlook for Windows.
Vulnerabilities in Windows
The majority of the vulnerabilities, 91 this time, are spread across the various Windows versions (10 and newer as well as Server) for which Microsoft still offers security updates for all. Although Windows 7 and 8.1 are no longer mentioned in the security reports, they could still be vulnerable. If the system requirements allow it, you should switch to Windows 10 (22H2) or Windows 11 to continue receiving security updates.
0-day exploit in Windows or not?
In Microsoft’s information on the current Update Tuesday, there is no indication that any of the patched vulnerabilities are already being used in attacks or that exploit code for any of the vulnerabilities is in circulation. However, Dustin Childs notes in the ZDI blog that exploits for a vulnerability discovered by his colleague Peter Girrus have indeed been spotted in the wild.
This concerns the SFB (Security Feature Bypass) vulnerability CVE-2024-29988 in the Smart Screen Filter. It is similar to the vulnerability CVE-2024-21412 from February, which was exploited by the APT group Water Hydra (also known as Dark Casino) to inject malware. Exploitation of such a vulnerability means that Windows Defender does not mark a file downloaded from the Internet with the “Mark-of-the-Web” (MotW) attribute and therefore does not warn against opening the (potentially unsafe) file. This is therefore called a security feature bypass.
Critical IoT vulnerabilities
Microsoft only classifies three RCE vulnerabilities in Microsoft Defender for IoT (Internet of Things or Smart Home) as critical. These are supplemented by three EoP (Elevation of Privilege) vulnerabilities. It remains unclear how likely such an attack is at this point. However, you should take every possible attack on your lines of defense seriously.
Further reading: The best antivirus software we’ve tested
This article was translated from German to English and originally appeared on pcwelt.de.
