April’s Patch Tuesday Brings Record Number of Fixes – Krebs on Security

If only Patch Tuesdays happened rarely – like a rare total solar eclipse – instead of just creeping up on us every month like The Man in the Moon. Although, to be honest, it would be difficult for Microsoft to eclipse the number of vulnerabilities fixed in this month’s patch batch – a record 147 flaws in Windows and associated software.

Yes, you read that right. Microsoft today released updates to fix 147 security vulnerabilities in Windows, Office, Azure, .NET Framework, Visual Studio, SQL Server, DNS Server, Windows Defender, BitLocker, and Windows Secure Boot.

“This is Microsoft’s biggest release this year and the biggest since at least 2017,” said Dustin Childs of Trend Micro’s Zero Day Initiative (ZDI). “As far as I know, this is Microsoft’s biggest Patch Tuesday release ever.”

The average severity of most bugs tempers the volume of this month’s fixes. Only three of April’s vulnerabilities earned Microsoft’s highest “critical” rating, meaning they can be exploited by malware or malcontents to take remote control of unpatched systems without assistance from users.

Most of the flaws that Microsoft deems “most likely to be exploited” this month are marked as “important”, and generally involve bugs that require a little more user interaction (social engineering) but which can nevertheless result in system security circumvention, compromise, and theft of critical assets.

Ben McCarthy, senior cybersecurity engineer at Immersive Labs, drew attention to CVE-2024-20670, an Outlook for Windows spoofing vulnerability described as easy to exploit. This involves convincing a user to click on a malicious link in an email, which can then steal the user’s password hash and authenticate as the user in another Microsoft service.

Another interesting bug reported by McCarthy is CVE-2024-29063, which involves hardcoded credentials in Azure’s search backend infrastructure that could be gleaned by leveraging Azure AI Search.

“This, along with many other recent AI attacks, shows a potential new attack surface that we are just learning to mitigate against,” McCarthy said. “Microsoft has updated its backend and notified all affected customers about the credentials leak.”

CVE-2024-29988 is a weakness that allows attackers to bypass Windows SmartScreen, a technology designed by Microsoft to provide additional protections to end users against phishing and malware attacks. Childs said a ZDI researcher discovered that this vulnerability was being exploited in the wild, although Microsoft does not currently list CVE-2024-29988 as being exploited.

“I would treat this as nature until Microsoft clarifies,” Childs said. “The bug itself acts much like CVE-2024-21412 – a (zero-day threat from February) that bypassed the Mark of the Web functionality and allowed malware to run on a target system. Malicious actors send exploits in a compressed file to evade EDR/NDR detection, then use this bug (and others) to bypass Mark of the Web.”

Updated, 7:46 p.m. ET: A previous version of this story stated that no zero-day vulnerabilities had been patched this month. BleepingComputer reports that Microsoft has since confirmed that there are in fact two zero days. One is the flaw Childs just mentioned (CVE-2024-21412), and the other is CVE-2024-26234, described as a “proxy driver spoofing” weakness.

Satnam Narang at Tenable notes that this month’s release includes fixes for two dozen flaws in Windows Secure Boot, the majority of which are considered “Exploitation Less Likely” according to Microsoft.

“However, the last time Microsoft patched a flaw in Windows Secure Boot in May 2023, it had a notable impact as it was exploited in the wild and linked to the BlackLotus UEFI Boot Kit, sold on dark web forums for $5,000,” Narang said. “BlackLotus can bypass a feature called Secure Boot, which is designed to prevent malware from loading during startup. While none of these Secure Boot vulnerabilities discussed this month have been exploited in the wild, they are a reminder that flaws in Secure Boot persist and that we may see more Secure Boot-related malicious activity in the future.”

For links to individual security advisories indexed by severity, see the ZDI blog and the SANS Internet Storm Center’s Patch Tuesday publication. Please consider backing up your data or drive before updating, and drop a note in the comments here if you experience any issues applying these fixes.

Adobe today released nine patches addressing at least two dozen vulnerabilities in a range of software products, including Adobe After Effects, Photoshop, Commerce, InDesign, Experience Manager, Media Encoder, Bridge, Illustrator, and Adobe Animate.

KrebsOnSecurity needs to correct a point mentioned in the “Fat Patch Tuesday” post from late March, which examined new AI capabilities built into Adobe Acrobat that are enabled by default. Adobe has since clarified that its apps will not use AI to automatically analyze your documents, as the original language of its FAQ suggested.

“In practice, no document scanning or analysis takes place unless a user actively engages with the AI features by agreeing to the terms, opening a document, and selecting the AI Assistant or the generative summary buttons for that specific document,” Adobe said earlier this month.

News Source : krebsonsecurity.com