Microsoft Fixes 149 Flaws in Huge April Patch Release, Zero-Days Included


Microsoft has released security updates for April 2024 to fix a record 149 vulnerabilities, two of which are actively exploited in the wild.

Of the 149 flaws, three are rated critical, 142 are rated important, three are rated moderate and one is rated low in severity. The update comes on top of 21 vulnerabilities the company patched in its Chromium-based Edge browser after the release of the March 2024 Patch Tuesday fixes.

The two loopholes that have been actively exploited are:

  • CVE-2024-26234 (CVSS score: 6.7) – Proxy Driver Impersonation Vulnerability
  • CVE-2024-29988 (CVSS score: 8.8) – SmartScreen Prompt Security Feature Bypass Vulnerability

Although Microsoft’s own advisory provides no information about CVE-2024-26234, cybersecurity firm Sophos said it discovered a malicious executable (“Catalog.exe” or “Catalog Authentication Client Service”) in December 2023 that was signed with a valid Microsoft Windows Hardware Compatibility Publisher (WHCP) certificate.

Authenticode analysis of the binary revealed that the original requesting publisher was Hainan YouHu Technology Co. Ltd, which is also the publisher of another tool called LaiXi Android Screen Mirroring.

The latter is described as “marketing software… (which) can connect hundreds of mobile phones and control them in batches, and automate tasks such as batch tracking, rating and feedback.”

The purported authentication service contains a component called 3proxy, designed to monitor and intercept network traffic on an infected system, effectively acting as a backdoor.

“We have no evidence to suggest that LaiXi developers deliberately embedded the malicious file into their product, or that a malicious actor carried out a supply chain attack to insert it into the compile/build process of the LaiXi app,” said Andreas Klopsch, researcher at Sophos.

The cybersecurity company also said it has discovered several other variants of the backdoor in the wild since January 5, 2023, indicating that the campaign has been ongoing at least since then. Microsoft has since added the affected files to its revocation list.


The other security flaw reportedly under active attack is CVE-2024-29988, which – like CVE-2024-21412 and CVE-2023-36025 – allows attackers to bypass Microsoft Defender SmartScreen protections when a specially crafted file is opened.

“To exploit this security feature bypass vulnerability, an attacker would have to convince a user to launch malicious files using a launcher application that requests that no user interface be displayed,” Microsoft said.

“In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted file to exploit the remote code execution vulnerability.”

The Zero Day Initiative revealed that there is evidence that the flaw is being exploited in the wild, although Microsoft has labeled it with an “Exploitation More Likely” rating.

Another important vulnerability is CVE-2024-29990 (CVSS score: 9.0), an elevation of privilege vulnerability affecting the confidential container of the Microsoft Azure Kubernetes Service that could be exploited by unauthenticated attackers to steal credentials.

“An attacker can access the untrusted AKS Kubernetes node and AKS confidential container to take control of guests and confidential containers beyond the network stack it might be linked to,” Redmond said.

In total, this release stands out for resolving 68 remote code execution bugs, 31 privilege escalation bugs, 26 security feature bypasses, and six denial of service (DoS) bugs. Interestingly, 24 of the 26 security feature bypass vulnerabilities are related to Secure Boot.

“While none of these Secure Boot vulnerabilities discussed this month have been exploited in the wild, they are a reminder that flaws in Secure Boot persist and that we may see more Secure Boot-related malicious activity in the future,” said Satnam Narang, senior staff research engineer at Tenable, in a statement.

The disclosure comes as Microsoft has faced criticism for its security practices, with a recent report from the US Cyber Safety Review Board (CSRB) calling out the company for not doing enough to prevent an orchestrated cyberespionage campaign last year by a Chinese threat actor tracked as Storm-0558.

This also follows the company’s decision to publish data on the root causes of security vulnerabilities using the industry-standard Common Weakness Enumeration (CWE). It should be noted, however, that the change only applies to advisories published since March 2024.

“Adding CWE assessments to Microsoft security advisories helps identify the generic root cause of a vulnerability,” said Adam Barnett, principal software engineer at Rapid7, in a statement shared with The Hacker News.

“The CWE program recently updated its guidance on mapping CVEs to a CWE root cause. CWE trend analysis can help developers reduce future occurrences through improved Software Development Lifecycle (SDLC) workflows and testing, as well as helping defenders understand where to direct defense-in-depth and deployment hardening efforts for better ROI.”

In a related development, cybersecurity firm Varonis has detailed two methods attackers could adopt to bypass audit logs and avoid triggering download events when exfiltrating files from SharePoint.

The first approach takes advantage of SharePoint’s “Open in App” feature to access and download files, while the second uses the user agent of the Microsoft SkyDriveSync client to download files or even entire sites, with the resulting events miscategorized as file syncs instead of downloads.


Microsoft, which was informed of the issues in November 2023, has not yet released a patch, although the issues have been added to its backlog of pending fixes. In the meantime, organizations are advised to closely monitor their audit logs for suspicious access events, especially those that involve large volumes of file retrievals over a short period of time.
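As an added illustration of the monitoring advice above (this is example code, not from the article or from Varonis), the following Python flags users whose file-retrieval operations cluster inside a short window, counting the sync and access operations the described techniques produce alongside ordinary downloads. It assumes audit records exported one JSON object per line with CreationTime, Operation, UserId, UserAgent and ObjectId fields; the sample records are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Operations that mean a file left SharePoint: the plain download event plus the
# sync and "Open in App" access events that replace it in the described techniques.
RETRIEVAL_OPERATIONS = {"FileDownloaded", "FileSyncDownloadedFull",
                        "FileSyncDownloadedPartial", "FileAccessed"}

def parse_records(lines):
    """Parse one JSON audit record per line (assumed export format) and sort by time."""
    records = []
    for line in lines:
        if line.strip():
            rec = json.loads(line)
            rec["_ts"] = datetime.fromisoformat(rec["CreationTime"])
            records.append(rec)
    return sorted(records, key=lambda r: r["_ts"])

def find_bursts(records, window=timedelta(minutes=10), threshold=50):
    """Return {user: (count, first_ts, last_ts)} for users whose retrieval
    operations reach `threshold` inside any sliding window of length `window`."""
    recent, alerts = defaultdict(deque), {}
    for rec in records:
        if rec.get("Operation") not in RETRIEVAL_OPERATIONS:
            continue
        q = recent[rec["UserId"]]
        q.append(rec["_ts"])
        while rec["_ts"] - q[0] > window:   # evict events older than the window
            q.popleft()
        if len(q) >= threshold and len(q) > alerts.get(rec["UserId"], (0,))[0]:
            alerts[rec["UserId"]] = (len(q), q[0], q[-1])
    return alerts

def detect_sample():
    """Constructed sample: one user pulling 60 files as 'sync' events in five
    minutes, one user downloading three files over an hour."""
    base, lines = datetime(2024, 4, 10, 9, 0, 0), []
    for i in range(60):
        lines.append(json.dumps({"CreationTime": (base + timedelta(seconds=5 * i)).isoformat(),
                                 "Operation": "FileSyncDownloadedFull", "UserId": "alice@example.test",
                                 "UserAgent": "Microsoft SkyDriveSync",
                                 "ObjectId": f"https://example.test/sites/Finance/doc{i}.xlsx"}))
    for i in range(3):
        lines.append(json.dumps({"CreationTime": (base + timedelta(minutes=20 * i)).isoformat(),
                                 "Operation": "FileDownloaded", "UserId": "bob@example.test",
                                 "UserAgent": "Mozilla/5.0",
                                 "ObjectId": f"https://example.test/sites/Finance/report{i}.docx"}))
    return find_bursts(parse_records(lines))
```

The window and threshold are placeholders to tune against a tenant's normal sync volume, since the user agent alone cannot separate a genuine OneDrive client from a tool imitating it.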

“These techniques can bypass the detection and enforcement policies of traditional tools, such as cloud access security brokers, data loss prevention, and SIEMs, by masking downloads as access events and less suspicious timing,” said Eric Saraga.

Software fixes from other vendors

Besides Microsoft, security updates have also been released by other vendors in recent weeks to fix several vulnerabilities, including:


News Source :
Gn tech
