Microsoft Fixes 149 Flaws in Huge April Patch Release, Zero-Days Included

Cyber Security

Microsoft has released security updates for the month of April 2024 to remediate a record 149 flaws, two of which have come under active exploitation in the wild.

Of the 149 flaws, three are rated Critical, 142 are rated Important, three are rated Moderate, and one is rated Low in severity. The update is aside from 21 vulnerabilities that the company addressed in its Chromium-based Edge browser following the release of the March 2024 Patch Tuesday fixes.

The two shortcomings that have come under active exploitation are below –

  • CVE-2024-26234 (CVSS score: 6.7) – Proxy Driver Spoofing Vulnerability
  • CVE-2024-29988 (CVSS score: 8.8) – SmartScreen Prompt Security Feature Bypass Vulnerability

While Microsoft’s own advisory provides no information about CVE-2024-26234, cybersecurity firm Sophos said it discovered in December 2023 a malicious executable (“Catalog.exe” or “Catalog Authentication Client Service”) that’s signed by a valid Microsoft Windows Hardware Compatibility Publisher (WHCP) certificate.

Authenticode analysis of the binary has revealed the original requesting publisher to Hainan YouHu Technology Co. Ltd, which is also the publisher of another tool called LaiXi Android Screen Mirroring.

The latter is described as “a marketing software … [that] can connect hundreds of mobile phones and control them in batches, and automate tasks like batch following, liking, and commenting.”

Present within the purported authentication service is a component called 3proxy that’s designed to monitor and intercept network traffic on an infected system, effectively acting as a backdoor.

“We have no evidence to suggest that the LaiXi developers deliberately embedded the malicious file into their product, or that a threat actor conducted a supply chain attack to insert it into the compilation/building process of the LaiXi application,” Sophos researcher Andreas Klopsch said.

The cybersecurity company also said it discovered multiple other variants of the backdoor in the wild going all the way back to January 5, 2023, indicating that the campaign has been underway at least since then. Microsoft has since added the relevant files to its revocation list.

The other security flaw that has reportedly come under active attack is CVE-2024-29988, which – like CVE-2024-21412 and CVE-2023-36025 – allows attackers to sidestep Microsoft Defender Smartscreen protections when opening a specially crafted file.

“To exploit this security feature bypass vulnerability, an attacker would need to convince a user to launch malicious files using a launcher application that requests that no UI be shown,” Microsoft said.

“In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted file that is designed to exploit the remote code execution vulnerability.”

The Zero Day Initiative revealed that there is evidence of the flaw being exploited in the wild, although Microsoft has tagged it with an “Exploitation More Likely” assessment.

Another vulnerability of importance is CVE-2024-29990 (CVSS score: 9.0), an elevation of privilege flaw impacting Microsoft Azure Kubernetes Service Confidential Container that could be exploited by unauthenticated attackers to steal credentials.

“An attacker can access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers beyond the network stack it might be bound to,” Redmond said.

In all, the release is notable for addressing as many as 68 remote code execution, 31 privilege escalation, 26 security feature bypass, and six denial-of-service (DoS) bugs. Interestingly, 24 of the 26 security bypass flaws are related to Secure Boot.

“While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future,” Satnam Narang, senior staff research engineer at Tenable, said in a statement.

The disclosure comes as Microsoft has faced criticism for its security practices, with a recent report from the U.S. Cyber Safety Review Board (CSRB) calling out the company for not doing enough to prevent a cyber espionage campaign orchestrated by a Chinese threat actor tracked as Storm-0558 last year.

It also follows the company’s decision to publish root cause data for security flaws using the Common Weakness Enumeration (CWE) industry standard. However, it’s worth noting that the changes are only in effect starting from advisories published since March 2024.

“The addition of CWE assessments to Microsoft security advisories helps pinpoint the generic root cause of a vulnerability,” Adam Barnett, lead software engineer at Rapid7, said in a statement shared with The Hacker News.

“The CWE program has recently updated its guidance on mapping CVEs to a CWE Root Cause. Analysis of CWE trends can help developers reduce future occurrences through improved Software Development Life Cycle (SDLC) workflows and testing, as well as helping defenders understand where to direct defense-in-depth and deployment-hardening efforts for best return on investment.”

In a related development, cybersecurity firm Varonis detailed two methods that attackers could adopt to circumvent audit logs and avoid triggering download events while exfiltrating files from SharePoint.

The first approach takes advantage of SharePoint’s “Open in App” feature to access and download files, whereas the second uses the User-Agent for Microsoft SkyDriveSync to download files or even entire sites while miscategorizing such events as file syncs instead of downloads.

Microsoft, which was made aware of the issues in November 2023, has yet to release a fix, although they have been added to their patch backlog program. In the interim, organizations are recommended to closely monitor their audit logs for suspicious access events, specifically those that involve large volumes of file downloads within a short period.

“These techniques can bypass the detection and enforcement policies of traditional tools, such as cloud access security brokers, data loss prevention, and SIEMs, by hiding downloads as less suspicious access and sync events,” Eric Saraga said.

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.