Microsoft has released security updates for the month of April 2024 to fix a record number of 149 flaws, two of which were actively exploited in the wild.
Of the 149 defects, three are classified as critical, 142 as major, three as moderate, and one as low severity. The update excludes 21 vulnerabilities that the company fixed in its Chromium-based Edge browser following the release of the March 2024 Patch Tuesday fixes.
The two shortcomings that have been actively exploited are listed below:
- CVE-2024-26234 (CVSS Score: 6.7) – Proxy driver spoofing vulnerability
- CVE-2024-29988 (CVSS Score: 8.8) – SmartScreen Prompt Security Feature Bypass Vulnerability
While Microsoft’s advisory does not provide information about CVE-2024-26234, cybersecurity firm Sophos said it discovered in December 2023 a malicious executable (“Catalog.exe” or “Catalog Authentication Client Service”) signed by a valid certified Microsoft Windows Hardware Compatibility Publisher (WHCP).
Authenticode analysis of the binary revealed that the original requesting publisher is Hainan YouHu Technology Co. Ltd, which is also the publisher of another tool called LaiXi Android Screen Mirroring.
The latter is described as “a marketing software… [that] can connect hundreds of mobile phones and control them in batches and automate tasks such as batch following, liking and commenting.”
Inside the alleged authentication service is a component called 3proxy designed to monitor and intercept network traffic on an infected system, effectively acting as a backdoor.
“We have no evidence to suggest that LaiXi developers deliberately embedded the malicious file into their product, or that a threat actor conducted a supply chain attack to insert it into the LaiXi application build/build process,” he said. said Sophos researcher Andreas Klopsch. .
The cybersecurity firm also said it discovered numerous other backdoor variants in circulation dating back to January 5, 2023, indicating that the campaign has been ongoing at least since then. Microsoft has since added the relevant files to its revocation list.
The other security flaw that is reportedly being actively attacked is CVE-2024-29988, which, like CVE-2024-21412 and CVE-2023-36025, allows attackers to bypass Microsoft Defender Smartscreen protections when opening a specially prepared file.
“To exploit this security feature to bypass the vulnerability, an attacker would have to convince a user to launch malicious files using a startup application that requires no user interface to be shown,” Microsoft said.
“In an email or instant message attack scenario, an attacker could send the targeted user a specially crafted file designed to exploit the remote code execution vulnerability.”
The Zero Day Initiative revealed that there is evidence that the flaw is being exploited en masse, although Microsoft has labeled it with an “Exploitation More Likely” rating.
Another notable vulnerability is CVE-2024-29990 (CVSS score: 9.0), an elevation of privilege flaw affecting the Microsoft Azure Kubernetes Service confidential container that could be exploited by unauthenticated attackers to steal credentials.
“An attacker can gain access to the untrusted AKS Kubernetes node and AKS Confidential container to take control of guests and confidential containers beyond the network stack to which it may be bound,” Redmond said.
Overall, the release is notable for fixing up to 68 remote code executions, 31 privilege escalations, 26 security feature bypasses, and six Denial-of-Service (DoS) bugs. Interestingly, 24 of the 26 security bypass flaws are related to Secure Boot.
“While none of these Secure Boot vulnerabilities addressed this month have been exploited in the wild, they serve as a reminder that flaws in Secure Boot persist and that we may see more malicious activity related to Secure Boot in the future,” Satnam Narang, senior staff research engineer at Tenable, it said in a statement.
The disclosure comes as Microsoft has faced criticism for its security practices, with a recent report from the US Cyber Safety Review Board (CSRB) calling out the company for not doing enough to prevent a cyber espionage campaign orchestrated by a Chinese threat actor identified as Storm -0558 last year.
This also follows the company’s decision to publish data on the root causes of security flaws using the industry standard Common Weakness Enumeration (CWE). However, it is worth noting that the changes only come into effect from notices published from March 2024.
“Adding CWE assessments to Microsoft security advisories helps pinpoint the generic root cause of a vulnerability,” said Adam Barnett, lead software engineer at Rapid7, in a statement shared with The Hacker News.
“The CWE program recently updated its guidance on mapping CVEs to a CWE root cause. CWE trend analysis can help developers mitigate future events through improved software development lifecycle testing and workflows (SDLC), as well as helping defenders understand where to direct defense-in-depth and distribution hardening efforts for the best return on investment.”
In a related development, cybersecurity firm Varonis detailed two methods attackers could employ to bypass audit logs and avoid triggering download events when exfiltrating files from SharePoint.
The first approach takes advantage of SharePoint’s “Open in App” feature to access and download files, while the second uses the User Agent for Microsoft SkyDriveSync to download files or even entire sites by misclassifying such events as file syncs rather than downloads.
Microsoft, which was made aware of the problems in November 2023, has not yet released a fix, although it has been added to its patch backlog. In the meantime, organizations are advised to carefully monitor their audit logs for suspicious access events, especially those involving large volumes of file downloads over a short period.
“These techniques can bypass the detection and enforcement policies of traditional tools, such as cloud access security brokers, data loss prevention, and SIEMs, by hiding downloads as less suspicious login and sync events,” he said. stated Eric Saraga.
Software patches from other vendors
In addition to Microsoft, security updates from other vendors have also been released in recent weeks to fix several vulnerabilities, including: