Microsoft has released the latest Patch Tuesday update, addressing a large number of vulnerabilities across various products and services. The Microsoft Patch Tuesday April 2024 encompasses a total of 147 new Microsoft CVEs, marking a notable increase compared to previous months.
For the second consecutive month, Microsoft highlights that there have been no prior public disclosures or instances of exploitation in the wild for any of the vulnerabilities addressed in this update. However, it’s essential to note that after the initial release, Microsoft updated the advisory for CVE-2024-26234 to acknowledge in-the-wild exploitation and public disclosure of the exploit.
Among the vulnerabilities addressed, only three are classified as critical under Microsoft’s proprietary severity scale. Notably, five browser vulnerabilities have been published separately this month and are not included in the total count.
Microsoft Patch Tuesday April 2024: All Major Vulnerabilities and Fixes
This Patch Tuesday release prioritizes the mitigation of critical vulnerabilities, underlining the urgency for users to promptly install the provided patches. Looking at the total count of vulnerabilities, the severity of the addressed issues demands immediate attention and action.
In a conversation with TCE, Satnam Narang, Senior Staff Research Engineer, Tenable, shared insights into the CVE’s reported in this year’s Patch Tuesday. Talking about the rise of the total number of CVE’s, Narang said, “Microsoft patched 147 CVEs in April, the largest number of CVEs patched in a month since we began tracking this data in 2017. The last time there were over 100 CVEs patched was October 2023, when Microsoft addressed 103 CVEs.
Talking about Windows Secure Boot (CVE-2023-24932), Narang, stated that the vulnerability had a “notable impact as it was exploited in the wild and linked to the BlackLotus UEFI bootkit, which was sold on dark web forums for $5,000.” This bootkit has the ability to circumvent Secure Boot, a feature intended to prevent malware from loading during the boot-up process.
Moreover, since 2024, only two zero-day vulnerabilities have been exploited, a significant decrease compared to the seven seen at this time last year. The reasons behind this decline remain unclear, prompting speculation about attacker tactics and visibility issues. Additionally, this month’s release tackles 24 vulnerabilities in Windows Secure Boot, with most deemed “Exploitation Less Likely”.
Windows Proxy Driver Vulnerability: CVE-2024-26234
CVE-2024-26234, a zero-day spoofing vulnerability in the Windows Proxy Driver, was initially disclosed without Microsoft’s acknowledgment of in-the-wild exploitation or public exploit disclosure.
However, Microsoft later updated the advisory on the same day of publication to recognize both instances. The advisory lacks detailed information about the exploit but highlights it as a proxy spoofing vulnerability.
Patches for supported Windows versions are available to address this issue.
Defender for IoT Critical RCEs Vulnerability: CVE-2024-21322, CVE-2024-21323, and CVE-2024-29053
Microsoft Defender for IoT addresses three critical remote code execution (RCE) vulnerabilities. The advisory for CVE-2024-21322 mentions that exploitation requires existing administrative access to the web application, limiting the attacker’s value in isolation.
CVE-2024-21323 involves an update-based attack, requiring prior authentication, which could lead to the installation of malicious update packages. CVE-2024-29053 enables arbitrary file upload for authenticated users, exploiting a path traversal weakness.
The release notes for Defender for IoT 24.1.3 omit these security fixes, emphasizing the importance of timely patching.
SharePoint XSS Spoofing: CVE-2024-26251
SharePoint Server 2016, 2019, and Subscription Editions are patched for CVE-2024-26251, addressing a spoofing vulnerability exploiting cross-site scripting (XSS).
While Microsoft possesses mature exploit code, exploitation is deemed less likely due to the necessity of meeting multiple conditions, including user actions, token impersonation, and specific application configurations.
Excel Arbitrary File Execution: CVE-2024-26257
Microsoft addresses a single Office vulnerability, CVE-2024-26257, which exposes a remote code execution (RCE) risk in Excel. Exploitation necessitates the user opening a specially crafted malicious file.
Immediate patches are available for Windows-based click-to-run (C2R) Office deployments and Microsoft 365 Apps for Enterprise.
However, as is not uncommon, a patch for Office for Mac is currently unavailable and will be released at an unspecified future date.
SQL Server OLE DB Driver RCEs
The Microsoft OLE DB Driver for SQL Server receives patches for a staggering 38 separate remote code execution (RCE) vulnerabilities, possibly setting a record for a single component.
These vulnerabilities share a common theme: attackers could exploit them by deceiving users into connecting to a malicious SQL server, resulting in code execution within the client’s context.
Microsoft Patch Tuesday April 2024: Enhancements and Lifecycle Updates
Microsoft enhances transparency in vulnerability reporting by introducing two new data points on advisories: Common Weakness Enumeration (CWE) and Vector String Source assessments. This shift aims to provide clearer insights into the nature and source of vulnerabilities addressed.
By adopting CWE as a standard for Microsoft CVEs, the company aims to facilitate more effective discussions about finding and mitigating weaknesses in software and hardware. This initiative aligns with Microsoft’s Secure Future Initiative (SFI) goals and emphasizes the importance of systematic understanding and mitigation of vulnerabilities.
Additionally, several Microsoft products, including Azure DevOps Server 2019, System Center 2019, and Visual Studio 2019, have moved past the end of mainstream support, highlighting the need for users to upgrade to supported versions for continued security updates and support.
Other Noteworthy Vulnerabilities
Apart from the above-mentioned vulnerabilities, Microsoft Patch Tuesday April 2024 fixes other critical vulnerabilities, including vulnerabilities that were previously rumored to be exploited in the wild. The Windows DNS Server Remote Code Execution Vulnerability, SmartScreen Prompt Security Feature Bypass Vulnerability, and Windows Spoofing Vulnerability are some of the main highlights of this year’s Microsoft Patch Tuesday.
CVE-2024-26221
CVE-2024-26221 is a Windows DNS Server Remote Code Execution Vulnerability. This vulnerability enables remote code execution on affected DNS servers when the attacker possesses the necessary privileges to query the server.
Successful exploitation relies on the precise timing of DNS queries, allowing the attacker to execute arbitrary code on the target server. While not explicitly stated, code execution likely occurs at the elevated level of the DNS service.
CVE-2024-20670
Outlook for Windows Spoofing Vulnerability is categorized as a spoofing bug, yet its exploitation leads to information disclosure, specifically NTLM hashes. This information could be exploited for spoofing targeted users.
Activation of this vulnerability requires user interaction, such as clicking on an email element, with the Preview Pane deemed safe.
Given Outlook’s extensive user base, threat actors may target this vulnerability in the future, especially considering recent NTLM relaying bugs.
CVE-2024-20678
Remote Procedure Call (RPC) Runtime Remote Code Execution Vulnerability, draws attention due to the long history of RPC exploits observed in the wild.
Although authentication is necessary, elevated permissions are not required, allowing any authenticated user to exploit it. However, it remains unclear if Guest or anonymous users can trigger this vulnerability.
Approximately 1.3 million systems with TCP port 135 exposed to the internet potentially face exploitation.
CVE-2024-29988
Identified as a SmartScreen Prompt Security Feature Bypass Vulnerability, the CVE-2024-29988 presents a peculiar case as it was discovered by a ZDI threat researcher in the wild, despite Microsoft not listing it as exploited.
The vulnerability resembles CVE-2024-21412, circumventing the Mark of the Web (MotW) feature to enable malware execution on a system. Threat actors exploit this by distributing exploits within zipped files to evade detection by EDR/NDR systems, leveraging this bug to bypass MotW restrictions.
Non-Microsoft CVEs
Microsoft is reissuing six non-Microsoft CVEs, originally issued by different entities. These include CVE-2022-0001 from Intel Corporation and three CVEs related to Windows Secure Boot from Lenovo: CVE-2024-23593, and CVE-2024-23594.
| CNA | Tag | CVE | FAQs? | Workarounds? | Mitigations? |
| Intel Corporation | Intel | CVE-2022-0001 | Yes | No | No |
| Lenovo | Windows Secure Boot | CVE-2024-23593 | Yes | No | No |
| Lenovo | Windows Secure Boot | CVE-2024-23594 | Yes | No | No |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2024-3156 | Yes | No | No |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2024-3158 | Yes | No | No |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2024-3159 | Yes | No | No |
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
