Microsoft released its security updates for April 2024, addressing 149 security flaws, 67 of which were remote code execution (RCE) vulnerabilities.
Three of the 149 were rated critical; all three are RCE vulnerabilities in Microsoft Defender for IoT.
Microsoft also revised the entries for two vulnerabilities to reflect that they are being exploited in the wild.
Of the 149 fixes, 67 address RCE vulnerabilities, and more than half of those sit in Microsoft SQL drivers (the ODBC and OLE DB drivers for SQL Server), a concentration that has drawn comment from security practitioners.
Leonarda Granda, solution architect lead at Vicarius, said this suggests the flaws stem from a common vulnerability, noting that only three were listed as critical and warning security administrators not to be complacent in their patching procedures.
“In particular, more than half of the remote code execution flaws reside in Microsoft SQL drivers, pointing to a possible shared vulnerability. Among them, only three are considered critical and involve patches for RCE attacks on Windows IoT devices. However, this is more complex than it may seem.”
Granda described how these flaws could manifest in security incidents in a small or medium-sized business with more than 200 assets to protect, highlighting the importance of safeguarding an organization's critical systems.
“Consider a single SME that owns more than 200 assets; every month, they must address more than 100 vulnerabilities associated with Microsoft alone,” Granda said.
“When you consider IoT devices, which are often located in remote areas and have limited visibility to IT administrators, it becomes even easier for a hacker to find a single vulnerability in these exposed assets with just a simple Shodan query.”
“This security update from Microsoft serves as a reminder that protecting IoT devices from attacks is absolutely critical to protecting user privacy. The top priority at this time is to ensure the security of critical systems and maintain the integrity of networks and data.”
Microsoft updates two zero-day vulnerabilities exploited in the wild
Microsoft updates two zero-day attacks exploited in the wild
Microsoft had to update its entries for two zero-day vulnerabilities that were initially listed as not actively exploited after threat researchers from Trend Micro and Sophos shared evidence demonstrating exploitation.
The vulnerabilities in question, CVE-2024-26234 and CVE-2024-29988, are rated medium and high severity respectively, with CVSS scores of 6.7 and 8.8.
CVE-2024-26234 is a proxy driver spoofing vulnerability: a malicious driver that carries a valid Microsoft Hardware Publisher signature, so Windows loads it without complaint.
In a blog post detailing the CVE, Sophos X-Ops said it first spotted the driver in December 2023 and found that the file's metadata attempted to impersonate the global IT company Thales Group.
Sophos said the file was bundled with LaiXi, an Android screen-mirroring application, and that its researchers were confident the file was a malicious backdoor.
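A check a Windows administrator might run after reading this, added here as an example rather than anything Sophos or Microsoft published: list the running kernel drivers, who signed each one, and which vendor the file's own version resource claims. Drivers that went through Microsoft's hardware program carry the "Microsoft Windows Hardware Compatibility Publisher" signature regardless of who submitted them, so the signature alone says nothing about the submitter; the claimed company name is the field to compare against what you expect on the box. It assumes an elevated PowerShell 5.1 or later session on Windows; the function and column names are this example's own.

```powershell
# Added example, not code from the article or from Sophos. Assumes an elevated
# PowerShell 5.1+ session on Windows; driver paths come from Win32_SystemDriver.
function Get-DriverSignerReport {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may be stored as \??\C:\... or \SystemRoot\...; turn it into a Win32 path
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
            if (-not (Test-Path -LiteralPath $path)) { return }

            # Authenticode result for the driver image. Inbox drivers are usually
            # catalog-signed and may show as NotSigned on older builds; the embedded-signed
            # third-party drivers are the ones worth reading closely.
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $info = (Get-Item -LiteralPath $path).VersionInfo
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

            [pscustomobject]@{
                Service        = $_.Name
                Path           = $path
                SigStatus      = $sig.Status
                Signer         = $signer
                ClaimedCompany = $info.CompanyName   # what the file says about itself
                Description    = $info.FileDescription
            }
        }
}

# Keep only drivers signed through the hardware program and sort by the vendor the file
# claims to come from; an unfamiliar company on a machine that never had that hardware
# is the thing to chase.
Get-DriverSignerReport |
    Where-Object { $_.Signer -like '*Windows Hardware Compatibility Publisher*' } |
    Sort-Object ClaimedCompany |
    Format-Table Service, ClaimedCompany, Description, SigStatus -AutoSize
```

The report deliberately does not try to decide which vendors are legitimate: that depends on the hardware and software inventory of the host, which is exactly what an impersonated vendor name is designed to blend into.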
Meanwhile, CVE-2024-29988 is a SmartScreen Prompt security feature bypass vulnerability that, if exploited, lets an attacker sidestep Microsoft Defender SmartScreen's warnings.
A researcher at Trend Micro's Zero Day Initiative (ZDI) reportedly found that the vulnerability was being exploited in the wild, despite Microsoft initially stating that the flaw was not under active exploitation.
In a blog post summarizing the April security updates, Dustin Childs, head of threat awareness at ZDI, said the flaw behaves very similarly to another SmartScreen vulnerability disclosed in February 2024.
“The bug itself acts very similar to CVE-2024-21412: it bypasses the Mark of the Web (MotW) feature and allows malware to execute on a target system. Threat actors send exploits in a compressed file to evade EDR/NDR detection and then use this bug (and others) to avoid MotW.”
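The attack chain Childs describes depends on files reaching the user without a Mark of the Web, whether because a bug stripped it or because the tool that unpacked the archive never wrote it. On NTFS the mark is simply a Zone.Identifier alternate data stream, so it can be audited. The following is an added example, not code from ZDI or the article: it walks a folder, reads each file's Zone.Identifier stream, and reports which files carry an Internet or Restricted zone (ZoneId 3 or 4) and which carry nothing. It assumes Windows, an NTFS volume and PowerShell 5.1 or later; the function name and the two demo files it creates under %TEMP% are this example's own.

```powershell
# Added example, not code from ZDI or the article. Assumes Windows, NTFS and
# PowerShell 5.1+; Get-MotwStatus and the demo files are constructed for this example.
function Get-MotwStatus {
    param(
        [Parameter(Mandatory)][string]$Path
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $zoneId = $null
        # The Zone.Identifier alternate data stream is the on-disk form of Mark of the Web.
        $stream = Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($stream) {
            $lines = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier
            $line  = $lines | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
            if ($line -and $line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
        }
        [pscustomobject]@{
            File    = $_.FullName
            ZoneId  = $zoneId                                  # $null when no stream exists
            HasMotW = ($null -ne $zoneId -and $zoneId -ge 3)   # 3 = Internet, 4 = Restricted
        }
    }
}

# Constructed demo: one file stamped the way a browser download would be, one left bare
# the way a payload extracted by a tool that does not propagate the mark would look.
$dir = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -LiteralPath (Join-Path $dir 'downloaded.exe') -Value 'MZ'
Set-Content -LiteralPath (Join-Path $dir 'downloaded.exe') -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Set-Content -LiteralPath (Join-Path $dir 'extracted.exe') -Value 'MZ'

Get-MotwStatus -Path $dir | Format-Table -AutoSize
# Expected: downloaded.exe ZoneId 3, HasMotW True; extracted.exe ZoneId empty, HasMotW False
```

Point the function at a user's Downloads folder or at the directory an archive was unpacked into. Explorer's built-in zip extraction propagates the mark to extracted files, but not every third-party archiver does, so a batch of fresh executables with no Zone.Identifier stream is worth a closer look even before any SmartScreen bypass is involved.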