Microsoft fixes a record 147 bugs in April Patch Tuesday release – Cyber Information

April’s Patch Tuesday was a record-breaker for Microsoft, with the software giant releasing patches for 147 vulnerabilities, more than researchers can recall ever seeing before in a single month.

While the huge dump of fixes has the potential to keep security teams busy, only three of the issues to be patched were rated as critical, and there were clusters of patches related to the same products.

This month’s list initially appeared to contain no zero-day vulnerabilities, but researchers were quick to correct this, pointing out to Microsoft that two of the bugs it fixed were being actively exploited.

Tenable senior staff research engineer Satnam Narang said the previous record for the most vulnerabilities patched in a month was in July 2023, when Microsoft addressed 130 CVEs.

The last time there were over 100 CVEs patched was October 2023, when Microsoft addressed 103.

Two exploited bugs patched

One of the zero-day vulnerabilities patched this month was a SmartScreen Prompt security feature bypass flaw, tracked as CVE-2024-29988. SmartScreen is a popup feature that warns users about running unknown files.

Dustin Childs of the Zero Day Initiative (ZDI) said in a post that the bug was found in the wild and reported by ZDI threat hunter Peter Girnus.

“We have evidence this is being exploited in the wild, and I’m listing it as such,” Childs said.

“The bug itself acts much like CVE-2024-21412 (which Microsoft patched in February) – it bypasses the Mark of the Web (MotW) feature and allows malware to execute on a target system.”

The other vulnerability already exploited in the wild was a proxy driver spoofing vulnerability (CVE-2024-26234) discovered by Sophos X-Ops.
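Mark of the Web is carried by an NTFS alternate data stream named `Zone.Identifier`, and SmartScreen decides whether to warn based on the `ZoneId` it holds; a bypass of the kind described above leaves a downloaded file with no stream or with a zone that does not trigger the prompt. The following is an added example, not code from the article, ZDI or Microsoft: it parses the stream format, classifies the zone, and reads the stream from a file on Windows. The sample stream contents, the `ZONE_NAMES` table layout and all function names are this example's own; the sample URLs are constructed.

```python
"""Parse and evaluate a Windows Mark of the Web (Zone.Identifier) stream.

Added example, not code from the article or from Microsoft. On NTFS, a file
downloaded from the internet carries an alternate data stream named
"Zone.Identifier" whose contents look like a small INI file; SmartScreen and
Office consult the ZoneId it holds. The sample stream below is constructed.
"""
import re
from typing import Optional

# Zone numbers used by the Windows URL security zones.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of a Zone.Identifier stream for a browser download.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://downloads.example.test/\r\n"
    "HostUrl=https://downloads.example.test/setup.exe\r\n"
)


def parse_zone_identifier(text: str) -> dict:
    """Return the key/value pairs from the [ZoneTransfer] section.

    Keys are lower-cased so lookups are case-insensitive; values are kept
    verbatim. Lines outside the [ZoneTransfer] section are ignored.
    """
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            in_section = m.group(1).lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def zone_id(fields: dict) -> Optional[int]:
    """ZoneId as an int, or None if absent or malformed."""
    value = fields.get("zoneid")
    if value is None or not value.isdigit():
        return None
    return int(value)


def is_internet_origin(text: str) -> bool:
    """True when the stream marks the file as coming from the Internet or
    Restricted zones (3 or 4), the zones SmartScreen treats as untrusted."""
    zid = zone_id(parse_zone_identifier(text))
    return zid is not None and zid >= 3


def read_motw(path: str) -> Optional[str]:
    """Read the Zone.Identifier stream of a file on Windows/NTFS.

    Returns None when the stream is missing: that is the state a MotW bypass
    leaves behind, and the state a defender wants to spot on a file that is
    known to have been downloaded. Non-NTFS filesystems never expose the stream.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


if __name__ == "__main__":
    fields = parse_zone_identifier(SAMPLE_STREAM)
    print(ZONE_NAMES.get(zone_id(fields)), fields.get("hosturl"))
```

On a Windows host, `read_motw(r"C:\Users\me\Downloads\setup.exe")` returns the raw stream (or `None`), and `is_internet_origin()` on that text tells you whether SmartScreen would have treated the file as an internet download; a downloaded file that returns `None` deserves a closer look.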

Three critical bugs in Defender for IoT

All three patches for flaws rated as critical on this month’s list were remote code execution vulnerabilities related to Microsoft Defender for IoT: CVE-2024-21322, CVE-2024-21323 and CVE-2024-29054.

“An authenticated attacker with file upload privileges could get arbitrary code execution through a path traversal vulnerability,” Childs said.

“They would need to upload specially crafted files to sensitive locations on the target. It’s not clear how likely this would be, but anything that targets your defensive tools should be taken seriously.”

Multiple SQL Server and Secure Boot flaws patched

One factor contributing to the record number of patches this month was that 40 were related to the same product: Microsoft SQL Server.

All 40 were given a “relatively high” CVSS score of 8.8, but were also listed by Microsoft as “Exploitation less likely,” said Immersive Labs senior director of threat research Kev Breen.

“The main issue is with the clients used to connect to an SQL server, not the server itself,” he said.

“[The less-likely exploitation rating] is probably due to the social engineering required by an attacker to exploit them. All of the reported vulnerabilities follow a similar pattern: for an attacker to gain code execution, they must convince an authenticated user within an organization to connect to a remote SQL server the attacker controls. While not impossible, this is unlikely to be exploited at scale by attackers.”
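Because these client-side bugs only fire when a user connects to a server the attacker controls, the observable a defender can alert on is an outbound connection on the SQL port to a host that is not a known database server. The following is an added example, not code from the article, Immersive Labs or Microsoft: it scans firewall-style egress log lines and flags SQL-port connections to destinations outside an allowlist. The `key=value` log format, the allowlist networks, the host and user names and the addresses (RFC 5737 documentation ranges for the outsiders) are all constructed for the example.

```python
"""Flag outbound SQL client connections to servers that are not on an allowlist.

Added example, not code from the article or from Microsoft or Immersive Labs.
The client-side SQL Server bugs need a user to connect to a server the attacker
controls, so an outbound connection on the SQL port to an unknown host is the
observable a defender can alert on. The log lines, the log format and the
allowlist below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

SQL_PORTS = {1433}  # default TDS port; add the named-instance ports your estate uses

# Constructed: approved SQL servers (hosts or networks) in this fictional estate.
ALLOWED_SQL_SERVERS = [
    ipaddress.ip_network("10.20.0.0/24"),   # database subnet
    ipaddress.ip_network("10.30.5.10/32"),  # reporting server
]

# Constructed firewall-style egress log lines; outsiders use RFC 5737 addresses.
SAMPLE_LOG = """\
2024-04-10T09:58:11Z host=ws01 user=alice proto=tcp dst=10.20.0.15 dport=1433 action=allow
2024-04-10T10:01:02Z host=ws01 user=alice proto=tcp dst=203.0.113.5 dport=1433 action=allow
2024-04-10T10:02:40Z host=ws07 user=bob proto=tcp dst=203.0.113.5 dport=443 action=allow
2024-04-10T10:03:09Z host=ws07 user=bob proto=tcp dst=10.30.5.10 dport=1433 action=allow
2024-04-10T10:05:55Z host=ws09 user=carol proto=tcp dst=198.51.100.7 dport=1433 action=deny
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    dst: str
    dport: int
    action: str


def parse_line(line: str) -> dict:
    """Split a 'timestamp key=value ...' line into a dict (timestamp under 'ts')."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def is_allowed_server(dst: str) -> bool:
    """True when dst is an IP address inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False  # hostnames are not resolved here; treat them as unknown
    return any(addr in net for net in ALLOWED_SQL_SERVERS)


def find_suspicious_sql_connections(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per connection to a SQL port whose destination is not allowlisted.

    Denied connections are reported too: a blocked attempt still shows that a
    user was steered toward an unknown server, which is worth investigating.
    """
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        f = parse_line(line)
        try:
            dport = int(f.get("dport", ""))
        except ValueError:
            continue  # malformed or missing port: not a TDS connection record
        if dport not in SQL_PORTS:
            continue
        dst = f.get("dst", "")
        if is_allowed_server(dst):
            continue
        alerts.append(Alert(f["ts"], f.get("host", "?"), f.get("user", "?"),
                            dst, dport, f.get("action", "?")))
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_sql_connections(SAMPLE_LOG.splitlines()):
        print(f"{a.timestamp} {a.user}@{a.host} -> {a.dst}:{a.dport} ({a.action})")
```

Run against the constructed log this yields two alerts: alice's allowed connection to 203.0.113.5 and carol's denied attempt toward 198.51.100.7; the 443 connection and the two connections to allowlisted servers are ignored. The allowlist approach is deliberate: a port-only rule would page on every legitimate database session, while an unknown destination on the SQL port is exactly the lure the quoted pattern requires.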

Microsoft addressed 24 vulnerabilities in Windows Secure Boot, a feature designed to block malware from being able to load when a machine is booting up. While the majority were rated “Exploitation less likely,” they were still noteworthy, according to Narang.

He pointed out that the last time Microsoft patched a Secure Boot flaw (CVE-2023-24932), in May 2023, it was subsequently exploited in the wild and linked to the BlackLotus UEFI bootkit malware.

“While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future,” Narang said.
