Login
Microsoft today released updates to fix at least 90 security vulnerabilities in Windows and related software, including a whopping six zero-day flaws that are already being actively exploited by attackers.
Image: Shutterstock.
This monthโs bundle of update joy from Redmond includes patches for security holes in Office, .NET, Visual Studio, Azure, Co-Pilot, Microsoft Dynamics, Teams, Secure Boot, and of course Windows itself. Of the six zero-day weaknesses Microsoft addressed this month, half are local privilege escalation vulnerabilities โ meaning they are primarily useful for attackers when combined with other flaws or access.
CVE-2024-38106, CVE-2024-38107 and CVE-2024-38193 all allow an attacker to gain SYSTEM level privileges on a vulnerable machine, although the vulnerabilities reside in different parts of the Windows operating system.
Microsoftโs advisories include little information about the last two privilege escalation flaws, other than to note they are being actively exploited. Microsoft says CVE-2024-38106 exists in the Windows Kernel and is being actively exploited, but that it has a high โattack complexity,โ meaning it can be tricky for malware or miscreants to exploit reliably.
โMicrosoft lists exploit complexity as high due to the attacker needing to win a race condition,โ Trend Microโs ZeroDay Initiative (ZDI) noted. โHowever, some races are easier to run than others. Itโs times like this where the CVSS can be misleading. Race conditions do lead to complexity high in the CVSS score, but with attacks in the wild, itโs clear this bug is readily exploitable.โ
Another zero-day this month is CVE-2024-38178, a remote code execution flaw that exists when the built-in Windows Edge browser is operating in โInternet Explorer Mode.โ IE mode is not on by default in Edge, but it can be enabled to work with older websites or applications that arenโt supported by modern Chromium-based browsers.
โWhile this is not the default mode for most users, this exploit being actively exploited suggests that there are occasions in which the attacker can set this or has identified an organization (or user) that has this configuration,โ wrote Kev Breen, senior director of threat research at Immersive Labs.
CVE-2024-38213 is a zero-day flaw that allows malware to bypass the โMark of the Web,โ a security feature in Windows that marks files downloaded from the Internet as untrusted (this Windows Smartscreen feature is responsible for the โWindows protected your PCโ popup that appears when opening files downloaded from the Web).
โThis vulnerability is not exploitable on its own and is typically seen as part of an exploit chain, for example, modifying a malicious document or exe file to include this bypass before sending the file via email or distributing on compromised websites,โ Breen said.
The final zero-day this month is CVE-2024-38189, a remote code execution flaw in Microsoft Project. However, Microsoft and multiple security firms point out that this vulnerability only works on customers who have already disabled notifications about the security risks of running VBA Macros in Microsoft Project (not the best idea, as malware has a long history of hiding within malicious Office Macros).
Separately, Adobe today released 11 security bulletins addressing at least 71 security vulnerabilities across a range of products, including Adobe Illustrator, Dimension, Photoshop, InDesign, Acrobat and Reader, Bridge, Substance 3D Stager, Commerce, InCopy, and Substance 3D Sampler/Substance 3D Designer. Adobe says it is not aware of active exploitation against any of the flaws it fixed this week.
Itโs a good idea for Windows users to stay current with security updates from Microsoft, which can quickly pile up otherwise. That doesnโt mean you have to install them on Patch Tuesday each month. Indeed, waiting a day or three before updating is a sane response, given that sometimes updates go awry and usually within a few days Microsoft has fixed any issues with its patches. Itโs also smart to back up your data and/or image your Windows drive before applying new updates.
For a more detailed breakdown of the individual flaws addressed by Microsoft today, check out theย SANS Internet Storm Centerโs list. For those admins responsible for maintaining larger Windows environments, it pays to keep an eye on Askwoody.com, which frequently points out when specific Microsoft updates are creating problems for a number of users.
If only Patch Tuesdays came around infrequently โ like total solar eclipse rare โ instead of just creeping up on us each month like The Man in the Moon. Although to be fair, it would be tough for Microsoft to eclipse the number of vulnerabilities fixed in this monthโs patch batch โ a record 147 flaws in Windows and related software.
Yes, you read that right. Microsoft today released updates to address 147 security holes in Windows, Office, Azure, .NET Framework, Visual Studio, SQL Server, DNS Server, Windows Defender, Bitlocker, and Windows Secure Boot.
โThis is the largest release from Microsoft this year and the largest since at least 2017,โ said Dustin Childs, from Trend Microโs Zero Day Initiative (ZDI). โAs far as I can tell, itโs the largest Patch Tuesday release from Microsoft of all time.โ
Tempering the sheer volume of this monthโs patches is the middling severity of many of the bugs. Only three of Aprilโs vulnerabilities earned Microsoftโs most-dire โcriticalโ rating, meaning they can be abused by malware or malcontents to take remote control over unpatched systems with no help from users.
Most of the flaws that Microsoft deems โmore likely to be exploitedโ this month are marked as โimportant,โ which usually involve bugs that require a bit more user interaction (social engineering) but which nevertheless can result in system security bypass, compromise, and the theft of critical assets.
Ben McCarthy, lead cyber security engineer at Immersive Labs called attention to CVE-2024-20670, an Outlook for Windows spoofing vulnerability described as being easy to exploit. It involves convincing a user to click on a malicious link in an email, which can then steal the userโs password hash and authenticate as the user in another Microsoft service.
Another interesting bug McCarthy pointed to is CVE-2024-29063, which involves hard-coded credentials in Azureโs search backend infrastructure that could be gleaned by taking advantage of Azure AI search.
โThis along with many other AI attacks in recent news shows a potential new attack surface that we are just learning how to mitigate against,โ McCarthy said. โMicrosoft has updated their backend and notified any customers who have been affected by the credential leakage.โ
CVE-2024-29988 is a weakness that allows attackers to bypass Windows SmartScreen, a technology Microsoft designed to provide additional protections for end users against phishing and malware attacks. Childs said one of ZDIโs researchers found this vulnerability being exploited in the wild, although Microsoft doesnโt currently list CVE-2024-29988 as being exploited.
โI would treat this as in the wild until Microsoft clarifies,โ Childs said. โThe bug itself acts much like CVE-2024-21412 โ a [zero-day threat from February] that bypassed the Mark of the Web feature and allows malware to execute on a target system. Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass Mark of the Web.โ
Update, 7:46 p.m. ET: A previous version of this story said there were no zero-day vulnerabilities fixed this month. BleepingComputer reports that Microsoft has since confirmed that there are actually two zero-days. One is the flaw Childs just mentioned (CVE-2024-21412), and the other is CVE-2024-26234, described as a โproxy driver spoofingโ weakness.
Satnam Narang at Tenable notes that this monthโs release includes fixes for two dozen flaws in Windows Secure Boot, the majority of which are considered โExploitation Less Likelyโ according to Microsoft.
โHowever, the last time Microsoft patched a flaw in Windows Secure Boot in May 2023 had a notable impact as it was exploited in the wild and linked to the BlackLotus UEFI bootkit, which was sold on dark web forums for $5,000,โ Narang said. โBlackLotus can bypass functionality called secure boot, which is designed to block malware from being able to load when booting up. While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future.โ
For links to individual security advisories indexed by severity, check out ZDIโs blog and the Patch Tuesday post from the SANS Internet Storm Center. Please consider backing up your data or your drive before updating, and drop a note in the comments here if you experience any issues applying these fixes.
Adobe today released nine patches tackling at least two dozen vulnerabilities in a range of software products, including Adobe After Effects, Photoshop, Commerce, InDesign, Experience Manager, Media Encoder, Bridge, Illustrator, and Adobe Animate.
KrebsOnSecurity needs to correct the record on a point mentioned at the end of Marchโs โFat Patch Tuesdayโ post, which looked at new AI capabilities built into Adobe Acrobat that are turned on by default. Adobe has since clarified that its apps wonโt use AI to auto-scan your documents, as the original language in its FAQ suggested.
โIn practice, no document scanning or analysis occurs unless a user actively engages with the AI features by agreeing to the terms, opening a document, and selecting the AI Assistant or generative summary buttons for that specific document,โ Adobe said earlier this month.
Article tags
FreshRSS