Two Zero-Days Fixed In Microsoft's Patch Tuesday Update
But no Exchange fixes this month
Microsoft's April 2024 Patch Tuesday fixes a total of 150 security flaws, including 67 remote code execution bugs and two zero-days. Unusually, though, there were no patches for Microsoft Exchange this month.
While it was another relatively quiet month for critical bugs, the update still contains plenty of issues for security teams to address.
Microsoft has issued patches for three critical remote code execution vulnerabilities (CVE-2024-29053, CVE-2024-21323 and CVE-2024-21322) in Defender for IoT, its Azure-based monitoring service for IoT and operational technology (OT) devices, as well as for three additional glitches classified as "important". According to Adam Barnett, lead software engineer at Rapid7, "the advisory for CVE-2024-21322 is light on detail, but notes that exploitation requires the attacker to have existing administrative access to the Defender for IoT web application; this limits the attacker value in isolation, although the potential for insider threat or use as part of an exploit chain remains."
SharePoint received a patch for CVE-2024-26251, addressing a spoofing vulnerability that abuses cross-site scripting. This vulnerability affects SharePoint Server 2016, 2019 and Subscription Edition. However, according to Barnett, the vulnerability is not easily exploited. "Exploitation requires multiple conditions to be met, including but not limited to a reliance on user actions, token impersonation, and specific application configuration."
The Microsoft OLE DB Driver for SQL Server receives patches for no fewer than 38 separate remote code execution (RCE) vulnerabilities, likely based on a common factor. "While at first glance, it may appear that Microsoft has called out a large number of vulnerabilities in its latest notes, 40 of them are all related to the same product – Microsoft SQL Server. The main issue is with the clients used to connect to an SQL server, not the server itself," said Kev Breen, senior director of threat research at Immersive Labs. "Despite the relatively high CVSS score of 8.8 these are all listed by Microsoft as 'exploitation less likely.' This is most likely due to the social engineering required by an attacker to exploit them."
Security teams looking for signs of exploitation should check for unusual SQL connection attempts from clients or block outbound connections except to trusted servers, he advised.
The update also includes a patch for CVE-2024-26257, a RCE vulnerability in Microsoft Excel. Attackers could exploit this vulnerability by sending a malicious Excel document to a user, according to Ben McCarthy, lead cyber security engineer at Immersive Labs, who emphasized the urgency of applying this fix. "This sort of vulnerability we see time and time again needs to be quickly patched by any company that uses Microsoft Office and especially Excel."
This month's Patch Tuesday update also contains fixes for 26 Secure Boot bypasses, including two from Lenovo. In addition, teams should "review their organization's response to the Secure Boot Security Feature Bypass (CVE-2023-24932) to ensure the newly added OS versions and previous versions are fully mitigated," according to Chris Goettl, VP of security products at Ivanti.
Satnam Narang, senior staff research engineer at Tenable, added: "While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future."
Perhaps the most urgent update is one to Windows Proxy Driver, which patches a zero-day vulnerability (CVE-2024-26234). Goettl recommends prioritizing this update, stating, "The Windows OS update includes a zero-day that has been publicly disclosed. This puts the OS update this month to the top of your priority list!"
The second zero-day fixed this month was CVE-2024-29988, a Microsoft Defender SmartScreen vulnerability which allows malicious attachments to bypass warnings when the file is opened.
"Exploitation is described as 'more likely' for this vulnerability, and that is because any attackers that utilize file download as part of their attack techniques for gaining initial access will want to find ways to bypass the security features such as SmartScreen," noted McCarthy.
This article originally appeared on our sister site Computing.