Thursday, November 21, 2024

Microsoft Fixes 149 Flaws in Huge April Patch Release, Zero-Days Included


Microsoft has released security updates for the month of April 2024 to remediate a record 149 flaws, two of which have come under active exploitation in the wild.

Of the 149 flaws, three are rated Critical, 142 are rated Important, three are rated Moderate, and one is rated Low in severity. The update is separate from the 21 vulnerabilities that the company addressed in its Chromium-based Edge browser following the release of the March 2024 Patch Tuesday fixes.

The two shortcomings that have come under active exploitation are below –

  • CVE-2024-26234 (CVSS score: 6.7) – Proxy Driver Spoofing Vulnerability
  • CVE-2024-29988 (CVSS score: 8.8) – SmartScreen Prompt Security Feature Bypass Vulnerability

While Microsoft's own advisory provides no information about CVE-2024-26234, cybersecurity firm Sophos said it discovered in December 2023 a malicious executable ("Catalog.exe" or "Catalog Authentication Client Service") that is signed by a valid Microsoft Windows Hardware Compatibility Publisher (WHCP) certificate.

Authenticode analysis of the binary revealed the original requesting publisher to be Hainan YouHu Technology Co. Ltd, which is also the publisher of another tool called LaiXi Android Screen Mirroring.

The latter is described as "a marketing software ... [that] can connect hundreds of mobile phones and control them in batches, and automate tasks like batch following, liking, and commenting."

Present within the purported authentication service is a component called 3proxy that is designed to monitor and intercept network traffic on an infected system, effectively acting as a backdoor.

"We have no evidence to suggest that the LaiXi developers deliberately embedded the malicious file into their product, or that a threat actor conducted a supply chain attack to insert it into the compilation/building process of the LaiXi application," Sophos researcher Andreas Klopsch said.

The cybersecurity company also said it discovered several other variants of the backdoor in the wild going all the way back to January 5, 2023, indicating that the campaign has been underway at least since then. Microsoft has since added the relevant files to its revocation list.
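The practical question the Sophos finding raises for defenders is how to spot WHCP-signed binaries on their own hosts and whether a signature still validates after Microsoft revokes it. The following PowerShell is an added example for this page, not code from the article, from Sophos or from Microsoft. It assumes a Windows host with PowerShell 5.1 or 7 and network access for online revocation checks; the sweep path and file extensions are placeholders. It inspects each binary's Authenticode signature, rebuilds the signer chain with revocation checking enabled, and reports leaf certificates issued under the Microsoft Windows Hardware Compatibility Publisher name together with any signature that is no longer Valid.

```powershell
# Added example, not code from the article or from Sophos. Assumes a Windows host
# with PowerShell 5.1 or 7 and network access for online revocation checks.
# Inspects a binary's Authenticode signature, walks the signer chain, and flags
# (a) leaf certificates issued under the Microsoft Windows Hardware Compatibility
# Publisher (WHCP) program and (b) signatures that no longer validate.
function Get-SignerReport {
    param([Parameter(Mandatory)] [string] $Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $report = [ordered]@{
        Path       = $Path
        Status     = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
        StatusText = $sig.StatusMessage
        Signer     = $null
        Issuer     = $null
        Chain      = @()
        IsWHCP     = $false
        Revoked    = $false
    }
    if ($null -eq $sig.SignerCertificate) { return [pscustomobject]$report }

    $cert = $sig.SignerCertificate
    $report.Signer = $cert.Subject
    $report.Issuer = $cert.Issuer

    # WHCP-signed components carry this publisher name on the leaf certificate. The
    # requesting publisher behind a WHCP submission (Hainan YouHu in the article) is
    # not in the leaf subject; that attribution needs deeper Authenticode analysis.
    $report.IsWHCP = $cert.Subject -like '*Microsoft Windows Hardware Compatibility Publisher*'

    # Rebuild the chain with online revocation checking so a certificate that has
    # since been revoked is reported instead of silently passing.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($cert)
    $report.Chain   = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    $revokedFlag    = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
    $report.Revoked = @($chain.ChainStatus | Where-Object { ($_.Status -band $revokedFlag) -ne 0 }).Count -gt 0
    $chain.Dispose()

    [pscustomobject]$report
}

# Sweep a directory tree and surface WHCP-signed, revoked or otherwise non-valid
# binaries first. The path is a placeholder; point it at wherever unknown
# "services" or marketing tools of the LaiXi kind were installed.
Get-ChildItem -Path 'C:\Program Files' -Recurse -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
    ForEach-Object { Get-SignerReport -Path $_.FullName } |
    Where-Object { $_.IsWHCP -or $_.Revoked -or $_.Status -ne 'Valid' } |
    Sort-Object Revoked, IsWHCP -Descending |
    Format-Table Path, Status, IsWHCP, Revoked, Signer -AutoSize
```

A WHCP leaf subject is not by itself evidence of anything malicious; the point of listing those files separately is that a legitimately WHCP-signed user-mode "service" bundling a proxy is exactly the pattern Sophos describes, and a revocation Microsoft applies per file rather than per certificate will not show up in the chain status, so the IsWHCP hits still need a hash check against whatever revocation mechanism Microsoft used.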


The other security flaw that has reportedly come under active attack is CVE-2024-29988, which – like CVE-2024-21412 and CVE-2023-36025 – allows attackers to sidestep Microsoft Defender SmartScreen protections when opening a specially crafted file.

"To exploit this security feature bypass vulnerability, an attacker would need to convince a user to launch malicious files using a launcher application that requests that no UI be shown," Microsoft said.

"In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted file that is designed to exploit the remote code execution vulnerability."

The Zero Day Initiative revealed that there is evidence of the flaw being exploited in the wild, although Microsoft has only tagged it with an "Exploitation More Likely" assessment.

Another vulnerability of note is CVE-2024-29990 (CVSS score: 9.0), an elevation of privilege flaw in Microsoft Azure Kubernetes Service Confidential Containers that could be exploited by unauthenticated attackers to steal credentials.

"An attacker can access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers beyond the network stack it might be bound to," Redmond said.

In all, the release is notable for addressing as many as 68 remote code execution, 31 privilege escalation, 26 security feature bypass, and six denial-of-service (DoS) bugs. Notably, 24 of the 26 security feature bypass flaws are related to Secure Boot.

"While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future," Satnam Narang, senior staff research engineer at Tenable, said in a statement.

The disclosure comes as Microsoft has faced criticism for its security practices, with a recent report from the U.S. Cyber Safety Review Board (CSRB) calling out the company for not doing enough to prevent a cyber espionage campaign orchestrated by a Chinese threat actor tracked as Storm-0558 last year.

It also follows the company's decision to publish root cause data for security flaws using the Common Weakness Enumeration (CWE) industry standard. However, the change only applies to advisories published from March 2024 onward.

"The addition of CWE assessments to Microsoft security advisories helps pinpoint the generic root cause of a vulnerability," Adam Barnett, lead software engineer at Rapid7, said in a statement shared with The Hacker News.

"The CWE program has recently updated its guidance on mapping CVEs to a CWE Root Cause. Analysis of CWE trends can help developers reduce future occurrences through improved Software Development Life Cycle (SDLC) workflows and testing, as well as helping defenders understand where to direct defense-in-depth and deployment-hardening efforts for best return on investment."

In a related development, cybersecurity firm Varonis detailed two techniques that attackers could adopt to circumvent audit logs and avoid triggering download events while exfiltrating files from SharePoint.

The first approach takes advantage of SharePoint's "Open in App" feature to access and download files, while the second uses the User-Agent of the Microsoft SkyDriveSync client to download files or even entire sites while having such events logged as file syncs instead of downloads.


Microsoft, which was made aware of the issues in November 2023, has yet to release a fix, although they have been added to its patch backlog program. In the interim, organizations are advised to closely monitor their audit logs for suspicious access events, particularly those involving large volumes of file downloads within a short period.

"These techniques can bypass the detection and enforcement policies of traditional tools, such as cloud access security brokers, data loss prevention, and SIEMs, by hiding downloads as less suspicious access and sync events," Eric Saraga said.
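The monitoring advice above only works if the detection does not key on the FileDownloaded operation name, since both techniques are designed to avoid producing it. The following PowerShell is an added example for this page, not code from the article or from Varonis. It assumes records in the shape of the Microsoft 365 unified audit log's AuditData JSON (CreationTime, Operation, UserId, ClientIP, UserAgent, ObjectId), as returned by Search-UnifiedAuditLog from the ExchangeOnlineManagement module or exported from the portal; the sample records, user names, addresses and thresholds are constructed for the example. It counts download-equivalent events per user in a sliding time window, treating sync downloads and plain FileAccessed events as downloads, and reports how much of each burst was logged under the SkyDriveSync user agent or as "access" rather than "download".

```powershell
# Added example, not code from the article or from Varonis. Assumes records in the
# shape of the Microsoft 365 unified audit log's AuditData JSON (CreationTime,
# Operation, UserId, ClientIP, UserAgent, ObjectId), e.g. as returned by
# Search-UnifiedAuditLog (ExchangeOnlineManagement) or exported from the portal.
function Find-HiddenDownloadBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $Threshold     = 50,    # tune to the tenant's normal sync volume
        [int] $WindowMinutes = 10
    )
    # Operations that move file content to the client even when nothing is logged as FileDownloaded.
    $downloadLike = 'FileDownloaded', 'FileSyncDownloadedFull', 'FileSyncDownloadedPartial', 'FileAccessed'
    $alerts = @()

    $byUser = $Records | Where-Object { $_.Operation -in $downloadLike } | Group-Object UserId
    foreach ($group in $byUser) {
        $events = @($group.Group | Sort-Object { [datetime]$_.CreationTime })
        $times  = @($events | ForEach-Object { [datetime]$_.CreationTime })
        $start  = 0
        for ($i = 0; $i -lt $times.Count; $i++) {
            # Advance the window's left edge until it spans at most $WindowMinutes.
            while (($times[$i] - $times[$start]).TotalMinutes -gt $WindowMinutes) { $start++ }
            $count = $i - $start + 1
            if ($count -ge $Threshold) {
                $slice   = $events[$start..$i]
                $alerts += [pscustomobject]@{
                    UserId      = $group.Name
                    WindowStart = $times[$start]
                    WindowEnd   = $times[$i]
                    Events      = $count
                    SyncUA      = @($slice | Where-Object { $_.UserAgent -like '*SkyDriveSync*' }).Count
                    OpenInApp   = @($slice | Where-Object { $_.Operation -eq 'FileAccessed' }).Count
                    ClientIPs   = (@($slice.ClientIP) | Sort-Object -Unique) -join ','
                }
                break   # one alert per user is enough for triage; remove to list every burst
            }
        }
    }
    $alerts
}

# Constructed sample (no real tenant, users or addresses): alice pulls eight files in
# under a minute through a client presenting the SkyDriveSync user agent, so every
# event is logged as a sync rather than a download; bob opens two files an hour apart.
$sample = @()
foreach ($n in 1..8) {
    $sample += [pscustomobject]@{
        CreationTime = '2024-04-09T10:00:{0:D2}' -f ($n * 5)
        Operation    = 'FileSyncDownloadedFull'
        UserId       = 'alice@contoso.example'
        ClientIP     = '203.0.113.10'
        UserAgent    = 'Microsoft SkyDriveSync 24.000.0000.0000 ship; Windows NT 10.0'
        ObjectId     = "https://contoso.sharepoint.com/sites/finance/Shared Documents/report-$n.xlsx"
    }
}
$sample += [pscustomobject]@{ CreationTime = '2024-04-09T09:00:00'; Operation = 'FileAccessed'; UserId = 'bob@contoso.example'; ClientIP = '198.51.100.7'; UserAgent = 'Mozilla/5.0'; ObjectId = 'https://contoso.sharepoint.com/sites/hr/Shared Documents/policy.docx' }
$sample += [pscustomobject]@{ CreationTime = '2024-04-09T10:00:00'; Operation = 'FileAccessed'; UserId = 'bob@contoso.example'; ClientIP = '198.51.100.7'; UserAgent = 'Mozilla/5.0'; ObjectId = 'https://contoso.sharepoint.com/sites/hr/Shared Documents/handbook.docx' }

# Threshold lowered for the tiny sample; alice is reported, bob is not.
Find-HiddenDownloadBursts -Records $sample -Threshold 5 -WindowMinutes 10 | Format-Table -AutoSize
```

When feeding real Search-UnifiedAuditLog output, each result carries the record as a JSON string in its AuditData property, so pipe it through ConvertFrom-Json before passing it to the function. The SyncUA and OpenInApp columns are what distinguish the two Varonis techniques from a user who genuinely clicked Download many times, and the ClientIPs column makes a burst that claims to be the OneDrive sync client but originates from an address no sync client has used before stand out for follow-up.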

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —
