Microsoft has released security updates for the month of April 2024 to remediate a record 149 flaws, two of which have come under active exploitation in the wild.
Of the 149 flaws, three are rated Critical, 142 are rated Important, three are rated Moderate, and one is rated Low in severity. The update is separate from the 21 vulnerabilities that the company addressed in its Chromium-based Edge browser following the release of the March 2024 Patch Tuesday fixes.
The two shortcomings that have come under active exploitation are listed below:
- CVE-2024-26234 (CVSS score: 6.7) – Proxy Driver Spoofing Vulnerability
- CVE-2024-29988 (CVSS score: 8.8) – SmartScreen Prompt Security Feature Bypass Vulnerability
While Microsoft's own advisory provides no information about CVE-2024-26234, cybersecurity firm Sophos said it discovered in December 2023 a malicious executable ("Catalog.exe" or "Catalog Authentication Client Service") that is signed by a valid Microsoft Windows Hardware Compatibility Publisher (WHCP) certificate.
Authenticode analysis of the binary revealed the original requesting publisher to be Hainan YouHu Technology Co. Ltd, which is also the publisher of another tool called LaiXi Android Screen Mirroring.
The latter is described as "a marketing software … [that] can connect hundreds of mobile phones and control them in batches, and automate tasks like batch following, liking, and commenting."
Present within the purported authentication service is a component called 3proxy that is designed to monitor and intercept network traffic on an infected system, effectively acting as a backdoor.
"We have no evidence to suggest that the LaiXi developers deliberately embedded the malicious file into their product, or that a threat actor conducted a supply chain attack to insert it into the compilation/building process of the LaiXi application," Sophos researcher Andreas Klopsch said.
The cybersecurity company also said it discovered several other variants of the backdoor in the wild going all the way back to January 5, 2023, indicating that the campaign has been underway at least since then. Microsoft has since added the relevant files to its revocation list.
The other security flaw that has reportedly come under active attack is CVE-2024-29988, which – like CVE-2024-21412 and CVE-2023-36025 – allows attackers to sidestep Microsoft Defender SmartScreen protections when opening a specially crafted file.
"To exploit this security feature bypass vulnerability, an attacker would need to convince a user to launch malicious files using a launcher application that requests that no UI be shown," Microsoft said.
"In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted file that is designed to exploit the remote code execution vulnerability."
The Zero Day Initiative revealed that there is evidence of the flaw being exploited in the wild, although Microsoft has tagged it with an "Exploitation More Likely" assessment.
Another vulnerability of note is CVE-2024-29990 (CVSS score: 9.0), an elevation of privilege flaw impacting Microsoft Azure Kubernetes Service Confidential Container that could be exploited by unauthenticated attackers to steal credentials.
"An attacker can access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers beyond the network stack it might be bound to," Redmond said.
In all, the release is notable for addressing as many as 68 remote code execution, 31 privilege escalation, 26 security feature bypass, and six denial-of-service (DoS) bugs. Interestingly, 24 of the 26 security feature bypass flaws are related to Secure Boot.
"While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future," Satnam Narang, senior staff research engineer at Tenable, said in a statement.
The disclosure comes as Microsoft has faced criticism for its security practices, with a recent report from the U.S. Cyber Safety Review Board (CSRB) calling out the company for not doing enough to prevent a cyber espionage campaign orchestrated by a Chinese threat actor tracked as Storm-0558 last year.
It also follows the company's decision to publish root cause data for security flaws using the Common Weakness Enumeration (CWE) industry standard. However, it is worth noting that the change only applies to advisories published since March 2024.
"The addition of CWE assessments to Microsoft security advisories helps pinpoint the generic root cause of a vulnerability," Adam Barnett, lead software engineer at Rapid7, said in a statement shared with The Hacker News.
"The CWE program has recently updated its guidance on mapping CVEs to a CWE Root Cause. Analysis of CWE trends can help developers reduce future occurrences through improved Software Development Life Cycle (SDLC) workflows and testing, as well as helping defenders understand where to direct defense-in-depth and deployment-hardening efforts for best return on investment."
In a related development, cybersecurity firm Varonis detailed two techniques that attackers could adopt to circumvent audit logs and avoid triggering download events while exfiltrating files from SharePoint.
The first approach takes advantage of SharePoint's "Open in App" feature to access and download files, while the second uses the User-Agent string of Microsoft SkyDriveSync to download files or even entire sites while having such events miscategorized as file syncs instead of downloads.
Microsoft, which was made aware of the issues in November 2023, has yet to release a fix, although they have been added to its patch backlog program. In the interim, organizations are advised to closely monitor their audit logs for suspicious access events, specifically those that involve large volumes of file downloads within a short period.
"These techniques can bypass the detection and enforcement policies of traditional tools, such as cloud access security brokers, data loss prevention, and SIEMs, by hiding downloads as less suspicious access and sync events," Eric Saraga said.
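As an added example (not from the article, Varonis or Microsoft), the following Python detector applies the monitoring advice above to constructed Unified Audit Log style records: it flags a user who retrieves many distinct SharePoint files in a short window no matter whether the events were logged as downloads, syncs or plain access, and reports when the whole burst contained no FileDownloaded event at all. The field and operation names are assumptions modelled on the SharePoint audit schema.

```python
"""Burst detection over Microsoft 365 Unified Audit Log records (constructed sample
data). Flags users who retrieve many distinct SharePoint files in a short window,
whether the events are logged as downloads, as sync events, or as plain access."""
from collections import defaultdict
from datetime import datetime, timedelta

# Operations that retrieve file content. The names follow the Unified Audit Log
# schema for SharePoint but are an assumption here; check them against your export.
RETRIEVAL_OPS = {"FileDownloaded", "FileAccessed",
                 "FileSyncDownloadedFull", "FileSyncDownloadedPartial"}

def find_bulk_retrieval(records, window=timedelta(minutes=5), threshold=20):
    """Return {user: (distinct_files, disguised)} for every user whose retrieval
    events touch at least `threshold` distinct files inside a sliding `window`.
    `disguised` is True when no event in the burst was a FileDownloaded, i.e. a
    download-only alert would never have fired."""
    per_user = defaultdict(list)
    for r in records:
        if r["Operation"] in RETRIEVAL_OPS:
            ts = datetime.strptime(r["CreationTime"], "%Y-%m-%dT%H:%M:%S")
            per_user[r["UserId"]].append((ts, r))
    hits = {}
    for user, events in per_user.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                      # slide the window forward
            burst = [r for _, r in events[start:end + 1]]
            files = {r["ObjectId"] for r in burst}
            if len(files) >= threshold and len(files) > hits.get(user, (0,))[0]:
                disguised = all(r["Operation"] != "FileDownloaded" for r in burst)
                hits[user] = (len(files), disguised)
    return hits

def sample_records():
    """Constructed data: one user pulls 30 files via sync in two minutes (no
    FileDownloaded event ever appears); another opens 3 files in a browser."""
    base, recs = datetime(2024, 4, 9, 9, 0, 0), []
    for i in range(30):
        recs.append({"CreationTime": (base + timedelta(seconds=4 * i)).isoformat(),
                     "UserId": "mallory@example.com", "Operation": "FileSyncDownloadedFull",
                     "UserAgent": "Microsoft SkyDriveSync (constructed)",
                     "ObjectId": f"https://example.sharepoint.com/sites/finance/report{i}.xlsx"})
    for i in range(3):
        recs.append({"CreationTime": (base + timedelta(minutes=20 * i)).isoformat(),
                     "UserId": "alice@example.com", "Operation": "FileAccessed",
                     "UserAgent": "Mozilla/5.0 (constructed browser UA)",
                     "ObjectId": f"https://example.sharepoint.com/sites/hr/policy{i}.docx"})
    return recs
```

Running `find_bulk_retrieval(sample_records())` returns only the sync-disguised user with 30 distinct files and `disguised=True`; the browser user never crosses the threshold.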
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —