Tuesday, May 7, 2024

Microsoft fixes 149 flaws in April's massive patch release

Microsoft released security updates for the month of April 2024 to fix a record 149 flaws, two of which have been actively exploited in the wild.

Of the 149 flaws, three are rated Critical, 142 are rated Important, three are rated Moderate, and one is rated Low in severity. The update is in addition to 21 vulnerabilities the company addressed in its Chromium-based Edge browser following the release of the March 2024 Patch Tuesday fixes.

The two flaws that have been actively exploited are the following:

  • CVE-2024-26234 (CVSS score: 6.7) – Proxy Driver Spoofing Vulnerability
  • CVE-2024-29988 (CVSS score: 8.8) – SmartScreen Prompt Security Feature Bypass Vulnerability

While Microsoft's advisory does not provide details about CVE-2024-26234, the cybersecurity company Sophos said it discovered in December 2023 a malicious executable ("Catalog.exe" or "Catalog Authentication Client Service") that is signed with a valid Microsoft Windows Hardware Compatibility Publisher (WHCP) certificate.

Authenticode analysis of the binary revealed the original requesting publisher to be Hainan YouHu Technology Co. Ltd, which is also the publisher of another tool called LaiXi Android Screen Mirroring.

The latter is described as “a marketing software … [that] can connect hundreds of mobile phones and control them in batches and automate tasks such as group following, liking and commenting”.

Within the supposed authentication service is a component called 3proxy which is designed to monitor and intercept network traffic on an infected system, effectively acting as a backdoor.

"We have no evidence to suggest that the LaiXi developers intentionally integrated the malicious file into their product, or that a threat actor conducted a supply chain attack to inject it into the LaiXi application build/build process," said Sophos researcher Andreas Klopsch.

The cybersecurity company also said it discovered several other variants of the backdoor in the wild dating back to January 5, 2023, indicating that the campaign has been running since at least then. Microsoft has since added the relevant files to its revocation list.

The other security flaw that has reportedly been actively attacked is CVE-2024-29988, which, like CVE-2024-21412 and CVE-2023-36025, allows attackers to bypass Microsoft Defender SmartScreen protections when opening a specially crafted file.

"To exploit this security feature bypass vulnerability, an attacker would have to convince a user to launch malicious files using a launcher that requests that no user interface be displayed," Microsoft said.

"In an email or instant messaging attack scenario, an attacker could send the targeted user a specially crafted file designed to exploit the remote code execution vulnerability."

The Zero Day Initiative said there is evidence of exploitation of the flaw in the wild, although Microsoft has flagged it only with an "Exploitation More Likely" rating.

Another important issue is CVE-2024-29990 (CVSS score: 9.0), an elevation of privilege flaw affecting Microsoft Azure Kubernetes Service Confidential Containers that could be exploited by unauthenticated attackers to steal credentials.

"An attacker can access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers beyond the network stack they may be bound to," said Redmond.

Overall, the release is notable for addressing 68 remote code execution, 31 privilege escalation, 26 security feature bypass, and six denial-of-service (DoS) bugs. Interestingly, 24 of the 26 security feature bypass bugs are related to Secure Boot.

"While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot still exist and we could see more Secure Boot-related malicious activity in the future," Satnam Narang, senior staff research engineer at Tenable, said in a statement.

The revelation comes as Microsoft has faced criticism over its security practices, with a recent report from the Cyber Safety Review Board (CSRB) calling out the company for not doing enough to prevent a cyber espionage campaign orchestrated by a Chinese threat actor tracked as Storm-0558 last year.

It also follows the company's decision to publish root cause data for security flaws using the Common Weakness Enumeration (CWE) industry standard. It is worth noting, however, that the change only applies to advisories published from March 2024 onwards.

"Adding CWE assessments to Microsoft's security advisory helps identify the overall root cause of a vulnerability," said Adam Barnett, lead software engineer at Rapid7, in a statement shared with The Hacker News.

"The CWE program recently updated its guidance on mapping CVEs to a CWE root cause. Analyzing CWE trends can help developers reduce future occurrences through improved Software Development Life Cycle (SDLC) workflows and testing, as well as helping defenders understand where to direct defense-in-depth efforts and hardening development for better return on investment."

In a related development, cybersecurity firm Varonis exposed two methods attackers could adopt to bypass audit logs and avoid triggering download events when exporting files from SharePoint.

The first approach takes advantage of SharePoint's "Open in App" feature to access and download files, while the second uses the user agent of the Microsoft SkyDriveSync client to download files or even entire sites, causing such events to be misclassified as file syncs instead of downloads.

Microsoft, which was made aware of the issues in November 2023, has yet to release a fix, although they have been added to the pending patch schedule. In the meantime, organizations are advised to closely monitor audit logs for suspicious access events, especially those involving large volumes of file downloads within a short period of time.

"These techniques can bypass the detection and enforcement policies of traditional tools, such as cloud access security brokers, data loss prevention and SIEMs, by disguising downloads as less suspicious access and synchronization events," said Eric Saraga.
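The monitoring advice above can be turned into a simple detection. The following is an added example, not code from Varonis or Microsoft: it scans audit records for bursts of sync-client downloads (SkyDriveSync user agent) and "Open in App" file accesses per user within a sliding time window. The field and operation names (`Operation`, `UserId`, `UserAgent`, `CreationTime`, `FileSyncDownloadedFull`, `FileAccessed`) are assumed to follow the Microsoft 365 unified audit log schema, and the event records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real data): one ordinary browser
# download by alice, and 30 sync-client downloads by mallory within an hour.
SAMPLE_EVENTS = [
    {"CreationTime": "2024-04-10T09:00:00", "UserId": "alice@example.com",
     "Operation": "FileDownloaded", "UserAgent": "Mozilla/5.0"},
] + [
    {"CreationTime": f"2024-04-10T09:{i:02d}:00", "UserId": "mallory@example.com",
     "Operation": "FileSyncDownloadedFull",
     "UserAgent": "Microsoft SkyDriveSync 23.000.0000.0000"}  # assumed UA format
    for i in range(0, 60, 2)
]

# Operation names assumed from the unified audit log schema.
SYNC_OPS = {"FileSyncDownloadedFull", "FileSyncDownloadedPartial"}
ACCESS_OPS = {"FileAccessed"}  # "Open in App" surfaces as an access, not a download


def find_bulk_exfil(events, window=timedelta(minutes=30), threshold=15):
    """Return (user, technique, count) for each user whose disguised-download
    events reach `threshold` inside any sliding `window`."""
    buckets = defaultdict(list)
    for e in events:
        ua = e.get("UserAgent", "")
        if e["Operation"] in SYNC_OPS and "SkyDriveSync" in ua:
            kind = "sync-client-download"
        elif e["Operation"] in ACCESS_OPS:
            kind = "open-in-app-access"
        else:
            continue  # ordinary downloads are already visible to DLP/CASB
        buckets[(e["UserId"], kind)].append(datetime.fromisoformat(e["CreationTime"]))

    alerts = []
    for (user, kind), times in buckets.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, kind, end - start + 1))
                break  # one alert per user and technique is enough
    return alerts


if __name__ == "__main__":
    for user, kind, count in find_bulk_exfil(SAMPLE_EVENTS):
        print(f"ALERT {user}: {count} {kind} events within 30 minutes")
```

In production the same logic would run over records pulled from the Office 365 Management Activity API or a SIEM, with the window and threshold tuned to the tenant's normal sync volume.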

Third-party software fixes

In addition to Microsoft, security updates have also been released by other vendors in recent weeks to fix several vulnerabilities, including:

Marizas Dimitris, https://www.techwar.gr