Microsoft has recently released its security updates for April 2024, addressing a total of 149 vulnerabilities. Out of these, three are classified as Critical, 142 as Important, three as Moderate, and one as Low severity. The update focuses on fixing bugs and vulnerabilities in various Microsoft products and services. It is worth mentioning that this update is separate from the previous fix for 21 vulnerabilities in the Chromium-based Edge browser.
Among the 149 flaws, two have been actively exploited in the wild. The first one is CVE-2024-26234, which is a Proxy Driver Spoofing Vulnerability with a CVSS score of 6.7. The details of this vulnerability are scarce in Microsoft’s advisory, but cybersecurity firm Sophos discovered a malicious executable file signed by a valid Microsoft Windows Hardware Compatibility Publisher (WHCP) certificate. This executable, known as “Catalog.exe” or “Catalog Authentication Client Service,” contains a component called 3proxy, which acts as a backdoor by intercepting network traffic on an infected system. Sophos has found multiple variants of this backdoor, indicating an ongoing campaign since January 2023.
The second actively exploited vulnerability is CVE-2024-29988, a SmartScreen Prompt Security Feature Bypass Vulnerability with a CVSS score of 8.8. This vulnerability, along with CVE-2024-21412 and CVE-2023-36025, allows attackers to bypass Microsoft Defender SmartScreen protections when opening a specially crafted file. To exploit this vulnerability, the attacker needs to convince the user to launch malicious files using a launcher application that requests no UI be shown. In an email or instant message attack scenario, the attacker could send a specially crafted file to exploit this vulnerability.
Another noteworthy vulnerability in the April 2024 security update is CVE-2024-29990, an elevation of privilege flaw impacting Microsoft Azure Kubernetes Service Confidential Container. With a CVSS score of 9.0, this vulnerability could be exploited by unauthenticated attackers to steal credentials. The attacker can access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers beyond the network stack.
The security update also addresses various other vulnerabilities, including remote code execution, privilege escalation, security feature bypass, and denial-of-service bugs. Particularly significant is the presence of 26 security bypass flaws related to Secure Boot, highlighting the persistence of flaws in this area. Although none of these Secure Boot vulnerabilities have been exploited in the wild, they serve as a reminder of the potential risks associated with Secure Boot.
The release of the April 2024 security update follows recent criticism of Microsoft’s security practices. A report from the U.S. Cyber Safety Review Board (CSRB) highlighted the company’s failure to prevent a cyber espionage campaign conducted by a Chinese threat actor known as Storm-0558. Additionally, Microsoft has taken steps to improve transparency by publishing root cause data for security flaws using the Common Weakness Enumeration (CWE) industry standard. This change aims to help developers and defenders better understand and address vulnerabilities.
In related news, cybersecurity firm Varonis has detailed two methods that attackers could use to bypass audit logs and avoid triggering download events while exfiltrating files from SharePoint. The first method involves using SharePoint’s “Open in App” feature, while the second method relies on manipulating the User-Agent for Microsoft SkyDriveSync. These techniques allow attackers to hide their download activities and evade detection.
It is important for organizations to closely monitor their audit logs for any suspicious access events, especially those involving large volumes of file downloads within a short period. Traditional security tools may not detect these techniques, so it is crucial to implement additional measures to protect against such attacks.
In conclusion, Microsoft’s April 2024 security update addresses a significant number of vulnerabilities across its products and services, with two vulnerabilities actively exploited in the wild. The inclusion of CWE assessments in security advisories enhances vulnerability analysis and helps developers and defenders address root causes. However, ongoing challenges with Secure Boot vulnerabilities and recent criticisms of Microsoft’s security practices highlight the importance of continuous improvement in the field of cybersecurity. Organizations must remain vigilant and take appropriate measures to protect their systems and data from emerging threats.
Source link
/cdn.vox-cdn.com/uploads/chorus_asset/file/25452034/2024_05_18_Installer_38.png?w=1024&resize=1024,1024&ssl=1)
