Microsoft Drops 147 Fixes for April Patch Tuesday

In what is the largest batch of security patches this year, Microsoft has released fixes for 147 CVEs (Common Vulnerabilities and Exposures) for April.

Despite the larger-than-usual number of bulletins, this batch contains no fixes for zero-day vulnerabilities for the second month in a row, according to Microsoft. However, that may not be entirely true.

CVE-2024-29988, a bulletin rated "important," rectifies a security bypass hole in Windows SmartScreen (which protects users from malware attacks). Microsoft said that there are no active exploits for this item, nor is it publicly disclosed. However, security expert Dustin Childs, of the Zero Day Initiative blog, disagrees.

"This is an odd one, as a ZDI threat researcher found this vulnerability being in the wild, although Microsoft currently doesn’t list this as exploited," wrote Childs. "I would treat this as in the wild until Microsoft clarifies. The bug itself acts much like CVE-2024-21412 – it bypasses the Mark of the Web (MotW) feature and allows malware to execute on a target system."

The best bet is to treat this item as if it were in active exploit and get patched as soon as possible.

Despite there being over 100 bulletins for the first time since October 2023, only three of the items are rated critical, and they all address similar issues in Microsoft Defender for IoT.

The three are CVE-2024-29053, CVE-2024-21323 and CVE-2024-21322, which all address remote code execution vulnerabilities in Microsoft Defender for IoT. According to Microsoft, successfully exploiting CVE-2024-29053 "would require an attacker to send a tar file to the Defender for IoT sensor."

What makes an attack difficult is that the malicious file would first need to be sent over the network, which requires the attacker to authenticate beforehand. For the second and third Defender for IoT fixes, an attacker does not need any additional privileges; in both cases it would only need to send a malicious file to "sensitive locations" on the server.

Also of note this month are 24 bulletins addressing vulnerabilities in Windows Secure Boot. While they are all rated "important" and Microsoft considers active exploitation unlikely, they are definitely worth paying attention to, according to Satnam Narang, senior staff research engineer at security firm Tenable.

"However, the last time Microsoft patched a flaw in Windows Secure Boot (CVE-2023-24932) in May 2023 had a notable impact as it was exploited in the wild and linked to the BlackLotus UEFI bootkit, which was sold on dark web forums for $5,000," said Narang. "BlackLotus can bypass functionality called secure boot, which is designed to block malware from being able to load when booting up. While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future."

The full list of this month's bulletins can be found here.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.


comments powered by Disqus

Subscribe on YouTube