Microsoft fixes 149 flaws, including zero-days, in massive patch released in April


Microsoft released its April 2024 security update, which fixed a record 149 vulnerabilities, two of which are under active exploitation.

Of the 149 vulnerabilities, 3 are rated Critical, 142 are rated Important, 3 are rated Moderate, and 1 is rated Low in severity. The count does not include the 21 vulnerabilities that the company addressed in its Chromium-based Edge browser after the March 2024 Patch Tuesday fixes were released.

The two flaws that are being actively exploited are as follows:

  • CVE-2024-26234 (CVSS score: 6.7) – Proxy Driver Spoofing Vulnerability
  • CVE-2024-29988 (CVSS score: 8.8) – SmartScreen Prompt Security Feature Bypass Vulnerability

While Microsoft’s own advisory did not provide information about CVE-2024-26234, cybersecurity firm Sophos said that in December 2023 it discovered a malicious executable (“Catalog.exe” or “Catalog Authentication Client Service”) that is signed with a valid Microsoft Windows Hardware Compatibility Publisher (WHCP) certificate.

Authenticode analysis of the binary shows that the original signing request was submitted by Hainan YouHu Technology Co., Ltd., which is also the publisher of another tool called LaiXi Android Screen Mirroring.

The latter is described as “a marketing software… [that] can connect to hundreds of mobile phones and control them in batches to automate batch following, likes, comments and other tasks.”

The so-called authentication service contains a component called 3proxy, which is designed to monitor and intercept network traffic on infected systems, effectively acting as a backdoor.

Sophos researcher Andreas Klopsch said: “We have no evidence that the LaiXi developers intentionally embedded the malicious file into their product, or that a threat actor conducted a supply chain attack to insert it into the compilation/build process of the LaiXi application.”

The cybersecurity firm also said it discovered multiple other variants of the backdoor in the wild dating back to January 5, 2023, suggesting the campaign has been ongoing at least since then. Microsoft has since added the relevant files to its revocation list.


The other security vulnerability reportedly under active attack is CVE-2024-29988, which, like CVE-2024-21412 and CVE-2023-36025, allows attackers to bypass Microsoft Defender SmartScreen protections when opening a specially crafted file.

“To exploit this security feature bypass vulnerability, an attacker would need to convince a user to launch a malicious file using a launcher application that requests that no UI be shown,” Microsoft said.

“In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted file designed to exploit the remote code execution vulnerability.”

The Zero Day Initiative revealed that there is evidence the flaw is being exploited in the wild, even though Microsoft has only marked it with an “Exploitation More Likely” assessment.

Another vulnerability of note is CVE-2024-29990 (CVSS score: 9.0), an elevation of privilege flaw affecting Microsoft Azure Kubernetes Service Confidential Containers that could be exploited by an unauthenticated attacker to steal credentials.

“An attacker can access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers beyond the network stack it might be bound to,” Redmond said.

All told, the release is notable for resolving as many as 68 remote code execution bugs, 31 privilege escalation bugs, 26 security feature bypasses, and 6 denial-of-service (DoS) bugs. Interestingly, 24 of the 26 security feature bypass flaws are related to Secure Boot.

“While none of the Secure Boot vulnerabilities addressed this month have been exploited in the wild, they serve as a reminder that flaws in Secure Boot still exist and we may see more Secure Boot-related malicious activity in the future,” Satnam Narang, senior staff research engineer at Tenable, said in a statement.

The disclosure comes as Microsoft faces criticism for its security practices, with a recent report from the U.S. Cyber Safety Review Board (CSRB) saying the company did not do enough to prevent a cyber espionage campaign conducted last year by a Chinese threat actor tracked as Storm-0558.

It also follows the company’s decision to publish root cause data for security flaws using the Common Weakness Enumeration (CWE) industry standard. It is worth noting, however, that the change only applies to advisories published from March 2024 onwards.

“Adding CWE assessments to Microsoft security bulletins helps pinpoint the general root cause of vulnerabilities,” Adam Barnett, principal software engineer at Rapid7, said in a statement shared with The Hacker News.

“The CWE program recently updated its guidance on mapping CVEs to a CWE root cause. Analysis of CWE trends can help developers reduce future occurrences through improved software development life cycle (SDLC) workflows and testing, and help defenders understand where to direct defense-in-depth and hardening efforts for the best return on investment.”

In a related development, cybersecurity firm Varonis detailed two methods attackers can use to circumvent audit logs and avoid triggering download events when exfiltrating files from SharePoint.

The first method takes advantage of SharePoint’s “Open in App” feature to access and download files, while the second uses the user agent of Microsoft SkyDriveSync to download files, or even entire sites, while causing the events to be misclassified as file syncs rather than downloads.


Microsoft was made aware of the issues in November 2023, and although they have been added to the patch backlog, a fix has not yet been released. In the meantime, organizations are advised to closely monitor their audit logs for suspicious access events, particularly those involving the access of a large number of files within a short period of time.

“These techniques can bypass the detection and enforcement policies of traditional tools, such as cloud access security brokers, data loss prevention and SIEMs, by disguising downloads as less suspicious access and sync events,” said Eric Saraga.
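The monitoring advice above is easy to state and less easy to turn into a rule, because the two techniques never produce a download event: “Open in App” shows up as ordinary file access, and the sync-client trick shows up as a sync operation. The following Python is an added illustration (not Varonis’ tooling or anything from the original article) of a detection that ignores the operation name and instead counts distinct files a user touched through those non-download operations inside a sliding time window, flagging a burst and noting whether a SkyDriveSync user agent was involved. The records are constructed; the operation names `FileAccessed`, `FileSyncDownloadedFull` and `FileSyncDownloadedPartial` are Microsoft 365 unified audit log operations as known to the author of this example, and the window and threshold are arbitrary assumptions to tune per tenant.

```python
"""Burst detection over SharePoint audit records that hide downloads as
access or sync events. Added example with constructed data; field names
follow the Microsoft 365 unified audit log schema (CreationTime, UserId,
Operation, ObjectId, UserAgent) but the values are invented."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Non-download operations that the "Open in App" and sync-client techniques
# produce. Assumption: adjust for the operations your tenant actually emits.
WATCHED_OPERATIONS = {"FileAccessed", "FileSyncDownloadedFull",
                      "FileSyncDownloadedPartial"}
SYNC_AGENT_MARKER = "SkyDriveSync"  # user agent string named in the article


def _burst(user, operation, agent, count, start, step_seconds, site):
    """Build `count` constructed audit records for one user, spaced evenly."""
    return [{"CreationTime": (start + timedelta(seconds=i * step_seconds)).isoformat(),
             "UserId": user, "Operation": operation, "UserAgent": agent,
             "ObjectId": f"{site}/file{i:03d}.docx"} for i in range(count)]


_BASE = datetime(2024, 4, 10, 9, 0, 0)
# Constructed sample: alice opens 25 files in 4 minutes via "Open in App",
# bob opens 3 files over 3 hours (benign), carol pulls 22 files in under
# 2 minutes through a sync-client user agent.
SAMPLE_RECORDS = (
    _burst("alice@example.com", "FileAccessed", "Microsoft Office Word 2016",
           25, _BASE, 10, "https://contoso.sharepoint.com/sites/finance")
    + _burst("bob@example.com", "FileAccessed", "Mozilla/5.0 (Windows NT 10.0)",
             3, _BASE, 3600, "https://contoso.sharepoint.com/sites/hr")
    + _burst("carol@example.com", "FileSyncDownloadedFull",
             "Microsoft SkyDriveSync 23.226.1031.0001", 22,
             _BASE + timedelta(hours=1), 5,
             "https://contoso.sharepoint.com/sites/legal")
)


def find_bulk_access(records, window=timedelta(minutes=10), threshold=20):
    """Return one alert per user whose distinct watched-file count reaches
    `threshold` within any `window`; alert carries the user, the window's
    first and last timestamps, the file count, and whether a sync agent was
    seen. Records for other operations are ignored on purpose: the point is
    to catch bulk movement that never logged a FileDownloaded event."""
    by_user = defaultdict(list)
    for rec in records:
        if rec["Operation"] in WATCHED_OPERATIONS:
            by_user[rec["UserId"]].append(rec)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda r: r["CreationTime"])  # ISO-8601 sorts lexically
        current = deque()  # events inside the trailing window
        for rec in events:
            now = datetime.fromisoformat(rec["CreationTime"])
            current.append(rec)
            while now - datetime.fromisoformat(current[0]["CreationTime"]) > window:
                current.popleft()
            distinct = {e["ObjectId"] for e in current}
            if len(distinct) >= threshold:
                alerts.append({
                    "user": user,
                    "window_start": current[0]["CreationTime"],
                    "window_end": rec["CreationTime"],
                    "distinct_files": len(distinct),
                    "via_sync": any(SYNC_AGENT_MARKER in e.get("UserAgent", "")
                                    for e in current),
                })
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_access(SAMPLE_RECORDS):
        print(alert)
```

Running it prints two alerts, one for alice (via_sync False) and one for carol (via_sync True); bob stays quiet. The design choice worth copying is that the rule keys on volume and velocity of distinct objects rather than on the operation name, which is exactly the signal the two bypasses cannot suppress.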

Software patches from other vendors

In addition to Microsoft, other vendors have also released security updates over the past few weeks to fix multiple vulnerabilities, including —


from Tech Empire Solutions https://techempiresolutions.com/microsoft-fixes-149-flaws-including-zero-days-in-massive-patch-released-in-april/
via https://techempiresolutions.com/