If only Patch Tuesdays came around infrequently β like total solar eclipse rare β instead of just creeping up on us each month like The Man in the Moon. Although to be fair, it would be tough for Microsoft to eclipse the number of vulnerabilities fixed in this monthβs patch batch β a record 147 flaws in Windows and related software.
Yes, you read that right. Microsoft today released updates to address 147 security holes in Windows, Office, Azure, .NET Framework, Visual Studio, SQL Server, DNS Server, Windows Defender, Bitlocker, and Windows Secure Boot.
βThis is the largest release from Microsoft this year and the largest since at least 2017,β said Dustin Childs, from Trend Microβs Zero Day Initiative (ZDI). βAs far as I can tell, itβs the largest Patch Tuesday release from Microsoft of all time.β
Tempering the sheer volume of this monthβs patches is the middling severity of many of the bugs. Only three of Aprilβs vulnerabilities earned Microsoftβs most-dire βcriticalβ rating, meaning they can be abused by malware or malcontents to take remote control over unpatched systems with no help from users.
Most of the flaws that Microsoft deems βmore likely to be exploitedβ this month are marked as βimportant,β which usually involve bugs that require a bit more user interaction (social engineering) but which nevertheless can result in system security bypass, compromise, and the theft of critical assets.
Ben McCarthy, lead cyber security engineer at Immersive Labs called attention to CVE-2024-20670, an Outlook for Windows spoofing vulnerability described as being easy to exploit. It involves convincing a user to click on a malicious link in an email, which can then steal the userβs password hash and authenticate as the user in another Microsoft service.
Another interesting bug McCarthy pointed to is CVE-2024-29063, which involves hard-coded credentials in Azureβs search backend infrastructure that could be gleaned by taking advantage of Azure AI search.
βThis along with many other AI attacks in recent news shows a potential new attack surface that we are just learning how to mitigate against,β McCarthy said. βMicrosoft has updated their backend and notified any customers who have been affected by the credential leakage.β
CVE-2024-29988 is a weakness that allows attackers to bypass Windows SmartScreen, a technology Microsoft designed to provide additional protections for end users against phishing and malware attacks. Childs said one of ZDIβs researchers found this vulnerability being exploited in the wild, although Microsoft doesnβt currently list CVE-2024-29988 as being exploited.
βI would treat this as in the wild until Microsoft clarifies,β Childs said. βThe bug itself acts much like CVE-2024-21412 β a [zero-day threat from February] that bypassed the Mark of the Web feature and allows malware to execute on a target system. Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass Mark of the Web.β
Update, 7:46 p.m. ET: A previous version of this story said there were no zero-day vulnerabilities fixed this month. BleepingComputer reports that Microsoft has since confirmed that there are actually two zero-days. One is the flaw Childs just mentioned (CVE-2024-21412), and the other is CVE-2024-26234, described as a βproxy driver spoofingβ weakness.
Satnam Narang at Tenable notes that this monthβs release includes fixes for two dozen flaws in Windows Secure Boot, the majority of which are considered βExploitation Less Likelyβ according to Microsoft.
βHowever, the last time Microsoft patched a flaw in Windows Secure Boot in May 2023 had a notable impact as it was exploited in the wild and linked to the BlackLotus UEFI bootkit, which was sold on dark web forums for $5,000,β Narang said. βBlackLotus can bypass functionality called secure boot, which is designed to block malware from being able to load when booting up. While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future.β
For links to individual security advisories indexed by severity, check out ZDIβs blog and the Patch Tuesday post from the SANS Internet Storm Center. Please consider backing up your data or your drive before updating, and drop a note in the comments here if you experience any issues applying these fixes.
Adobe today released nine patches tackling at least two dozen vulnerabilities in a range of software products, including Adobe After Effects, Photoshop, Commerce, InDesign, Experience Manager, Media Encoder, Bridge, Illustrator, and Adobe Animate.
KrebsOnSecurity needs to correct the record on a point mentioned at the end of Marchβs βFat Patch Tuesdayβ post, which looked at new AI capabilities built into Adobe Acrobat that are turned on by default. Adobe has since clarified that its apps wonβt use AI to auto-scan your documents, as the original language in its FAQ suggested.
βIn practice, no document scanning or analysis occurs unless a user actively engages with the AI features by agreeing to the terms, opening a document, and selecting the AI Assistant or generative summary buttons for that specific document,β Adobe said earlier this month.
Apple and Microsoft recently released software updates to fix dozens of security holes in their operating systems. Microsoft today patched at least 60 vulnerabilities in its Windows OS. Meanwhile, Appleβs new macOS Sonoma addresses at least 68 security weaknesses, and its latest update for iOS fixes two zero-day flaws.
Last week, Apple pushed out an urgent software update to its flagship iOS platform, warning that there were at least two zero-day exploits for vulnerabilities being used in the wild (CVE-2024-23225 and CVE-2024-23296). The security updates are available in iOS 17.4, iPadOS 17.4, and iOS 16.7.6.
Appleβs macOS Sonoma 14.4 Security Update addresses dozens of security issues. Jason Kitka, chief information security officer at Automox, said the vulnerabilities patched in this update often stem from memory safety issues, a concern that has led to a broader industry conversation about the adoption of memory-safe programming languages [full disclosure: Automox is an advertiser on this site].
On Feb. 26, 2024, the Biden administration issued a report that calls for greater adoption of memory-safe programming languages. On Mar. 4, 2024, Google published Secure by Design, which lays out the companyβs perspective on memory safety risks.
Mercifully, there do not appear to be any zero-day threats hounding Windows users this month (at least not yet). Satnam Narang, senior staff research engineer at Tenable, notes that of the 60 CVEs in this monthβs Patch Tuesday release, only six are considered βmore likely to be exploitedβ according to Microsoft.
Those more likely to be exploited bugs are mostly βelevation of privilege vulnerabilitiesβ including CVE-2024-26182 (Windows Kernel), CVE-2024-26170 (Windows Composite Image File System (CimFS), CVE-2024-21437 (Windows Graphics Component), and CVE-2024-21433 (Windows Print Spooler).
Narang highlighted CVE-2024-21390 as a particularly interesting vulnerability in this monthβs Patch Tuesday release, which is an elevation of privilege flaw in Microsoft Authenticator, the software giantβs app for multi-factor authentication. Narang said aΒ prerequisite for an attacker to exploit this flaw is to already have a presence on the device either through malware or a malicious application.
βIf a victim has closed and re-opened the Microsoft Authenticator app, an attacker could obtain multi-factor authentication codes and modify or delete accounts from the app,β Narang said. βHaving access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites, but if the goal is to remain stealth, they could maintain this access and steal multi-factor authentication codes in order to login to sensitive accounts, steal data or hijack the accounts altogether by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts.β
CVE-2024-21334 earned a CVSS (danger) score of 9.8 (10 is the worst), and it concerns a weakness in Open Management Infrastructure (OMI), a Linux-based cloud infrastructure in Microsoft Azure. Microsoft says attackers could connect to OMI instances over the Internet without authentication, and then send specially crafted data packets to gain remote code execution on the host device.
CVE-2024-21435 is a CVSS 8.8 vulnerability in Windows OLE, which acts as a kind of backbone for a great deal of communication between applications that people use every day on Windows, said Ben McCarthy, lead cybersecurity engineerΒ at Immersive Labs.
βWith this vulnerability, there is an exploit that allows remote code execution, the attacker needs to trick a user into opening a document, this document will exploit the OLE engine to download a malicious DLL to gain code execution on the system,β Breen explained. βThe attack complexity has been described as low meaning there is less of a barrier to entry for attackers.β
A full list of the vulnerabilities addressed by Microsoft this month is available at the SANS Internet Storm Center, which breaks down the updates by severity and urgency.
Finally, Adobe today issued security updates that fix dozens of security holes in a wide range of products, including Adobe Experience Manager, Adobe Premiere Pro, ColdFusion 2023 and 2021, Adobe Bridge, Lightroom, and Adobe Animate. Adobe said it is not aware of active exploitation against any of the flaws.
By the way, Adobe recently enrolled all of its Acrobat users into a βnew generative AI featureβ that scans the contents of your PDFs so that its new βAI Assistantβ canΒ βunderstand your questions and provide responses based on the content of your PDF file.β Adobe provides instructions on how to disable the AI features and opt out here.
Microsoft Corp. today pushed software updates to plug more than 70 security holes in its Windows operating systems and related products, including two zero-day vulnerabilities that are already being exploited in active attacks.
Top of the heap on this Fat Patch Tuesday is CVE-2024-21412, a βsecurity feature bypassβ in the way Windows handles Internet Shortcut Files that Microsoft says is being targeted in active exploits. Redmondβs advisory for this bug says an attacker would need to convince or trick a user into opening a malicious shortcut file.
Researchers at Trend Micro have tied the ongoing exploitation of CVE-2024-21412 to an advanced persistent threat group dubbed βWater Hydra,β which they say has being using the vulnerability to execute a malicious Microsoft Installer File (.msi) that in turn unloads a remote access trojan (RAT) onto infected Windows systems.
The other zero-day flaw is CVE-2024-21351, another security feature bypass β this one in the built-in Windows SmartScreen component that tries to screen out potentially malicious files downloaded from the Web. Kevin Breen at Immersive Labs says itβs important to note that this vulnerability alone is not enough for an attacker to compromise a userβs workstation, and instead would likely be used in conjunction with something like a spear phishing attack that delivers a malicious file.
Satnam Narang, senior staff research engineer at Tenable, said this is the fifth vulnerability in Windows SmartScreen patched since 2022 and all five have been exploited in the wild as zero-days. They include CVE-2022-44698 in December 2022, CVE-2023-24880 in March 2023, CVE-2023-32049 in July 2023 and CVE-2023-36025 in November 2023.
Narang called special attention to CVE-2024-21410, an βelevation of privilegeβ bug in Microsoft Exchange Server that Microsoft says is likely to be exploited by attackers. Attacks on this flaw would lead to the disclosure of NTLM hashes, which could be leveraged as part of an NTLM relay or βpass the hashβ attack, which lets an attacker masquerade as a legitimate user without ever having to log in.
βWe know that flaws that can disclose sensitive information like NTLM hashes are very valuable to attackers,β Narang said. βA Russian-based threat actor leveraged a similar vulnerability to carry out attacks β CVE-2023-23397 is an Elevation of Privilege vulnerability in Microsoft Outlook patched in March 2023.β
Microsoft notes that prior to its Exchange Server 2019 Cumulative Update 14 (CU14), a security feature called Extended Protection for Authentication (EPA), which provides NTLM credential relay protections, was not enabled by default.
βGoing forward, CU14 enables this by default on Exchange servers, which is why it is important to upgrade,β Narang said.
Rapid7βs lead software engineer Adam Barnett highlighted CVE-2024-21413, a critical remote code execution bug in Microsoft Office that could be exploited just by viewing a specially-crafted message in the Outlook Preview pane.
βMicrosoft Office typically shields users from a variety of attacks by opening files with Mark of the Web in Protected View, which means Office will render the document without fetching potentially malicious external resources,β Barnett said. βCVE-2024-21413 is a critical RCE vulnerability in Office which allows an attacker to cause a file to open in editing mode as though the user had agreed to trust the file.β
Barnett stressed that administrators responsible for Office 2016 installations who apply patches outside of Microsoft Update should note the advisory lists no fewer than five separate patches which must be installed to achieve remediation of CVE-2024-21413; individual update knowledge base (KB) articles further note that partially-patched Office installations will be blocked from starting until the correct combination of patches has been installed.
Itβs a good idea for Windows end-users to stay current with security updates from Microsoft, which can quickly pile up otherwise. That doesnβt mean you have to install them on Patch Tuesday. Indeed, waiting a day or three before updating is a sane response, given that sometimes updates go awry and usually within a few days Microsoft has fixed any issues with its patches. Itβs also smart to back up your data and/or image your Windows drive before applying new updates.
For a more detailed breakdown of the individual flaws addressed by Microsoft today, check out the SANS Internet Storm Centerβs list. For those admins responsible for maintaining larger Windows environments, it often pays to keep an eye on Askwoody.com, which frequently points out when specific Microsoft updates are creating problems for a number of users.
The final Patch Tuesday of 2023 is upon us, with Microsoft Corp. today releasing fixes for a relatively small number of security holes in its Windows operating systems and other software. Even more unusual, there are no known βzero-dayβ threats targeting any of the vulnerabilities in Decemberβs patch batch. Still, four of the updates pushed out today address βcriticalβ vulnerabilities that Microsoft says can be exploited by malware or malcontents to seize complete control over a vulnerable Windows device with little or no help from users.
Among the critical bugs quashed this month is CVE-2023-35628, a weakness present in Windows 10 and later versions, as well as Microsoft Server 2008 and later. Kevin Breen, senior director of threat research at Immersive Labs, said the flaw affects MSHTML, a core component of Windows that is used to render browser-based content. Breen notes that MSHTML also can be found in a number of Microsoft applications, including Office, Outlook, Skype and Teams.
βIn the worst-case scenario, Microsoft suggests that simply receiving an email would be enough to trigger the vulnerability and give an attacker code execution on the target machine without any user interaction like opening or interacting with the contents,β Breen said.
Another critical flaw that probably deserves priority patching is CVE-2023-35641, a remote code execution weakness in a built-in Windows feature called the Internet Connection Sharing (ICS) service that lets multiple devices share an Internet connection. While CVE-2023-35641 earned a high vulnerability severity score (a CVSS rating of 8.8), the threat from this flaw may be limited somewhat because an attacker would need to be on the same network as the target. Also, while ICS is present in all versions of Windows since Windows 7, it is not on by default (although some applications may turn it on).
Satnam Narang, senior staff research engineer at Tenable, notes that a number of the non-critical patches released today were identified by Microsoft as βmore likely to be exploited.β For example, CVE-2023-35636, which Microsoft says is an information disclosure vulnerability in Outlook. An attacker could exploit this flaw by convincing a potential victim to open a specially crafted file delivered via email or hosted on a malicious website.
Narang said what makes this one stand out is that exploitation of this flaw would lead to the disclosure of NTLM hashes, which could be leveraged as part of an NTLM relay or βpass the hashβ attack, which lets an attacker masquerade as a legitimate user without ever having to log in.
βIt is reminiscent of CVE-2023-23397, an elevation of privilege vulnerability in Microsoft Outlook that was exploited in the wild as a zero day and patched in the March 2023 Patch Tuesday release,β Narang said. βHowever, unlike CVE-2023-23397, CVE-2023-35636 is not exploitable via Microsoftβs Preview Pane, which lowers the severity of this flaw.β
As usual, the SANS Internet Storm Center has a good roundup on all of the patches released today and indexed by severity. Windows users, please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any difficulties as a result of these patches.