Microsoft Patch Tuesday Tsunami: No Zero-Days, but an Asterisk
Microsoft patched a record number of 147 new CVEs this month, though only three are rated “Critical.”
Microsoft outdid itself with this month’s Patch Tuesday releases, which contain no zero-day patches, though at least one of the patches addresses a flaw already being actively exploited.
Products affected by the most recent Patch Tuesday updates include Windows and Windows Components; Azure; .NET Framework and Visual Studio; SQL Server; DNS Server; Windows Defender; BitLocker; and Windows Secure Boot.
Microsoft’s April update included 147 CVEs, three rated “Critical,” 142 categorized as “Important,” and two listed as “Moderate” in severity. That number swells to 155 CVEs if third-party flaws are included. The number represents a record high for Patch Tuesday fixes.
“Microsoft patched 147 CVEs in April, the largest number of CVEs patched in a month since we began tracking this data in 2017,” Satnam Narang, senior staff research engineer at Tenable, said in a statement. “The last time there were over 100 CVEs patched was October 2023, when Microsoft addressed 103 CVEs.” The previous high was in July 2023, with 130 CVEs patched, Narang added.
Microsoft did not indicate that any of the April Patch Tuesday CVEs are zero-day threats, a welcome departure from last year’s brisk clip of zero-day disclosures.
“This time last year, there were seven zero-day vulnerabilities exploited in the wild,” Narang said. This year, there have only been two zero-days exploited and both were in February. “It’s difficult to pinpoint why we’ve seen this decrease, whether it’s just a lack of visibility or if it signifies a trend with attackers utilizing known vulnerabilities as part of their attacks on organizations.”
However, Dustin Childs of the Zero Day Initiative noted in his April Microsoft Patch Tuesday analysis that his organization has evidence of a known exploited flaw in the list of this month’s fixes.
Patch Tuesday Fixes to Prioritize
Childs pointed to the max-severity SmartScreen Prompt security feature bypass vulnerability (CVE-2024-29988), with a CVSS score of 8.8, which was discovered by ZDI but wasn’t listed as exploited in Microsoft’s Patch Tuesday update.
“However, the bug reported by ZDI threat hunter Peter Girnus was found in the wild,” Childs added. “We have evidence this is being exploited in the wild, and I’m listing it as such.”
Another max-severity bug, a Remote Procedure Call Runtime remote code execution vulnerability (CVE-2024-20678), was given a CVSS score of 8.8 and patched this month by Microsoft.
A spoofing vulnerability (CVE-2024-20670), listed as max-severity with a base CVSS of 8.1, was fixed in Outlook for Windows. A Windows DNS Server remote code execution flaw (CVE-2024-26221), also listed as max-severity with a CVSS score of 7.2, was patched as well.
Microsoft SQL Gets Plenty of Patches
Microsoft SQL Server vulnerabilities make up a large share of this month’s Patch Tuesday fixes, according to Kev Breen, senior director of threat research for Immersive Labs.
“While at first glance, it may appear that Microsoft has called out a large number of vulnerabilities in its latest notes, 40 of them are all related to the same product — Microsoft SQL Server,” Breen said in a statement. “The main issue is with the Clients used to connect to an SQL server, not the server itself.”
Breen went on to explain that all of these would require social engineering, making the SQL flaws difficult to exploit in any useful capacity.
“All the reported vulnerabilities follow a similar pattern: For an attacker to gain code execution, they must convince an authenticated user inside an organization to connect to a remote SQL server the attacker controls,” Breen added. “While not impossible, this is unlikely to be exploited at scale by attackers.”
Security teams concerned about these types of attacks should look for anomalous activity and block outbound connections except to trusted servers.
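As an added illustration of that last point (it is not code from the article or from any of the vendors quoted), the script below scans Windows Firewall log lines for outbound connections to SQL Server ports whose destination is outside an allowlist of trusted servers; the pfirewall.log field layout, the allowlist and the log lines are all assumptions or constructed samples.

```python
import ipaddress

# SQL Server client traffic: TCP 1433 (default instance) and UDP 1434 (SQL Browser).
SQL_PORTS = {("TCP", 1433), ("UDP", 1434)}

# Constructed allowlist of trusted SQL Server destinations; replace with your own inventory.
TRUSTED_SQL_SERVERS = [ipaddress.ip_network("10.0.20.0/24"),
                       ipaddress.ip_network("10.0.21.15/32")]

def parse_line(line):
    """Split one log line into a dict; returns None for comments, headers and short lines.
    Assumed field order (pfirewall.log layout):
    date time action protocol src-ip dst-ip src-port dst-port ... path"""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 9:
        return None
    return {"time": f"{f[0]} {f[1]}", "proto": f[3], "src": f[4],
            "dst": f[5], "dport": int(f[7]), "path": f[-1]}

def is_trusted(ip):
    """True if the destination falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_SQL_SERVERS)

def find_untrusted_sql_connections(lines):
    """Return (time, src, dst, proto, port) for outbound SQL-port connections
    whose destination is not allowlisted; inbound (RECEIVE) traffic is ignored."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != "SEND":
            continue
        if (rec["proto"], rec["dport"]) not in SQL_PORTS or is_trusted(rec["dst"]):
            continue
        findings.append((rec["time"], rec["src"], rec["dst"], rec["proto"], rec["dport"]))
    return findings

# Constructed sample log: one trusted connection, two to an unknown external host, one inbound, one HTTPS.
SAMPLE_LOG = """#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-04-10 09:15:01 ALLOW TCP 10.0.0.5 10.0.20.7 51234 1433 0 - 0 0 0 - - - SEND
2024-04-10 09:16:44 ALLOW TCP 10.0.0.5 203.0.113.7 51240 1433 0 - 0 0 0 - - - SEND
2024-04-10 09:16:45 ALLOW UDP 10.0.0.5 203.0.113.7 51241 1434 0 - - - - - - - SEND
2024-04-10 09:17:00 ALLOW TCP 198.51.100.9 10.0.0.5 44444 1433 0 - 0 0 0 - - - RECEIVE
2024-04-10 09:17:05 ALLOW TCP 10.0.0.5 203.0.113.7 51250 443 0 - 0 0 0 - - - SEND"""

if __name__ == "__main__":
    for t, src, dst, proto, port in find_untrusted_sql_connections(SAMPLE_LOG.splitlines()):
        print(f"{t}: {src} -> {dst}:{port}/{proto} is not an allowlisted SQL Server")
```

Named instances listen on other ports, so in practice the port set should be built from your SQL Server inventory rather than the defaults alone.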
Microsoft SmartScreen Prompt and Secure Boot Flaws
Tenable’s Narang noted that this month’s fix for the SmartScreen Prompt security feature bypass (CVE-2024-29988), with its CVSS score of 8.8, likewise relies on social engineering to make exploitation possible. A similar zero-day bug (CVE-2024-21412), discovered by the same researchers, was used in a DarkGate campaign impersonating popular brands like Apple iTunes.
“Microsoft Defender SmartScreen is supposed to provide additional protections for end users against phishing and malicious websites,” Narang said. “However, as the name implies, these flaws bypass these security features, which leads to end users being infected with malware.”
Narang also suggested security teams take a look at the 24 Windows Secure Boot flaw fixes included in Microsoft’s April Patch Tuesday release.
“The last time Microsoft patched a flaw in Windows Secure Boot (CVE-2023-24932), in May 2023, it had a notable impact, as it was exploited in the wild and linked to the BlackLotus UEFI bootkit, which was sold on Dark Web forums for $5,000,” he said.
The BlackLotus bootkit is able to block security protections while the system boots.
“While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future,” Narang stressed.