Microsoft has released its security updates for the month of April 2024 (which by convention we will call the April Patch) to remedy a record 149 security flaws, two of which are under active attack on the internet.
All the fixes in the April patch from Microsoft
Of the 149 security flaws fixed by this April patch, three are classified as Critical, 142 as Important, three as Moderate, and one as Low in severity; this count is separate from the 21 flaws the company addressed in its Chromium-based Edge browser after the release of the March 2024 Patch Tuesday fixes.
The two flaws addressed by the April patch that are under active attack are the following:
While Microsoft's advisory itself provides no information about CVE-2024-26234, cybersecurity firm Sophos said it discovered a malicious executable in December 2023 (“Catalog.exe” or “Catalog Authentication Client Service”) signed by a valid Microsoft Windows Hardware Compatibility Publisher (WHCP) certificate.
Authenticode analysis of the binary revealed that the original requesting publisher is Hainan YouHu Technology Co. Ltd, which is also the publisher of another tool called LaiXi Android Screen Mirroring.
The tool is described as “a marketing software… [which] can connect hundreds of mobile phones and control them with a batch file, automate tasks like batch following, liking, and commenting”.
Within the purported authentication service is a component called 3proxy, designed to monitor and intercept network traffic on an infected system, effectively acting as a backdoor.
“We have no evidence to suggest that LaiXi developers deliberately embedded the malicious file into their product, or that a cybercriminal conducted a supply chain attack to insert it into the LaiXi application build process”, said Sophos researcher Andreas Klopsch.
The cybersecurity firm also said it had discovered multiple other real-world variants of the backdoor dating back to at least January 5, 2023, indicating that the campaign has been ongoing at least since then. Microsoft subsequently added the relevant files to its revocation list.
The other security flaw fixed by the April patch that has reportedly been the subject of active attacks is CVE-2024-29988, which, like CVE-2024-21412 and CVE-2023-36025, allows attackers to bypass Microsoft Defender SmartScreen protections when opening a specially crafted file.
“To exploit this security feature bypass vulnerability, an attacker would have to convince a user to launch malicious files using a launcher application that requires no user interface to be shown,” said Microsoft, which then added: “In an email or instant message attack scenario, the attacker could send the targeted user a specially designed file to exploit the remote code execution vulnerability”.
The Zero Day Initiative has revealed that there is evidence the flaw has actually been exploited, although Microsoft has marked it with a rating of only “Most Likely to Be Exploited.”
Another notable vulnerability in this April patch is CVE-2024-29990 (CVSS score: 9.0), an elevation of privilege flaw affecting Microsoft Azure Kubernetes Service Confidential Containers that could be exploited by unauthenticated attackers to steal credentials.
Redmond described the impact as follows: “An attacker can access the untrusted AKS Kubernetes node and the AKS Confidential Container to take over guests and confidential containers beyond the network stack to which it may be bound.”
Overall, the release is noteworthy for addressing 68 remote code execution bugs, 31 privilege escalation bugs, 26 security feature bypass bugs, and six denial-of-service (DoS) bugs; interestingly, 24 of the 26 security feature bypass bugs in this April patch are related to Secure Boot.
“While none of these Secure Boot vulnerabilities addressed this month have been exploited in the real world, they serve as a reminder that flaws in Secure Boot persist, and we may see more malicious activity related to Secure Boot in the future,” Satnam Narang, senior staff research engineer at Tenable, said in a statement.
The disclosure comes as Microsoft has been criticized for its security practices, with a recent report from the US Cyber Safety Review Board (CSRB) calling out the company for not doing enough to prevent a cyber espionage campaign orchestrated last year by a Chinese cybercriminal group tracked as Storm-0558.
It also follows the company's decision to publish data on the root cause of security vulnerabilities using the industry-standard Common Weakness Enumeration (CWE); however, it is worth noting that the change only applies to advisories published from March 2024 onward.
“Adding CWE ratings to Microsoft Security Advisories helps pinpoint the generic root cause of a vulnerability,” said Adam Barnett, lead software engineer at Rapid7, in a statement regarding the April patch, in which he then added: “The CWE program recently updated its guidelines on CVE mapping to a root cause CWE. CWE trend analysis can help developers reduce future occurrences through improved software development lifecycle workflows and testing, as well as by helping defenders understand where to direct defense-in-depth and distribution hardening efforts for the best return on investment”.
In a related development, cybersecurity firm Varonis has detailed two methods attackers could use to bypass audit logs and avoid triggering download events when exfiltrating files from SharePoint.
The first approach uses SharePoint's “Open in App” feature to access and download files, while the second uses the User-Agent for Microsoft SkyDriveSync to download files or even entire sites while miscategorizing such events as file syncs instead of downloads.
Microsoft, which was made aware of the issues in November 2023, has yet to release a fix, although the issues have been added to its patch backlog schedule. In the meantime, organizations are advised to carefully monitor their audit logs for suspicious access events, especially those involving large volumes of file downloads within a short time.
“These techniques can evade the detection and enforcement policies of traditional solutions, such as cloud access security brokers, data loss prevention, and SIEMs, hiding downloads as less suspicious logins and sync events,” said Eric Saraga.
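As an added illustration of the monitoring advice above (this is example code written for this article, not code from Varonis or Microsoft), the following Python script counts content-retrieval events per user over a sliding time window, treating SkyDriveSync-originated sync events and the plain access events produced by “Open in App” as download candidates rather than only counting FileDownloaded records. The audit-log field names follow the Microsoft 365 unified audit log layout as assumed here, and the sample records are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Microsoft 365 unified audit log entries for
# SharePoint (field names assumed: CreationTime, Operation, UserId, UserAgent, ObjectId).
SAMPLE_LOG = r"""
{"CreationTime":"2024-04-10T09:00:01","Operation":"FileDownloaded","UserId":"alice@example.com","UserAgent":"Mozilla/5.0","ObjectId":"https://contoso.sharepoint.com/sites/hr/a.docx"}
{"CreationTime":"2024-04-10T09:05:00","Operation":"FileSyncDownloadedFull","UserId":"bob@example.com","UserAgent":"Microsoft SkyDriveSync 24.0","ObjectId":"https://contoso.sharepoint.com/sites/hr/b1.xlsx"}
{"CreationTime":"2024-04-10T09:05:02","Operation":"FileSyncDownloadedFull","UserId":"bob@example.com","UserAgent":"Microsoft SkyDriveSync 24.0","ObjectId":"https://contoso.sharepoint.com/sites/hr/b2.xlsx"}
{"CreationTime":"2024-04-10T09:05:03","Operation":"FileAccessed","UserId":"bob@example.com","UserAgent":"Microsoft SkyDriveSync 24.0","ObjectId":"https://contoso.sharepoint.com/sites/hr/b3.xlsx"}
{"CreationTime":"2024-04-10T09:05:05","Operation":"FileAccessed","UserId":"bob@example.com","UserAgent":"Microsoft SkyDriveSync 24.0","ObjectId":"https://contoso.sharepoint.com/sites/hr/b4.xlsx"}
{"CreationTime":"2024-04-10T09:05:06","Operation":"FileAccessed","UserId":"bob@example.com","UserAgent":"Microsoft SkyDriveSync 24.0","ObjectId":"https://contoso.sharepoint.com/sites/hr/b5.xlsx"}
{"CreationTime":"2024-04-10T09:06:00","Operation":"FileAccessed","UserId":"bob@example.com","UserAgent":"Microsoft Office/16.0","ObjectId":"https://contoso.sharepoint.com/sites/hr/b6.xlsx"}
"""

SYNC_OPS = {"FileSyncDownloadedFull", "FileSyncDownloadedPartial"}
SYNC_AGENT = "SkyDriveSync"

def classify(rec):
    """Map a record to 'download', 'sync', 'access' (a read of file content) or None."""
    op, ua = rec.get("Operation"), rec.get("UserAgent", "")
    if op == "FileDownloaded":
        return "download"
    if op in SYNC_OPS or (op == "FileAccessed" and SYNC_AGENT in ua):
        return "sync"          # sync-client traffic: a download disguised as a sync
    if op == "FileAccessed":
        return "access"        # "Open in App" reads surface as plain access events
    return None

def flag_bulk_retrieval(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {user: {kind: count, 'total': n}} for users with >= threshold reads in one window."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        kind = classify(rec)
        if kind:
            events[rec["UserId"]].append((datetime.fromisoformat(rec["CreationTime"]), kind))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1          # slide the window forward past stale events
            if end - start + 1 >= threshold:
                counts = defaultdict(int)
                for _, kind in evs[start:end + 1]:
                    counts[kind] += 1
                flagged[user] = dict(counts, total=end - start + 1)
    return flagged
```

With the constructed data, bob's six retrievals in about one minute are flagged even though only two of them are logged as sync downloads and none as FileDownloaded; a rule that counted FileDownloaded alone would see nothing.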
Not just Microsoft: other vendors have also released security updates
In addition to Microsoft, other vendors have released security updates in recent weeks to fix several vulnerabilities, among which: