Microsoft Patch Tuesday: April 2024

April 10, 2024

Microsoft’s Patch Tuesday instalment for April addresses a total of 150 vulnerabilities, considerably more than last month’s release. Despite being a huge batch of updates, there are only 3 critical vulnerabilities patched this month, as well as 1 publicly disclosed, and 2 actively exploited flaws.

CVE-2024-21322, CVE-2024-21323, CVE-2024-21324, CVE-2024-29053, CVE-2024-29054, CVE-2024-29055: Microsoft Defender for IoT Remote Code Execution Vulnerability

Six remote code execution vulnerabilities affecting Microsoft Defender for IoT have been patched this month. Three of the six are rated critical, and they differ in their attack vectors.

Two of the critical vulnerabilities (CVE-2024-29053 & CVE-2024-21323) can be exploited via path traversal, while the third (CVE-2024-21322) requires the attacker to be an existing administrator of the web application. More details on the exploitability of these flaws can be found in Microsoft’s update guides linked above.

Microsoft also advises regular validation and audits of administrative groups to mitigate malicious or unauthorised usage of privileged accounts.

CVE-2024-29988: SmartScreen Prompt Security Feature Bypass Vulnerability

This important security feature bypass vulnerability exists in Microsoft Defender SmartScreen. To successfully exploit this flaw, the victim needs to be tricked into running a specially crafted malicious file. Likely attack scenarios include instant messages or email attachments. In this case, the attacker has no way to force the user to open the file and must rely on social engineering tactics to entice the user to click a link or open the attachment.

CVE-2024-29990: Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability

This important elevation of privilege vulnerability impacts Microsoft Azure Kubernetes Service Confidential Container and could be exploited by unauthenticated attackers to steal credentials and affect resources beyond the security scope managed by AKS Confidential Containers.

To exploit this vulnerability, the attacker must gain access to the untrusted AKS Kubernetes node and the AKS Confidential Container in order to take over confidential guests and containers beyond the network stack to which they might be bound.

It is also worth noting that the attacker does not need to be authenticated in order to successfully exploit this flaw, as they can move the same workload onto a machine on which they hold root privileges. Microsoft’s update guide also includes actions that can be taken to protect against this vulnerability; AKSCC admins are advised to follow this guidance to mitigate the risk of an attack.

CVE-2024-26234: Proxy Driver Spoofing Vulnerability

This important proxy driver spoofing vulnerability was discovered by Sophos X-Ops back in December 2023 and was recently reported to Microsoft. Sophos discovered a malicious executable, Catalog.exe, that was signed with a valid Microsoft Hardware Publisher Certificate. Further analysis of the file identified the original requesting publisher as Hainan YouHu Technology Co. Ltd, which is known as the publisher of the LaiXi screen mirroring software.

Sophos researcher Andreas Klopsch stated: "We have no evidence to suggest that the LaiXi developers deliberately embedded the malicious file into their product, or that a threat actor conducted a supply chain attack to insert it into the compilation/building process of the LaiXi application."

Following the report by Sophos, Microsoft added the associated files to their revocation list and pushed the update as part of their April Patch Tuesday rollout. Microsoft have confirmed that the flaw is being actively exploited in the wild and was publicly disclosed; as always, updates should be applied as soon as possible to protect against exploitation of this vulnerability.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-Apr

Security update guide: https://msrc.microsoft.com/update-guide/

Author

Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.

Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
