Article Details
Scrape Timestamp (UTC): 2024-04-09 17:42:05.267
Original Article Text
Microsoft April 2024 Patch Tuesday fixes 150 security flaws, 67 RCEs

Update 4/9/24: Added information on two zero-day vulnerabilities that Microsoft did not initially mark as exploited.

Today is Microsoft's April 2024 Patch Tuesday, which includes security updates for 150 flaws, sixty-seven of them remote code execution bugs.

Only three critical vulnerabilities were fixed as part of today's Patch Tuesday, but sixty-seven of the flaws are remote code execution bugs. More than half of the RCE flaws are in Microsoft SQL drivers and likely share a common root cause. There were also fixes for twenty-six Secure Boot bypasses released this month, including two from Lenovo.

The number of bugs in each vulnerability category is listed below:

The total count of 150 flaws does not include 5 Microsoft Edge flaws fixed on April 4th and 2 Mariner flaws. Mariner is an open-source Linux distribution developed by Microsoft for its Microsoft Azure services.

To learn more about the non-security updates released today, you can review our dedicated article on the new Windows 10 KB5036892 cumulative update.

Two zero-days fixed

This month's Patch Tuesday fixed two zero-day vulnerabilities actively exploited in malware attacks. Microsoft initially failed to mark the zero-days as actively exploited, but Sophos and Trend Micro shared information on how they were exploited in attacks.

Below is a summary of the zero-days, with more details provided in a dedicated article.

CVE-2024-26234 - Proxy Driver Spoofing Vulnerability

Sophos shared that this CVE is assigned to a malicious driver signed with a valid Microsoft Hardware Publisher Certificate. The driver was used to deploy a backdoor previously disclosed by Stairwell.

Team lead Christopher Budd told BleepingComputer that previous drivers reported to Microsoft did not receive a CVE; instead, an advisory was issued. It is unclear why a CVE was released today for this driver, unless it is because a valid Microsoft Hardware Publisher Certificate signed it.

CVE-2024-29988 - SmartScreen Prompt Security Feature Bypass Vulnerability

CVE-2024-29988 is a patch bypass for the CVE-2024-21412 flaw (itself a patch bypass for CVE-2023-36025), which allows attachments to bypass Microsoft Defender SmartScreen prompts when the file is opened.

This was used by the financially motivated Water Hydra hacking group to target forex trading forums and stock trading Telegram channels in spearphishing attacks that deployed the DarkMe remote access trojan (RAT).

Researchers from Varonis also disclosed two Microsoft SharePoint zero-days that make it harder to detect when files are downloaded from servers.

"Technique #1: Open in App Method

The first technique uses the code enabling the “open in app” feature in SharePoint to access and download files while only leaving an access event in the file’s audit log. This method can be executed manually or automated through a PowerShell script, allowing for the rapid exfiltration of many files.

Technique #2: SkyDriveSync User-Agent

The second technique uses the User-Agent for Microsoft SkyDriveSync to download files or even entire sites while mislabeling events as file syncs instead of downloads."

Microsoft has not assigned CVEs to the two flaws and they have been added to the patching backlog, with no timeline as to when they will be fixed.

Recent updates from other companies

Other vendors who released security updates or vulnerability advisories in April 2024 include:

The April 2024 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the April 2024 Patch Tuesday updates. To access the full description of each vulnerability and the systems it affects, you can view the full report here.
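The two Varonis SharePoint techniques quoted above both work by making a bulk download look like something else in the audit log: a burst of FileAccessed events with no FileDownloaded event (open in app), or FileSyncDownloadedFull events carrying the OneDrive sync client's user agent (SkyDriveSync). Since there is no patch, the practical response is detection over the audit log. The script below is an added example written for this article, not code from Varonis or Microsoft. It assumes Microsoft 365 Unified Audit Log records as JSON lines with the fields CreationTime, Operation, UserId, ObjectId, UserAgent and ClientIP; the sample records, the burst threshold (20 reads in 10 minutes with no download) and the per-user sync IP baseline are all constructed for illustration and are not published detection logic.

```python
"""Added example: spot the two SharePoint audit-evasion patterns in Unified Audit Log data.

Assumptions (not from the article): UAL field names as used below, the burst
threshold, and the sync IP baseline are illustrative choices for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _rec(t, op, user, obj, ua, ip):
    """Build one constructed UAL-style record as a JSON line (assumed field names)."""
    return json.dumps({
        "CreationTime": t.strftime("%Y-%m-%dT%H:%M:%S"),
        "Operation": op, "UserId": user, "ObjectId": obj,
        "UserAgent": ua, "ClientIP": ip, "Workload": "SharePoint",
    })


BASE = datetime(2024, 4, 9, 14, 0, 0)
_BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
# The legitimate OneDrive client presents a "Microsoft SkyDriveSync" user agent too,
# which is exactly why technique #2 blends in; the string here is a constructed sample.
_SYNC = "Microsoft SkyDriveSync 24.020.0128.0001 ship; Windows NT 10.0 (19045)"
_SITE = "https://contoso.sharepoint.com/sites/finance/"

_lines = []
# alice: 25 "open in app" style reads in under five minutes, no FileDownloaded event
for i in range(25):
    _lines.append(_rec(BASE + timedelta(seconds=12 * i), "FileAccessed",
                       "alice@example.com", f"{_SITE}doc{i}.docx", _BROWSER, "198.51.100.7"))
# bob: normal browsing followed by one explicit download
_lines.append(_rec(BASE, "FileAccessed", "bob@example.com", f"{_SITE}readme.docx", _BROWSER, "203.0.113.5"))
_lines.append(_rec(BASE + timedelta(minutes=1), "FileDownloaded", "bob@example.com",
                   f"{_SITE}readme.docx", _BROWSER, "203.0.113.5"))
# carol: full-sync download with the sync UA from an IP never seen syncing for her
_lines.append(_rec(BASE, "FileSyncDownloadedFull", "carol@example.com", f"{_SITE}q1.xlsx", _SYNC, "198.51.100.7"))
# dave: routine OneDrive sync from his usual IP
_lines.append(_rec(BASE, "FileSyncDownloadedFull", "dave@example.com", f"{_SITE}notes.docx", _SYNC, "203.0.113.9"))
SAMPLE_LOG = "\n".join(_lines)  # constructed sample, not real telemetry

# Constructed baseline: IPs from which each user's OneDrive client has previously synced.
SYNC_BASELINE = {"carol@example.com": {"203.0.113.5"}, "dave@example.com": {"203.0.113.9"}}


def parse_records(text):
    """Parse JSON-lines audit records and sort them by CreationTime."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        r["_time"] = datetime.strptime(r["CreationTime"], "%Y-%m-%dT%H:%M:%S")
        recs.append(r)
    return sorted(recs, key=lambda r: r["_time"])


def detect_access_bursts(records, threshold=20, window=timedelta(minutes=10)):
    """Technique #1: a user with >= threshold FileAccessed events inside one window
    and no FileDownloaded event in that window. Returns the largest such burst per user."""
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] in ("FileAccessed", "FileDownloaded"):
            by_user[r["UserId"]].append(r)
    findings = []
    for user, evs in by_user.items():
        accessed = [e["_time"] for e in evs if e["Operation"] == "FileAccessed"]
        downloaded = [e["_time"] for e in evs if e["Operation"] == "FileDownloaded"]
        best, start = None, 0
        for end in range(len(accessed)):  # sliding window over sorted access times
            while accessed[end] - accessed[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and not any(accessed[start] <= d <= accessed[end] for d in downloaded):
                if best is None or count > best["count"]:
                    best = {"user": user, "count": count, "first": accessed[start], "last": accessed[end]}
        if best:
            findings.append(best)
    return findings


def detect_unexpected_sync(records, baseline):
    """Technique #2: FileSyncDownloadedFull with the SkyDriveSync user agent from an IP
    outside the user's sync baseline. The user agent alone is not a signal."""
    findings = []
    for r in records:
        if r["Operation"] != "FileSyncDownloadedFull" or "SkyDriveSync" not in r.get("UserAgent", ""):
            continue
        if r["ClientIP"] not in baseline.get(r["UserId"], set()):
            findings.append({"user": r["UserId"], "ip": r["ClientIP"], "object": r["ObjectId"]})
    return findings


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for f in detect_access_bursts(recs):
        print(f"[open-in-app burst] {f['user']}: {f['count']} reads, no download, {f['first']} .. {f['last']}")
    for f in detect_unexpected_sync(recs, SYNC_BASELINE):
        print(f"[sync from new IP] {f['user']} from {f['ip']} pulled {f['object']}")
```

Run against a real export by replacing SAMPLE_LOG with the AuditData column of Search-UnifiedAuditLog output, one JSON object per line. The baseline check matters because matching the SkyDriveSync user agent by itself would flag every legitimate OneDrive client; the burst check deliberately ignores which endpoint was hit, since the point of technique #1 is that only an access event is written.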
Daily Brief Summary
Microsoft's April 2024 Patch Tuesday included updates for 150 security vulnerabilities, 67 of them remote code execution (RCE) flaws, but only three rated critical.
Over half of the RCE issues pertained to Microsoft SQL drivers exhibiting a potentially shared vulnerability.
Notably, this update cycle addressed two zero-day vulnerabilities that were being actively exploited in malware attacks, which Microsoft initially failed to report as exploited.
One zero-day, CVE-2024-26234, is a malicious driver signed with a valid Microsoft Hardware Publisher Certificate and used to deploy a backdoor previously disclosed by Stairwell.
The other, CVE-2024-29988, lets attachments bypass Microsoft Defender SmartScreen prompts; the Water Hydra group used it in spearphishing against forex trading forums and stock trading Telegram channels to deploy the DarkMe RAT.
The release also included fixes for 26 Secure Boot bypasses, two of them from Lenovo.
Two SharePoint flaws disclosed by Varonis, which let files be downloaded while the audit log records only an access event or a file sync, remain unpatched with no CVEs assigned and no fix timeline.