April 9, 2024

If only Patch Tuesdays came around infrequently — like total solar eclipse rare — instead of just creeping up on us each month like The Man in the Moon. Although to be fair, it would be tough for Microsoft to eclipse the number of vulnerabilities fixed in this month’s patch batch — a record 147 flaws in Windows and related software.

Yes, you read that right. Microsoft today released updates to address 147 security holes in Windows, Office, Azure, .NET Framework, Visual Studio, SQL Server, DNS Server, Windows Defender, BitLocker, and Windows Secure Boot.

“This is the largest release from Microsoft this year and the largest since at least 2017,” said Dustin Childs, from Trend Micro’s Zero Day Initiative (ZDI). “As far as I can tell, it’s the largest Patch Tuesday release from Microsoft of all time.”

Tempering the sheer volume of this month’s patches is the middling severity of many of the bugs. Only three of April’s vulnerabilities earned Microsoft’s most-dire “critical” rating, meaning they can be abused by malware or malcontents to take remote control over unpatched systems with no help from users.

Most of the flaws that Microsoft rates “Exploitation More Likely” this month carry the lesser “important” rating, which usually means the bug needs some user interaction (social engineering) to trigger but can nevertheless lead to a security bypass, system compromise, and the theft of critical assets.

Ben McCarthy, lead cyber security engineer at Immersive Labs, called attention to CVE-2024-20670, an Outlook for Windows spoofing vulnerability described as being easy to exploit. It involves convincing a user to click on a malicious link in an email, which leaks the user’s NTLM password hash to an attacker-controlled server; the attacker can then use that hash to authenticate as the user to another Microsoft service.
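The patch closes this particular bug, but the class (a link or document that coerces Windows into authenticating to an outside host and handing over NTLM material) recurs. The following PowerShell script is an added example written for this page, not Microsoft’s or Immersive Labs’ code; it audits the two host-side controls that limit what such a leak can achieve: the “Restrict NTLM: Outgoing NTLM traffic to remote servers” policy (stored under the `MSV1_0` LSA key) and an outbound firewall block on SMB (TCP 445) to Internet addresses. The function and variable names are mine; the registry path, value meanings and firewall cmdlets are standard Windows ones.

```powershell
# Added example (not from the original post): audit the host-side controls that
# blunt NTLM-hash-leak bugs of the CVE-2024-20670 type. Patching fixes this bug;
# these settings limit the blast radius of the next one. Run from an elevated shell.

function Get-NtlmLeakExposure {
    # 1. "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
    #    0 = allow all, 1 = audit all, 2 = deny all (value absent == allow all).
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $restrict = (Get-ItemProperty -Path $lsaKey -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    if ($null -eq $restrict) { $restrict = 0 }

    # 2. An enabled outbound block rule for SMB (TCP 445) towards Internet (or any)
    #    addresses, so a coerced connection to an attacker's share never leaves the LAN.
    $smbBlock = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $af = $_ | Get-NetFirewallAddressFilter
            ($pf.Protocol -eq 'TCP') -and ($pf.RemotePort -contains '445') -and
            (($af.RemoteAddress -contains 'Internet') -or ($af.RemoteAddress -contains 'Any'))
        }

    [pscustomobject]@{
        OutgoingNtlmPolicy   = @{0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all'}[[int]$restrict]
        OutboundSmbBlockRule = if ($smbBlock) { $smbBlock.DisplayName -join '; ' } else { $null }
        # Exposed == neither control is in place: a leaked hash would reach the attacker.
        Exposed              = ([int]$restrict -ne 2) -and (-not $smbBlock)
    }
}

$report = Get-NtlmLeakExposure
$report | Format-List

if ($report.Exposed) {
    Write-Warning 'No outbound SMB block and outgoing NTLM not denied: an Outlook-style hash leak would succeed.'
    # Remediation candidates (review before applying; "Deny all" breaks NTLM-only shares):
    #   New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet' -Direction Outbound `
    #       -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Action Block
    #   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
    #       -Name RestrictSendingNTLMTraffic -Value 1    # audit first, then 2 to deny
}
```

Blocking outbound 445 at the perimeter is the lower-risk change and stops the common case (a UNC path or WebDAV-less SMB target on the Internet); setting the NTLM policy to “Audit all” for a few weeks before moving to “Deny all” shows which internal systems still depend on NTLM.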

Another interesting bug McCarthy pointed to is CVE-2024-29063, which involves hard-coded credentials in Azure’s search backend infrastructure that could be gleaned by taking advantage of Azure AI search.

“This along with many other AI attacks in recent news shows a potential new attack surface that we are just learning how to mitigate against,” McCarthy said. “Microsoft has updated their backend and notified any customers who have been affected by the credential leakage.”

CVE-2024-29988 is a weakness that allows attackers to bypass Windows SmartScreen, a technology Microsoft designed to provide additional protections for end users against phishing and malware attacks. Childs said one of ZDI’s researchers found this vulnerability being exploited in the wild, although Microsoft doesn’t currently list CVE-2024-29988 as being exploited.

“I would treat this as in the wild until Microsoft clarifies,” Childs said. “The bug itself acts much like CVE-2024-21412 – a [zero-day threat from February] that bypassed the Mark of the Web feature and allows malware to execute on a target system. Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass Mark of the Web.”
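Mark of the Web is just an NTFS alternate data stream named `Zone.Identifier`; SmartScreen and Office Protected View key off `ZoneId=3` (“Internet”) in it. The bypass Childs describes works because that stream often does not survive the trip out of an archive. The PowerShell below is an added example for this page (not ZDI’s or Microsoft’s code) that lets you see this for yourself: it creates a throwaway zip, stamps it with MotW the way a browser download would, extracts it, and then reports which files in the folder still carry the stream. Everything under `$env:TEMP` is constructed by the script; the file and folder names are placeholders.

```powershell
# Added example (not from the original post): inspect and exercise Mark of the Web.
# MotW lives in the Zone.Identifier alternate data stream; ZoneId=3 means "Internet"
# and is what makes SmartScreen and Office Protected View engage.
# Requires Windows with an NTFS %TEMP%. Names below are constructed for the demo.

function Get-MotwStatus {
    # Walk a folder and report whether each file carries a Zone.Identifier stream.
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $zoneId = $null
        $source = $null
        $stream = Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($stream) {
            foreach ($line in (Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier)) {
                if     ($line -match '^ZoneId=(\d+)')             { $zoneId = [int]$Matches[1] }
                elseif ($line -match '^(ReferrerUrl|HostUrl)=(.+)') { $source = $Matches[2] }
            }
        }
        [pscustomobject]@{
            File    = $_.FullName
            HasMotw = [bool]$stream
            ZoneId  = $zoneId    # 0 local, 1 intranet, 2 trusted, 3 internet, 4 restricted
            Source  = $source
        }
    }
}

# --- Demo: build a "downloaded" zip, extract it, and compare ---
$work = Join-Path $env:TEMP ('motw-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null

# 1. A harmless placeholder file inside a zip (stands in for the lure in a real campaign).
$inner = Join-Path $work 'inner'
New-Item -ItemType Directory -Path $inner | Out-Null
Set-Content -Path (Join-Path $inner 'invoice.txt') -Value 'placeholder'
$zip = Join-Path $work 'invoice.zip'
Compress-Archive -Path (Join-Path $inner '*') -DestinationPath $zip

# 2. Stamp the zip as if a browser had downloaded it from the Internet.
Set-Content -Path $zip -Stream Zone.Identifier `
    -Value "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=https://example.invalid/invoice.zip"

# 3. Extract it, then check whether the contents inherited the mark.
$out = Join-Path $work 'extracted'
Expand-Archive -Path $zip -DestinationPath $out

Get-MotwStatus -Path $work | Format-Table -AutoSize
# Expect: invoice.zip HasMotw=True ZoneId=3; the extracted invoice.txt typically has none.
```

Whether the extracted copy keeps the stream depends entirely on the extractor: Explorer’s built-in zip handler propagates it, while PowerShell’s `Expand-Archive` and a number of third-party archivers (in their default configuration) do not, which is precisely the gap the zipped-lure technique relies on. Running `Get-MotwStatus` over a user’s Downloads folder is a cheap way to see how much of what arrives there is actually covered by SmartScreen.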

Update, 7:46 p.m. ET: A previous version of this story said there were no zero-day vulnerabilities fixed this month. BleepingComputer reports that Microsoft has since confirmed that there are actually two zero-days. One is the SmartScreen bypass Childs just mentioned (CVE-2024-29988), and the other is CVE-2024-26234, described as a “proxy driver spoofing” weakness.

Satnam Narang at Tenable notes that this month’s release includes fixes for two dozen flaws in Windows Secure Boot, the majority of which are considered “Exploitation Less Likely” according to Microsoft.

“However, the last time Microsoft patched a flaw in Windows Secure Boot, in May 2023, it had a notable impact, as it was exploited in the wild and linked to the BlackLotus UEFI bootkit, which was sold on dark web forums for $5,000,” Narang said. “BlackLotus can bypass functionality called Secure Boot, which is designed to block malware from being able to load when booting up. While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future.”

For links to individual security advisories indexed by severity, check out ZDI’s blog and the Patch Tuesday post from the SANS Internet Storm Center. Please consider backing up your data or your drive before updating, and drop a note in the comments here if you experience any issues applying these fixes.

Adobe today released nine patches tackling at least two dozen vulnerabilities in a range of software products, including Adobe After Effects, Photoshop, Commerce, InDesign, Experience Manager, Media Encoder, Bridge, Illustrator, and Adobe Animate.

KrebsOnSecurity needs to correct the record on a point mentioned at the end of March’s “Fat Patch Tuesday” post, which looked at new AI capabilities built into Adobe Acrobat that are turned on by default. Adobe has since clarified that its apps won’t use AI to auto-scan your documents, as the original language in its FAQ suggested.

“In practice, no document scanning or analysis occurs unless a user actively engages with the AI features by agreeing to the terms, opening a document, and selecting the AI Assistant or generative summary buttons for that specific document,” Adobe said earlier this month.


13 thoughts on “April’s Patch Tuesday Brings Record Number of Fixes”

  1. roger tubby

    Is it just me (a single developer trying to stay on top of these), or is the Microsoft Vulnerabilities web page missing a critical sorting/filtering element: which component of their software is affected?

    I think I’ve seen that before and definitely see it in the CISA pages. Why wouldn’t we be able to look for software that we have installed in order to fix those with the highest vulnerability/impact/in-use numbers?

    1. D Dean

      If you do the download (Excel) sheet you can sort and filter.

    2. Catwhisperer

      Ideally we would be able to type in a search box, a vendor or plugin name or a CVE score range. I resort to CTRL-F then “9.” now on a browser, but come on CISA, really? There must be a reason why basic search isn’t implemented that only .gov is privy to…

      One laptop updated flawlessly, an older Dell. The newer HP laptop ignored update Tuesday, behaving very similarly to how my Linux machine acts. We’ll have to debug that, LOL… Ah, I miss the excitement of update Tuesdays on Windows Datacenter on the organization’s Dell blade server running everything like financing, HR, etc…

  2. Dennis

    Oh seriously, Adobe AfterEffects has bugs?

  3. Isaac King

    Is it possible to find a complete description of these bugs anywhere, or does Microsoft not release those? I was curious about the details of CVE-2024-29063, but couldn’t find anything more than the minimal score metrics and FAQ on the msrc page.

    1. Cyber G

      It is probably a good thing that vendors not be entirely candid about their patching, or at least not at first. They can scan the internet looking for unpatched software, and with the vendor’s well intentioned help, use the vuln description in effect as a zero day.

  4. Abdullah Imran

    Hi,

    Hoping you are all fine!

    I have visited your site krebsonsecurity.com and read the different articles over there. I am deeply impressed by your vision and methodology.
    I want to publish some sponsored posts on your site with your kind permission.
    If you also think equal to it, kindly let me know the price per post with a do-follow link. I shall be highly obliged to you for this favour.

    Waiting anxiously for a positive reply,
    Abdullah

  5. joe

    My computers have outbound traffic on IP 42.250.190.xxx to a site in China. is this Chinese hacking traffic?

  6. Errol F Duronslet

    Hi Brian. For the last few “Patch Tuesdays”, a security update for Windows 10, Version 22H2 (KB5034441) has failed to download and install. Error 0x80070643. I have Best Buy Geek Squad check the computer once a month, and once a senior technician told me Microsoft is aware of the problem and not to be too concerned about it. All the other updates download with no problems. Should I be concerned about this update?
    Thanks

    1. BrianKrebs Post author

      I don’t know, but from what I’ve read on this error and KB listing, probably there is not enough space in your computer’s recovery partition to install the update (you might also check how much space is available to Windows).

      But it seems like fixing this error so that the patch can be installed requires messing with partition sizes, which is definitely not for the faint of heart and can result in a fubared system if you’re not careful.

      1. polbel

        I started in IT in 1979 and didn’t find this one easy, so the average end-user might want to study partitioning a while and make a full verified image of his disk before having a go at this issue.
        I had a look at this when it popped out in January’s updates and I wonder what code M$ tries to hide in the boot partition, so large it needs an extra 500MB to store it there (bet on fixing UEFI security with more obfuscation). Using EaseUS Partition Master it is possible to reduce the C: partition by 1 GB to create unused space between it and the boot partition on MBR drives so the boot partition can be enlarged by enough to fix the update error. It is a bit less simple on GPT drives but can be done also. Since then I have seen partitions in different orderings, so your case can be different depending on your specific partitions. Companies making partitioning software have explanations that will help you figure out your precise situation. I get ~50% success at first try…
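Before touching any partition, it helps to know exactly which partition holds WinRE, how big it is, and whether C: can actually give up space. The PowerShell below is an added example written for this page (not Microsoft’s published resize script and not anything the commenters above ran); it only reads, never writes. It parses `reagentc /info`, looks the WinRE partition up with the storage cmdlets, and reports the shrink headroom of C: from `Get-PartitionSupportedSize`. The 250 MB figure is the amount Microsoft’s manual-resize guidance for this update adds to the recovery partition; it is not from the article above. Function and property names are mine. Run it from an elevated PowerShell.

```powershell
# Added example (not from the original thread): read-only diagnosis of the
# KB5034441 / 0x80070643 failure. The update needs free space in the WinRE
# (recovery) partition; Microsoft's manual-resize guidance grows it by 250 MB.
# This script only reports. Resizing is left to you (image the disk first).
# Requires an elevated PowerShell on Windows 10/11.

function Get-WinReLayout {
    $info = reagentc /info 2>&1 | Out-String
    if ($info -notmatch 'Windows RE status:\s*(\w+)') {
        throw 'reagentc /info returned no status; run this from an elevated shell.'
    }
    $status = $Matches[1]

    # Location line looks like: \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
    $disk = $null; $part = $null
    if ($info -match 'harddisk(\d+)\\partition(\d+)') {
        $disk = [int]$Matches[1]; $part = [int]$Matches[2]
    }

    $rePartition = if ($null -ne $disk) { Get-Partition -DiskNumber $disk -PartitionNumber $part } else { $null }
    $osPartition = Get-Partition -DriveLetter C
    $shrink      = Get-PartitionSupportedSize -DriveLetter C   # SizeMin = smallest C: can become

    [pscustomobject]@{
        WinReStatus        = $status
        WinReDisk          = $disk
        WinRePartition     = $part
        WinReSizeMB        = if ($rePartition) { [math]::Round($rePartition.Size / 1MB) } else { $null }
        # The simple shrink-C:/extend-WinRE recipe only works when WinRE sits right after C:.
        WinReFollowsOs     = [bool]($rePartition -and $osPartition.DiskNumber -eq $disk -and $part -eq ($osPartition.PartitionNumber + 1))
        OsShrinkHeadroomMB = [math]::Round(($osPartition.Size - $shrink.SizeMin) / 1MB)
        PartitionStyle     = (Get-Disk -Number $osPartition.DiskNumber).PartitionStyle   # MBR or GPT
    }
}

$layout = Get-WinReLayout
$layout | Format-List

if ($layout.WinReStatus -ne 'Enabled') {
    Write-Warning 'WinRE is disabled; the update has nothing to service until it is re-enabled (reagentc /enable).'
} elseif ($layout.OsShrinkHeadroomMB -lt 250) {
    Write-Warning 'C: cannot be shrunk by 250 MB; unmovable files (pagefile, hiberfil) or low free space are in the way.'
} elseif (-not $layout.WinReFollowsOs) {
    Write-Warning 'WinRE is not the partition immediately after C:; a plain shrink-and-extend will not work on this layout.'
}
```

The three warnings map onto the three ways this update commonly gets stuck: no WinRE to service at all, no room to shrink the OS volume, or a layout where the recovery partition is not adjacent to C:, which is the case polbel describes where the recipe has to be adapted to the specific disk.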
