If only Patch Tuesdays came around infrequently – like a total solar eclipse rare – instead of just creeping up on us each month like The Man in the Moon. Although, to be fair, it would be tough for Microsoft to eclipse the number of vulnerabilities fixed in this month’s patch batch – a record 147 flaws in Windows and related software.
Yes, you read that right. Microsoft released updates today to address 147 security holes in Windows, Office, Azure, .NET Framework, Visual Studio, SQL Server, DNS Server, Windows Defender, Bitlocker, and Windows Secure Boot.
“This is the largest release from Microsoft this year and the largest since at least 2017,” said Dustin Childs, from Trend Micro’s Zero Day Initiative (ZDI). “As far as I can tell, it’s the largest Patch Tuesday release from Microsoft of all time.”
Tempering the sheer volume of this month’s patches is the middling severity of many of the bugs. Only three of April’s vulnerabilities earned Microsoft’s most-dire “critical” rating, meaning they can be abused by malware or malcontents to take remote control over unpatched systems with no help from users.
Most of the flaws that Microsoft deems “more likely to be exploited” this month are marked as “important,” usually involving bugs that require a bit more user interaction (social engineering), but which nevertheless can result in system security bypass, compromise, and the theft of critical assets.
Ben McCarthy, lead cybersecurity engineer at Immersive Labs, called attention to CVE-2024-20670, an Outlook for Windows spoofing vulnerability described as being easy to exploit. It involves convincing a user to click on a malicious link in an email, which can then steal the user’s password hash and authenticate as the user in another Microsoft service.
Another interesting bug McCarthy pointed to is CVE-2024-29063, which involves hard-coded credentials in Azure’s search backend infrastructure that could be gleaned by taking advantage of Azure AI search.
“I would treat this as in the wild until Microsoft clarifies,” Childs said. “The bug itself acts much like CVE-2024-21412 – a [zero-day threat from February] that bypassed the Mark of the Web feature and allows malware to execute on a target system. Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass Mark of the Web.”
Adobe today released nine patches tackling at least two dozen vulnerabilities in a range of software products, including Adobe After Effects, Photoshop, Commerce, InDesign, Experience Manager, Media Encoder, Bridge, Illustrator, and Adobe Animate.
Now let’s dive into the implications of these patches and vulnerabilities. With the constant advancement of technology, it’s no surprise that software vulnerabilities are discovered and fixed on a regular basis. However, the staggering number of flaws in this month’s release is a cause for concern. It highlights the complexity and ever-evolving nature of modern software systems.
As technology continues to advance, so do the tactics and techniques of cybercriminals. They are constantly looking for vulnerabilities to exploit and gain unauthorized access to systems and data. Patching these vulnerabilities is crucial to maintaining the security and integrity of systems and protecting sensitive information.
The discovery of spoofing vulnerabilities, such as CVE-2024-20670, demonstrates the need for users to exercise caution when interacting with email and other forms of communication. It serves as a reminder that even seemingly harmless actions, like clicking on a link, can have severe consequences if it leads to the compromise of user credentials.
Additionally, the presence of hard-coded credentials in Azure’s search backend infrastructure highlights the importance of implementing robust security measures. The potential leakage of such credentials can provide attackers with unauthorized access to sensitive data and resources. It serves as a reminder for organizations to regularly review their security practices and ensure that proper measures are in place to prevent such incidents.
The discovery of vulnerabilities in Windows Secure Boot is a reminder that even seemingly secure features can be prone to exploitation. As cybercriminals become more sophisticated in their techniques, it is crucial for security professionals to remain vigilant and proactive in identifying and addressing potential vulnerabilities.
Looking ahead, it is likely that we will continue to see an increase in the discovery of software vulnerabilities. As technology becomes more integrated into our daily lives, the potential attack surface for cybercriminals expands. Organizations must prioritize cybersecurity and invest in robust security measures to protect their systems and data.
In conclusion, the release of 147 security patches by Microsoft highlights the ever-present threat of software vulnerabilities. It serves as a reminder for both individuals and organizations to take cybersecurity seriously and implement strong security practices. As technology continues to advance, so do the tactics of cybercriminals, making it essential for us to remain vigilant and proactive in protecting our systems and data.