If only Patch Tuesdays came around as rarely as a total solar eclipse, instead of creeping up on us every month like the Man in the Moon. Although, to be fair, it would be hard for Microsoft to eclipse the number of vulnerabilities fixed in this month's patch batch: a record 147 flaws in Windows and related software.
Yes, you read that right. Microsoft today released updates to address 147 security vulnerabilities in Windows, Office, Azure, .NET Framework, Visual Studio, SQL Server, DNS Server, Windows Defender, BitLocker, and Windows Secure Boot.
"This is Microsoft's biggest release of the year and the biggest release since at least 2017," said Dustin Childs of Trend Micro's Zero-Day Initiative (ZDI). "As far as I know, this is Microsoft's largest Patch Tuesday release ever."
Once again this month, there are no known zero-day vulnerabilities threatening Windows users. There are a huge number of patches this month, and many of the bugs are of medium severity. Only three of April’s vulnerabilities received Microsoft’s most feared “critical” rating, meaning they could be abused by malware or malcontents to remotely take control of unpatched systems without user help.
Most of the flaws that Microsoft considers “more likely to be exploited” this month are marked as “important,” which typically involve bugs that require more user interaction (social engineering) but can still lead to system security bypasses, compromises, and the theft of critical assets.
Ben McCarthy, chief cybersecurity engineer at Immersive Labs, called attention to CVE-2024-20670, an Outlook for Windows spoofing vulnerability described as easy to exploit. It involves convincing a user to click on a malicious link in an email, which can then leak the user's password hash and let the attacker authenticate as that user to other Microsoft services.
Another bug McCarthy flagged is CVE-2024-29063, which involves hard-coded credentials in Azure's search backend infrastructure that could be gleaned through Azure AI Search.
"This, along with the many other AI attacks in the news recently, shows a potential new attack surface that we are learning how to mitigate," McCarthy said. "Microsoft has updated their backend and notified any customers whose credentials were compromised."
CVE-2024-29988 is a vulnerability that allows attackers to bypass Windows SmartScreen, a Microsoft technology designed to give end users additional protection against phishing and malware attacks. Childs said a ZDI researcher found the vulnerability being exploited, although Microsoft does not currently list CVE-2024-29988 as an exploited vulnerability.
"Until Microsoft clarifies, I'm going to treat this as in the wild," Childs said. "The bug itself behaves very much like CVE-2024-21412 [the zero-day threat from February] in that it bypasses the Mark of the Web (MotW) feature and allows malware to execute on the target system. Threat actors are sending exploits in a compressed file to evade EDR/NDR detection and then using this bug (and others) to bypass Mark of the Web."
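The Mark of the Web that Childs refers to is, on NTFS, an alternate data stream named Zone.Identifier that browsers and mail clients write next to a downloaded file; SmartScreen consults it before letting the file run, and an archive bypass works by getting files onto disk without that stream (or with a zone that SmartScreen trusts). The following is an added example, not code from the KrebsOnSecurity post, from ZDI or from Microsoft: it parses the Zone.Identifier format, classifies the recorded zone, and checks whether every member extracted from a marked archive still carries the mark. The stream contents, the file names and the "example.invalid" URLs are constructed for this example; the zone numbers are the standard URLMon security-zone constants.

```python
"""Check Mark of the Web (MotW) propagation from an archive to its extracted members.

Added example (not from the original post). The Zone.Identifier stream is
INI-style text with a [ZoneTransfer] section; ZoneId 3 (Internet) or 4
(Restricted sites) is what makes SmartScreen treat a file as untrusted.
The sample stream contents below are constructed for this example.
"""
import os
from typing import Optional

# URLMon security zones as recorded in the ZoneId field.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}
UNTRUSTED_ZONES = {3, 4}


def parse_zone_identifier(stream: str) -> dict:
    """Parse the [ZoneTransfer] block of a Zone.Identifier stream.

    Returns the key/value pairs as a dict, with ZoneId converted to int.
    Raises ValueError if there is no ZoneTransfer section or no ZoneId.
    """
    section = None
    fields = {}
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    if "ZoneId" not in fields:
        raise ValueError("no ZoneTransfer/ZoneId in stream")
    fields["ZoneId"] = int(fields["ZoneId"])
    return fields


def has_mark_of_the_web(stream: Optional[str]) -> bool:
    """True when the stream marks the file as coming from an untrusted zone.

    A missing stream (None) or a stream relabelled to a trusted zone is exactly
    what a bypass produces, so both count as unmarked.
    """
    if stream is None:
        return False
    try:
        return parse_zone_identifier(stream)["ZoneId"] in UNTRUSTED_ZONES
    except ValueError:
        return False


def read_zone_identifier(path: str) -> Optional[str]:
    """Read a file's Zone.Identifier ADS on NTFS; None if absent.

    Alternate data streams exist only on Windows/NTFS; elsewhere this returns None.
    """
    if os.name != "nt":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def find_unmarked_members(archive_stream: Optional[str], members: dict) -> list:
    """Return names of extracted members that lack MotW although the archive had it.

    members maps member filename -> its Zone.Identifier content (or None).
    An archive that was never marked has nothing to propagate, so the result
    is empty; the gap being checked is archive-marked, member-unmarked.
    """
    if not has_mark_of_the_web(archive_stream):
        return []
    return sorted(name for name, stream in members.items() if not has_mark_of_the_web(stream))


# Constructed sample streams, in the format Windows writes them.
ARCHIVE_STREAM = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/invoice.zip\r\n"
)
MEMBER_STREAMS = {
    "invoice.pdf.lnk": None,                          # extracted with no ADS at all
    "readme.txt": "[ZoneTransfer]\r\nZoneId=3\r\n",   # mark propagated correctly
    "setup.exe": "[ZoneTransfer]\r\nZoneId=1\r\n",    # relabelled as intranet: unmarked
}

if __name__ == "__main__":
    for name in find_unmarked_members(ARCHIVE_STREAM, MEMBER_STREAMS):
        print(f"{name}: no Mark of the Web, SmartScreen will not prompt")
```

Whether an extractor copies the stream onto each member depends on the tool doing the extraction, which is why a check like this belongs in a triage script rather than being assumed. The example does not reproduce how CVE-2024-29988 or CVE-2024-21412 defeat the mark; the post gives no such detail, and the code only shows what the mark is and how to notice that it is gone.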
Satnam Narang at Tenable noted that this month's release includes fixes for two dozen bugs in Windows Secure Boot, most of which Microsoft rates "exploitation unlikely."
"However, the last time Microsoft patched a flaw in Windows Secure Boot, in May 2023, it had a significant impact, as it was exploited in the wild and linked to the BlackLotus UEFI bootkit, which was sold on dark web forums for $5,000," Narang said. "BlackLotus can bypass a feature called Secure Boot, which is designed to prevent malware from loading at boot. While none of the Secure Boot vulnerabilities addressed this month have been exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we may see more malicious activity related to Secure Boot in the future."
For links to individual security advisories indexed by severity, check out ZDI’s blog and SANS Internet Storm Center’s Patch Tuesday posts. Please consider backing up your data or drives before updating, and if you encounter any problems applying these fixes, please leave a note in the comments here.
Adobe today released nine patches that address at least two dozen vulnerabilities in a range of software products, including Adobe After Effects, Photoshop, Commerce, InDesign, Experience Manager, Media Encoder, Bridge, Illustrator, and Adobe Animate.
KrebsOnSecurity needs to correct the record on a point from the late-March "Fat Patch Tuesday" post, which looked at the new AI capabilities built into Adobe Acrobat and enabled by default. Adobe has since clarified that its apps do not use AI to automatically scan your documents, as the original language in its FAQ suggested.
"In practice, no document scanning or analysis occurs unless the user actively engages with the AI features by agreeing to the terms, opening a document, and selecting the AI Assistant or Generate Summary button for that specific document," Adobe said earlier this month.