Microsoft Patch Tuesday: 149 Security Vulnerabilities & Zero-days

On April Patch Tuesday, Microsoft fixed 149 bugs—one of the biggest security update releases in the company’s history. 

Many of its software products, such as Microsoft Office and its SQL Server database package, have fixed vulnerabilities.

The majority of vulnerabilities are in the Windows operating system, and nine CVEs were found in the Azure cloud platform.

Three of the 149 issues are classified as Critical, 142 as Important, three as Moderate, and one as Low in severity.

The update also addresses a vulnerability tracked as CVE-2024-26234, which is currently being exploited.

Details Of The Flaw Exploited In The Wild

CVE-2024-26234 – Proxy Driver Spoofing Vulnerability

Proxy driver spoofing vulnerability is tracked as CVE-2024-26234 and has a CVSS rating 6.7.

An attacker would require high privileges to take over the system, exploit the vulnerability, and spoof the proxy driver.

Microsoft fixed this zero-day vulnerability that impacted Windows desktop and server operating systems and was made public.

Administrators should promptly install the Windows cumulative update on their systems to prevent a security compromise, as this vulnerability is actively exploited in the wild.

Critical Flaws Addressed

CVE-2024-21322 – Microsoft Defender For IoT Remote Code Execution Vulnerability

This vulnerability, which has a CVSS base score of 7.2, is classified as critical for Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

“Successful exploitation of this vulnerability requires the attacker to be an administrator of the web application. As is best practice, regular validation and audits of administrative groups should be conducted”, Microsoft said.

CVE-2024-21323 – Microsoft Defender For IoT Remote Code Execution Vulnerability

Microsoft Defender for IoT Remote Code Execution Vulnerability has a base CVSS score of 8.8.

For the IoT sensor to successfully exploit this issue, the attacker must be able to deliver a malicious update package over the network to the Defender.

The attacker first needs to establish their identity and obtain the required authorization to start the update procedure. 

“Successfully exploiting this path traversal vulnerability would require an attacker to send a tar file to the Defender for IoT sensor.”

Microsoft said that after the extraction process, the attacker could send unsigned update packages and overwrite any file they chose.

CVE-2024-29053 – Microsoft Defender For IoT Remote Code Execution Vulnerability

This is also a critical Microsoft Defender for IoT,  Remote Code Execution Vulnerability, with a CVSS base score of 8.8. 

Any authorized attacker can exploit this vulnerability. Admin or other advanced rights are not needed.

“An authenticated attacker with access to the file upload feature could exploit this path traversal vulnerability by uploading malicious files to sensitive locations on the server,” Microsoft.

Azure Vulnerabilities Addressed

• CVE-2024-29993 – Azure
• CVE-2024-29063 – Azure AI Search
• CVE-2024-28917- Azure Arc
• CVE-2024-21424 – Azure Compute Gallery
• CVE-2024-26193 – Azure Migrate
• CVE-2024-29989 – Azure Monitor
• CVE-2024-20685- Azure Private 5G Core
• CVE-2024-29990 – Microsoft Azure Kubernetes Service

Additionally, 41 SQL Server fixes have been released, all of which address issues related to remote code execution.

In addition to the vulnerabilities addressed in this month’s Patch Tuesday release, Microsoft has republished six CVEs.

It is recommended that users upgrade the impacted products to prevent threat actors from exploiting these vulnerabilities.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.