Aggregator

【补丁日速递】2024年4月微软补丁日安全风险通告

How will the sudden emergence of artificial intelligence (AI) platforms such as ChatGPT influence future ransomware attacks? Right now, there are so many pessimistic answers to this question it can be hard to judge the real-world risk they pose. On the one hand, there’s no doubt that AI can easily be used to improve individual […]

The post AI Will Power a New Generation of Ransomware, Predicts Britain’s NCSC appeared first on Ransomware.org.

It’s the second Tuesday of the month, and Adobe and Microsoft have released a fresh crop of security updates. Take a break from your other activities and join us as we review the details of their latest advisories. If you’d rather watch the full video recap covering the entire release, you can check it out here:

Adobe Patches for April 2024

For April, Adobe released nine patches addressing 24 CVEs in Adobe After Effects, Photoshop, Commerce, InDesign, Experience Manager, Media Encoder, Bridge, Illustrator, and Adobe Animate. The largest of these updates is for Experience Manager, however, all of the bugs being patched are simple Cross-site Scripting (XSS) bugs. Still, if exploited, these Important-severity bugs could lead to code execution if exploited. The only other patches that address multiple CVEs are the fixes for Animate and Commerce. The patch for Animate addresses four bugs. Two of these are rated Critical and could lead to arbitrary code execution. The patch for Commerce also fixes two Critical-rated bugs, one XSS and one improper input validation bug. Both could lead to code execution.

Then we have several patches that are all info leaks due to an Out-Of-Bounds (OOB) read. These were all reported by the same person, and it makes me wonder if there is shared code between these products that makes them all vulnerable. In any case, After Effects, Photoshop, InDesign, Bridge, and Illustrator all fall into this category. That just leaves the update for Media Encoder. This patch fixes a single buffer overflow that could lead to code execution.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for April 2024

This month, Microsoft released a whopping 147 new CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and Visual Studio; SQL Server; DNS Server; Windows Defender; Bitlocker; and Windows Secure Boot. If you include the third-party CVEs being documented this month, the CVE count comes to 155. A total of three of these bugs came through the ZDI program. None of the bugs disclosed at Pwn2Own Vancouver are fixed with this release.

Of the new patches released today, only three are rated Critical, 142 are rated Important, and two are rated Moderate in severity. This is the largest release from Microsoft this year and the largest since at least 2017. As far as I can tell, it’s the largest Patch Tuesday release from Microsoft of all time. It’s not clear if this is due to a backlog from the slower months or a surge in vulnerability reporting. It will be interesting to see which trend continues.

None of the CVEs released today are listed as currently under active attack and none are listed as publicly known at the time of release. However, the bug reported by ZDI threat hunter Peter Girnus was found in the wild. We have evidence this is being exploited in the wild, and I’m listing it as such.

Let’s take a closer look at some of the more interesting updates for this month, starting with a bug we consider to be currently exploited in the wild:

-       CVE-2024-29988 – SmartScreen Prompt Security Feature Bypass Vulnerability
This is an odd one, as a ZDI threat researcher found this vulnerability being in the wild, although Microsoft currently doesn’t list this as exploited. I would treat this as in the wild until Microsoft clarifies. The bug itself acts much like CVE-2024-21412 – it bypasses the Mark of the Web (MotW) feature and allows malware to execute on a target system. Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass MotW.

-       CVE-2024-20678 – Remote Procedure Call Runtime Remote Code Execution Vulnerability
There is a long history of RPC exploits being seen in the wild, so any RPC bug that could lead to code execution turns heads. This bug does require authentication, but it doesn’t require any elevated permission. Any authenticated user could hit it. It’s not clear if you could hit this if you authenticated as Guest or an anonymous user. A quick search shows about 1.3 million systems with TCP port 135 exposed to the internet. I expect a lot of people will be looking to exploit this in short order.

-       CVE-2024-20670 – Outlook for Windows Spoofing Vulnerability
This bug is listed as a spoofing bug, but based on the end result of exploitation, I would consider this information disclosure. In this case, the information disclosed would be NTLM hashes, which could then be used for Spoofing targeted users. Either way, a user would need to click something in an email to trigger this vulnerability. The Preview Pane is NOT an attack vector. However, we have seen a rash of NTLM relaying bugs over the last few months. With the wide user base of Outlook, this will likely be targeted by threat actors in the coming months.

-       CVE-2024-26221 – Windows DNS Server Remote Code Execution Vulnerability
This is one of seven DNS RCE bugs being patched this month and all are documented identically. These bugs allow RCE on an affected DNS server if the attacker has the privileges to query the DNS server. There is a timing factor here as well, but if the DNS queries are timed correctly, the attacker can execute arbitrary code on the target server. Although not specifically stated, it seems logical that the code execution would occur at the level of the DNS service, which is elevated. I really don’t need to tell you that your DNS servers are critical targets, so please take these bugs seriously and test and deploy the patches quickly.

Here’s the full list of CVEs released by Microsoft for April 2024:

*Note that post-release, Microsoft confirmed CVE-2024-26234 is also under active attack. The table has been updated to reflect this new information

CVE Title Severity CVSS Public Exploited Type CVE-2024-29988 SmartScreen Prompt Security Feature Bypass Vulnerability Important 8.8 No Yes RCE CVE-2024-26234 Proxy Driver Spoofing Vulnerability Important 6.7 Yes Yes Spoofing CVE-2024-21322 Microsoft Defender for IoT Remote Code Execution Vulnerability Critical 7.2 No No RCE CVE-2024-21323 Microsoft Defender for IoT Remote Code Execution Vulnerability Critical 8.8 No No RCE CVE-2024-29053 Microsoft Defender for IoT Remote Code Execution Vulnerability Critical 8.8 No No RCE CVE-2024-21409 .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability Important 7.3 No No RCE CVE-2024-29063 † Azure AI Search Information Disclosure Vulnerability Important 7.3 No No Info CVE-2024-28917 † Azure Arc-enabled Kubernetes Extension Cluster-Scope Elevation of Privilege Vulnerability Important 6.2 No No EoP CVE-2024-21424 † Azure Compute Gallery Elevation of Privilege Vulnerability Important 6.5 No No EoP CVE-2024-29993 Azure CycleCloud Elevation of Privilege Vulnerability Important 8.8 No No EoP CVE-2024-26193 † Azure Migrate Remote Code Execution Vulnerability Important 6.4 No No RCE CVE-2024-29989 † Azure Monitor Agent Elevation of Privilege Vulnerability Important 8.4 No No EoP CVE-2024-20665 BitLocker Security Feature Bypass Vulnerability Important 6.1 No No SFB CVE-2024-26212 DHCP Server Service Denial of Service Vulnerability Important 7.5 No No DoS CVE-2024-26215 DHCP Server Service Denial of Service Vulnerability Important 7.5 No No DoS CVE-2024-26195 DHCP Server Service Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-26202 DHCP Server Service Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-26219 HTTP.sys Denial of Service Vulnerability Important 7.5 No No DoS CVE-2024-2201 * Intel: CVE-2024-2201 Branch History Injection Important 4.7 No No Info CVE-2024-23593 * Lenovo: CVE-2024-23593 Zero Out Boot Manager and drop to UEFI Shell Important 7.8 No No SFB CVE-2024-23594 * Lenovo: CVE-2024-23594 Stack Buffer Overflow in LenovoBT.efi Important 6.4 No No SFB CVE-2024-26256 libarchive Remote Code Execution Vulnerability Important 7.8 No No RCE CVE-2024-29990 † Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability Important 9 No No EoP CVE-2024-26213 Microsoft Brokering File System Elevation of Privilege Vulnerability Important 7 No No EoP CVE-2024-28904 Microsoft Brokering File System Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-28905 Microsoft Brokering File System Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-28907 Microsoft Brokering File System Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-21324 Microsoft Defender for IoT Elevation of Privilege Vulnerability Important 7.2 No No EoP CVE-2024-29054 Microsoft Defender for IoT Elevation of Privilege Vulnerability Important 7.2 No No EoP CVE-2024-29055 Microsoft Defender for IoT Elevation of Privilege Vulnerability Important 7.2 No No EoP CVE-2024-26257 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE CVE-2024-26158 Microsoft Install Service Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-26209 Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability Important 5.5 No No Info CVE-2024-26208 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-26232 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability Important 7.3 No No RCE CVE-2024-28929 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28930 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28931 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28932 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28933 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28934 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28935 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28936 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28937 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28938 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28941 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28943 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-29043 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28906 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28908 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28909 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28910 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28911 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28912 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28913 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28914 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28915 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28926 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28927 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28939 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28940 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28942 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28944 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28945 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-29044 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-29045 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 7.5 No No RCE CVE-2024-29046 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-29047 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-29048 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-29982 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-29983 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-29984 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-29985 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-26251 Microsoft SharePoint Server Spoofing Vulnerability Important 6.8 No No Spoofing CVE-2024-26254 Microsoft Virtual Machine Bus (VMBus) Denial of Service Vulnerability Important 7.5 No No DoS CVE-2024-26210 Microsoft WDAC OLE DB Provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-26244 Microsoft WDAC OLE DB Provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-26214 Microsoft WDAC SQL Server ODBC Driver Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-20670 Outlook for Windows Spoofing Vulnerability Important 8.1 No No Spoofing CVE-2024-20678 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-20669 † Secure Boot Security Feature Bypass Vulnerability Important 6.7 No No SFB CVE-2024-20688 † Secure Boot Security Feature Bypass Vulnerability Important 7.1 No No SFB CVE-2024-20689 † Secure Boot Security Feature Bypass Vulnerability Important 7.1 No No SFB CVE-2024-26168 † Secure Boot Security Feature Bypass Vulnerability Important 6.8 No No SFB CVE-2024-26171 † Secure Boot Security Feature Bypass Vulnerability Important 6.7 No No SFB CVE-2024-26175 † Secure Boot Security Feature Bypass Vulnerability Important 7.8 No No SFB CVE-2024-26180 † Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB CVE-2024-26189 † Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB CVE-2024-26194 † Secure Boot Security Feature Bypass Vulnerability Important 7.4 No No SFB CVE-2024-26240 † Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB CVE-2024-26250 † Secure Boot Security Feature Bypass Vulnerability Important 6.7 No No SFB CVE-2024-28896 † Secure Boot Security Feature Bypass Vulnerability Important 7.5 No No SFB CVE-2024-28897 † Secure Boot Security Feature Bypass Vulnerability Important 6.8 No No SFB CVE-2024-28898 † Secure Boot Security Feature Bypass Vulnerability Important 6.3 No No SFB CVE-2024-28903 † Secure Boot Security Feature Bypass Vulnerability Important 6.7 No No SFB CVE-2024-28919 † Secure Boot Security Feature Bypass Vulnerability Important 6.7 No No SFB CVE-2024-28920 † Secure Boot Security Feature Bypass Vulnerability Important 7.8 No No SFB CVE-2024-28921 † Secure Boot Security Feature Bypass Vulnerability Important 6.7 No No SFB CVE-2024-28922 † Secure Boot Security Feature Bypass Vulnerability Important 4.1 No No SFB CVE-2024-28923 † Secure Boot Security Feature Bypass Vulnerability Important 6.4 No No SFB CVE-2024-28924 † Secure Boot Security Feature Bypass Vulnerability Important 6.7 No No SFB CVE-2024-28925 † Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB CVE-2024-29061 † Secure Boot Security Feature Bypass Vulnerability Important 7.8 No No SFB CVE-2024-29062 † Secure Boot Security Feature Bypass Vulnerability Important 7.1 No No SFB CVE-2024-26241 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-21447 Windows Authentication Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-29056 Windows Authentication Elevation of Privilege Vulnerability Important 4.3 No No EoP CVE-2024-29050 Windows Cryptographic Services Remote Code Execution Vulnerability Important 8.4 No No RCE CVE-2024-26228 Windows Cryptographic Services Security Feature Bypass Vulnerability Important 7.8 No No SFB CVE-2024-26229 Windows CSC Service Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-26237 Windows Defender Credential Guard Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-26226 Windows Distributed File System (DFS) Information Disclosure Vulnerability Important 6.5 No No Info CVE-2024-29066 Windows Distributed File System (DFS) Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-26221 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-26222 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-26223 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-26224 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-26227 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-26231 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-26233 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-26172 Windows DWM Core Library Information Disclosure Vulnerability Important 5.5 No No Info CVE-2024-26216 Windows File Server Resource Management Service Elevation of Privilege Vulnerability Important 7.3 No No EoP CVE-2024-29064 Windows Hyper-V Denial of Service Vulnerability Important 6.2 No No Info CVE-2024-26183 Windows Kerberos Denial of Service Vulnerability Important 6.5 No No DoS CVE-2024-26248 Windows Kerberos Elevation of Privilege Vulnerability Important 7.5 No No EoP CVE-2024-20693 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-26218 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-26220 Windows Mobile Hotspot Information Disclosure Vulnerability Important 5 No No Info CVE-2024-26211 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-26207 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info CVE-2024-26217 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info CVE-2024-26255 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info CVE-2024-28900 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info CVE-2024-28901 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info CVE-2024-28902 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info CVE-2024-26252 Windows rndismp6.sys Remote Code Execution Vulnerability Important 6.8 No No RCE CVE-2024-26253 Windows rndismp6.sys Remote Code Execution Vulnerability Important 6.8 No No RCE CVE-2024-26179 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-26200 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-26205 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-26245 Windows SMB Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-29052 Windows Storage Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-26230 Windows Telephony Server Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-26239 Windows Telephony Server Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-26242 Windows Telephony Server Elevation of Privilege Vulnerability Important 7 No No EoP CVE-2024-26235 Windows Update Stack Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-26236 Windows Update Stack Elevation of Privilege Vulnerability Important 7 No No EoP CVE-2024-26243 Windows USB Print Driver Elevation of Privilege Vulnerability Important 7 No No EoP CVE-2024-29992 Azure Identity Library for .NET Information Disclosure Vulnerability Moderate 5.5 No No Info CVE-2024-20685 Azure Private 5G Core Denial of Service Vulnerability Moderate 5.9 No No DoS CVE-2024-29049 Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability Moderate 4.1 No No Spoofing CVE-2024-29981 Microsoft Edge (Chromium-based) Spoofing Vulnerability Low 4.3 No No Spoofing CVE-2024-3156 * Chromium: CVE-2024-3156 Inappropriate implementation in V8 High N/A No No RCE CVE-2024-3158 * Chromium: CVE-2024-3158 Use after free in Bookmarks High N/A No No RCE CVE-2024-3159 * Chromium: CVE-2024-3159 Out of bounds memory access in V8 High N/A No No RCE

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.

 

Moving on to the Critical-rated bugs, all impact Microsoft Defender for IoT. An authenticated attacker with file upload privileges could get arbitrary code execution through a path traversal vulnerability. They would need to upload specially crafted files to sensitive locations on the target. It’s not clear how likely this would be, but anything that targets your defensive tools should be taken seriously.

All told, there are almost 70 fixes for bugs that could lead to code execution in this release. The (somewhat) good news is that nearly half of these impact SQL server components. In these cases, an attacker would need to have an affected system connect to a specially crafted SQL database and perform a query. If you can socially engineer that, then you will get code execution. However, that does seem unlikely. More practically, I would concern myself with the DNS and DHCP code execution bugs in this release. I’ve already mentioned the DNS bugs. For the DHCP bugs, the attacker would need elevated privileges. This would be a good time to audit your DHCP server to see who has privileges and who should be removed. The fix for Azure Migrate is only network adjacent, but you’ll need to take extra steps to be fully protected. You need to the latest Azure Migrate Appliance's AutoUpdater, which ensures MSI installers downloaded from the Download Center have been authentically signed by Microsoft prior to installation. Check here for more details. There is an update for Excel to address an open-an-own bug, but you’re out of luck if you’re on macOS. Updates for Apple users are not available yet.

There’s a mountain of elevation of privilege (EoP) patches in this month’s release, and in most cases, exploitation requires an attacker to log on the an affected system then run their code. Again, this usually results in getting code to elevate to SYSTEM. The Azure EoPs are a little bit different and require some extra steps. The bug in Azure Arc-enabled Kubernetes could allow an attacker to gain access to sensitive information, such as Azure IoT Operations secrets and potentially other credentials or access tokens stored within the Kubernetes cluster. You’ll also need to update any affected Extensions that are used in your environment and ensure you update your Azure Arc Agent. The bug in Azure Content Gallery also needs extra actions to be protected. This bug has been mitigated by the latest change to the Azure Compute Gallery (ACG) image creation permission requirements, which means you’ll need to check the permissions and possibly update them. For information on how to update permissions, see here for details. For the Azure Monitor Agent EoP, you need to make sure you have Automatic Extension Upgrades enabled. If you don’t you can manually get the updates following these instructions. Finally, the bug in the Azure Kubernetes Service also needs some extra work. To be fully protected, you need to ensure you are running the latest version of “az confcom” and Kata Image. If you don’t have “az conform” installed, you can get the latest version by running the command “az extension add -n conform”. See the bulletin for full details.

Moving on to the security feature bypass (SFB) bugs, how in the world are there 23 different SFB patches for Secure Boot? As if that isn’t enough, you’ll need to take additional steps to be protected. The patch fixes the bugs, but the protections aren’t enabled by default. You’ll need to check out this KB article and follow the instructions listed there. With 23 bugs and manual actions needed to address them, I don’t think we should call it “secure” boot anymore. Other SFB bugs include one that could bypass RSA signature verification and a bug in BitLocker that could also bypass secure boot. At least that one just requires a patch and no extra steps.

There are more than a dozen information disclosure bugs. Fortunately, most only result in info leaks consisting of unspecified memory contents. The bug in Azure AI Search could allow an attacker to obtain sensitive API Keys. While this bug has been mitigated by a recent update to Azure AI Search's backend infrastructure, you’ll need to manually rotate specific credentials that have been notified through Azure Service Health alerts. The bug in Azure Identity Library for .NET could divulge data inside the targeted website like IDs, tokens, nonces, and other sensitive information. At least there are no additional steps beyond the patch for this one. Finally, the bug in Windows DFS could disclose the ever-descriptive “sensitive information”.

The April release is rounded out by a handful of spoofing and denial-of-service (DoS) bugs. Microsoft doesn’t provide a lot of useful information here, but if you need to focus on something, the DoS bugs in the DHCP service are where I’d start. Shutting down DHCP for any time in an enterprise will likely lead to a “no fun at all” day.

Finally, Microsoft has updated ADV99001 with the latest servicing stack updates. Be sure to check them out.

Looking Ahead

The next Patch Tuesday of 2024 will be on May 14, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

As 5G networks continue to grow in order to meet the increasing demands of mission-critical applications, concerns over cybersecurity are top-of-mind. The vast volume of data transmitted across 5G networks offers a ripe target for exploitation. According to a recent Palo Alto Networks study, nearly 70 percent of C...

Mensen die zich soeverein verklaren keren zich af van de overheid en andere instituties. Hoewel ze veelal een open houding houden richting andere mensen, verspreiden ze wel feitelijk onjuiste verhalen over de, volgens hen, kwade intenties van de instituties. Ook willen ze zelf bepalen of wet- en regelgeving op hen van toepassing is.

Tips to help you secure and reduce interactive access to your cloud infrastructure.

近日,“谛听”团队李文轩博士撰写的论文被国际期刊《IEEE Internet of Things Journal》录用。

   同理, 也可以嵌入其它字体了 

最近，小日子在设计中做了些减法，让产品看上去更轻盈通透，让核心功能更聚焦凸显。

针对一道面试题样本的详细分析

In this post, you'll discover how GreyNoise is reshaping cybersecurity using AI, with initiatives for anomaly discovery and targeted attack identification. Also, get up to speed on our new plug-in for Microsoft Copilot for Security.

一次通过代码审计对目标网站进行渗透，并通过http特性成功getshell的案例

Last week my daughter lost her phone. Due to this unfortunate event, she also lost the ability to call or message anyone she knew on another device because she did not know anyone’s phone numbers. This is not unusual in today’s world: We rarely have to remember anyone’s phone number anymore, because it is stored in our...

Todos los profesionales dentro de este mundillo conocemos Hacktricks, ¿verdad? A inicios de 2024 nos sorprendió con ARTE (AWS Red...

关于如何在长三角地区的自家菜园成功种植花生的主题式研究