April’s Patch Tuesday was a record-breaker for Microsoft, with the software giant releasing patches for 147 vulnerabilities — more than researchers can recall ever seeing previously in a single month.
While the massive dump of fixes has the potential to keep security teams busy, only three of the flaws to be patched were rated as critical, and there were clusters of patches related to the same products.
This month’s list initially appeared to contain no zero-day vulnerabilities, but researchers were quick to correct this — pointing out to Microsoft that two of the bugs they fixed had been actively exploited.
Tenable senior staff research engineer Satnam Narang said the previous record for the most vulnerabilities patched in a month was in July 2023, when Microsoft addressed 130 CVEs.
The last time there were over 100 CVEs patched was October 2023, when Microsoft addressed 103.
Two exploited bugs patched
One of the zero-day vulnerabilities patched this month was a SmartScreen Prompt security feature bypass flaw, tracked as CVE-2024-29988. SmartScreen is a popup feature that warns users about running unknown files.
Dustin Childs of the Zero Day Initiative (ZDI) said in a post that the bug was found in the wild and reported by ZDI threat hunter Peter Girnus.
“We have evidence this is being exploited in the wild, and I’m listing it as such,” Childs said.
“The bug itself acts much like CVE-2024-21412 (which Microsoft patched in February) – it bypasses the Mark of the Web (MotW) feature and allows malware to execute on a target system.”
The other vulnerability already exploited in the wild was a proxy driver spoofing vulnerability (CVE-2024-26234) discovered by Sophos X-Ops.
Three critical bugs in Defender for IoT
All three patches for flaws rated as critical on this month’s list were remote code execution vulnerabilities related to Microsoft Defender for IoT: CVE-2024-21322, CVE-2024-21323 and CVE-2024-29054.
“An authenticated attacker with file upload privileges could get arbitrary code execution through a path traversal vulnerability,” Childs said.
“They would need to upload specially crafted files to sensitive locations on the target. It’s not clear how likely this would be, but anything that targets your defensive tools should be taken seriously.”
Multiple SQL Server and Secure Boot flaws patched
One factor contributing to the record number of vulnerabilities patched this month was that 40 of them related to the same product: Microsoft SQL Server.
All 40 were given a “relatively high” CVSS score of 8.8, but were also listed by Microsoft as “Exploitation less likely,” said Immersive Labs senior director of threat research Kev Breen.
“The main issue is with the Clients used to connect to an SQL server, not the server itself,” he said.
“[The less-likely exploitation rating] is most likely due to the social engineering required by an attacker to exploit them. All the reported vulnerabilities follow a similar pattern: for an attacker to gain code execution, they must convince an authenticated user inside an organization to connect to a remote SQL server the attacker controls. While not impossible, this is unlikely to be exploited at scale by attackers.”
Microsoft addressed 24 vulnerabilities in Windows Secure Boot — a feature designed to prevent malware from loading while a machine is booting. While the majority were rated “Exploitation less likely,” they were nonetheless noteworthy, according to Narang.
He pointed out that the last time Microsoft patched a Secure Boot flaw (CVE-2023-24932), in May 2023, it was subsequently exploited in the wild and linked to the BlackLotus UEFI bootkit malware.
“While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future,” Narang said.