Microsoft Patch Tuesday Tsunami: No Zero-Days, but an Asterisk

Microsoft outdid itself with this month's Patch Tuesday releases, which contain no zero-day patches, though at least one of the patches addresses a flaw already being actively exploited.

Products affected by the most recent Patch Tuesday updates include Windows and Windows Components; Azure; .NET Framework and Visual Studio; SQL Server; DNS Server; Windows Defender; Bitlocker; and Windows Secure Boot.

Microsoft's April update included 147 CVEs, three rated "Critical," 142 categorized as "Important," and two listed as "Moderate" in severity. That number swells to 155 CVEs if third-party flaws are included. The number represents a record high for Patch Tuesday fixes.

"Microsoft patched 147 CVEs in April, the largest number of CVEs patched in a month since we began tracking this data in 2017," Satnam Narang, senior staff researcher engineer at Tenable, said in a statement. "The last time there were over 100 CVEs patched was October 2023, when Microsoft addressed 103 CVEs." The previous high was in July 2023, with 130 CVEs patched, Narang added.

Microsoft did not indicate any of the April Patch Tuesday CVEs are zero-day threats, a welcome departure from last year's brisk clip of zero-day disclosures.

"This time last year, there were seven zero-day vulnerabilities exploited in the wild," Narang said. This year, there have only been two zero-days exploited and both were in February. "It's difficult to pinpoint why we've seen this decrease, whether it's just a lack of visibility or if it signifies a trend with attackers utilizing known vulnerabilities as part of their attacks on organizations."

However, Dustin Childs of the Zero Day Initiative noted in his April Microsoft Patch Tuesday analysis that his organization has evidence of a known exploited flaw in the list of this month's fixes.

Patch Tuesday Fixes to Prioritize

Childs pointed to the max-severity vulnerability in SmartScreen Prompt Security Feature Bypass (CVE-2024-29988) with a CVSS score of 8.8, which was discovered by ZDI but wasn't listed as exploited in Microsoft's Patch Tuesday update.

"However, the bug reported by ZDI threat hunter Peter Girrus was found in the wild," Childs added. "We have evidence this is being exploited in the wild, and I'm listing it as such."

Another max-severity bug impacting the Remote Procedure Call Runtime Remote Code Execution Vulnerability (CVE-2024-20678) was given a CVSS score of 8.8 and patched this month by Microsoft.

A spoofing vulnerability (CVE-2024-20670), listed as max-severity with a base CVSS of 8.1, was fixed in Outlook for Windows. And a Windows DNS Server Remote Code Execution, also listed as max-severity (CVE-2024-26221) with a CVSS score of 7.2, was patched as well.

Microsoft SQL Gets Plenty of Patches

Microsoft SQL Server vulnerabilities make up a large share of this month's Patch Tuesday fixes, according to Kev Breen, senior director threat research for Immersive Labs.

"While at first glance, it may appear that Microsoft has called out a large number of vulnerabilities in its latest notes, 40 of them are all related to the same product — Microsoft SQL Server," Breen said in a statement. "The main issue is with the Clients used to connect to an SQL server, not the server itself."

Breen went on to explain that all of these would require social engineering, making the SQL flaws difficult to exploit in any useful capacity.

"All the reported vulnerabilities follow a similar pattern: For an attacker to gain code execution, they must convince an authenticated user inside an organization to connect to a remote SQL server the attacker controls," Breen added. "While not impossible, this is unlikely to be exploited at scale by attackers."

Security teams concerned about these types of attacks should look for anomalous activity and block outbound connections except to trusted servers.

Microsoft SmartScreen Prompt and Secure Boot Flaws

Tenable's Narang noted this month's fix for the SmartScreen Prompt security feature bypass (CVE-2024-29988), with its CVSS score of 8.8, likewise relies on social engineering to make exploitation possible. A similar zero-day bug (CVE-2024-21412), discovered by the same researchers was used in a DarkGate campaign impersonating popular brands like Apple iTunes.

"Microsoft Defender SmartScreen is supposed to provide additional protections for end users against phishing and malicious websites," Narang said. "However, as the name implies, these flaws bypass these security features, which leads to end users being infected with malware."

Narang also suggested security teams take a look at the 24 Windows Secure Boot flaw fixes included in Microsoft's April Patch Tuesday release.

"The last time Microsoft patched a flaw in Windows Secure Boot (CVE-2023-24932) in May 2023 had a notable impact as it was exploited in the wild and linked to the BlackLotus UEFI bootkit, which was sold on Dark Web forums for $5,000," he said.

BlackLotus malware is able to block security protections while booting up.

"While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future," Narang stressed.