Microsoft has caught many off guard with its latest Patch Tuesday rollout, addressing a staggering 149 vulnerabilities across various product lines, 90 of which affect Windows users. This marks the largest Patch Tuesday release in seven years. Among them are two zero-day vulnerabilities, which Microsoft did not initially disclose as such. Security experts are highlighting three vulnerabilities in particular that deserve close attention.
Windows Zero-Day Security Vulnerability CVE-2024-26234
Shortly after the April Patch Tuesday updates were published, Microsoft reclassified CVE-2024-26234, a proxy driver spoofing vulnerability, as a zero-day that has already been exploited in the wild by threat actors and publicly disclosed. Discovered by Sophos X-Ops researchers, the vulnerability takes the form of a backdoored executable that appears legitimate because it is signed with a valid Microsoft Hardware Publisher Certificate. Despite being rated only as Important, with a CVSS v3.1 score of 6.7, security experts such as Chris Goettl, vice-president of security products at Ivanti, caution that this vulnerability should not be underestimated.
SmartScreen Feature Bypass Zero-Day CVE-2024-29988
CVE-2024-29988 is a critical-rated vulnerability that allows the SmartScreen security-feature prompt to be bypassed. Ben McCarthy, lead cyber security engineer at Immersive Labs, explains that SmartScreen is a large pop-up that warns users before they run an unknown file and is often the target of phishing attacks. Trend Micro's Zero Day Initiative has confirmed that CVE-2024-29988 has been exploited in the wild. McCarthy warns that this exploit, used in phishing campaigns with malicious attachments, could lead to more successful attacks.
CVE-2024-26256 Should Be a High Priority
CVE-2024-26256, another critical vulnerability, affects the open-source libarchive project, which is used for file and data stream compression. Kev Breen, senior director of threat research at Immersive Labs, notes that this library was introduced to Windows in 2023 to natively support .rar, .gz and .tar files but has had vulnerabilities in the past. Despite its relatively low score of 7.8 for a remote code execution vulnerability, Microsoft lists CVE-2024-26256 as more likely to be exploited. However, for exploitation to occur, a threat actor would need to wait for “a user to make a connection,” according to Microsoft. Breen suggests that more details about the exploitable connection or service would help defenders proactively create security rules to detect potentially malicious traffic.