Microsoft recently released security updates for 150 vulnerabilities as part of its monthly Patch Tuesday event. Security researchers identified two of the patched vulnerabilities as being actively exploited, even though Microsoft did not label them as such.
The first vulnerability, CVE-2024-26234, is associated with a malicious driver signed with a valid Microsoft Hardware Publisher Certificate and previously associated with the deployment of a backdoor. While the vulnerability had been disclosed to Microsoft, it wasn’t assigned a CVE until Patch Tuesday.
The second zero-day vulnerability, CVE-2024-29988, allows threat actors to bypass patches for previous vulnerabilities, CVE-2024-21414 and CVE-2023-26025, to skip Microsoft Defender SmartScreen prompts when attachments are opened. This attack vector was previously used by the financially motivated threat actor, Water Hydra, while targeting foreign exchange trading forums and stock trading Telegram channels with spearphishing attacks that deployed the DarkMe remote access trojan (RAT).
The other 148 flaws addressed in this month’s Patch Tuesday include over 60 remote code execution (RCE) and 31 elevation of privilege vulnerabilities.
Source: Bleeping Computer
Analysis
Two of the vulnerabilities addressed by Microsoft in this week’s update were discovered and disclosed by Field Effect’s Principal Security Developer, Erik Egsgard.
The first of these vulnerabilities, designated CVE-2024-26229 and assigned a severity rating of 7.8, is a privilege elevation flaw that could allow a threat actor already running code with user-level privileges to gain system-level privileges.
The second vulnerability, designated CVE-2024-29050 and assigned a severity rating of 8.4, is an RCE flaw that could allow a threat actor to remotely execute code on servers with a vulnerable configuration that are running the affected versions of Windows.
Executing CVE-2024-29050
Erik has a long track record of discovering and responsibly disclosing vulnerabilities in Microsoft products. In late 2022, while conducting a routine review of telemetry from our MDR endpoints, Erik discovered three security vulnerabilities in the Windows operating system, two of which were ranked as critical. Microsoft patched all three vulnerabilities, CVE-2023-21688, CVE-2023-23416, and CVE-2023-23415, in early 2023.
This is in addition to the six zero-day privilege escalation bugs and one information leak vulnerability Erik discovered in 2021. It was found that these bugs had been present since Windows Vista (Server 2008) was released in 2007 which, at the time of disclosure, meant that almost every Windows computer in the world was vulnerable.
The discovery and responsible disclosure of flaws in Windows and other products is vital to staying steps ahead of threat actors who leverage any vulnerability they can to enable their malicious activities. It’s also one of many ways Field Effect’s cybersecurity professionals contribute to improving cybersecurity at large.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software, appliances, and operating systems. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities.
Covalence users will be automatically notified if vulnerable versions of Windows and other Microsoft products are detected in their environment and are encouraged to review these AROs as quickly as possible via the Covalence portal.
Field Effect strongly encourages all users to download and install the latest Microsoft updates as soon as possible. Field Effect also encourages users to enable automatic updates when possible.
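For administrators who want to verify the two recommendations above on a host, the following read-only PowerShell audit is an added example; it is not code from Field Effect, Covalence, or Microsoft. It reports the OS build and the most recently installed hotfixes, checks whether the Automatic Updates policy has been disabled or set to a notify-only mode, and reports the Defender SmartScreen setting that the CVE-2024-29988 bypass described above is aimed at. The $ExpectedKbs parameter is a placeholder: fill it with the KB numbers from Microsoft's release notes for the updates you require, since this post does not list them. The registry paths and value names used are the standard Windows Update and SmartScreen locations; the script changes nothing.

```powershell
# Added example (not from the original post): read-only patch and update-policy audit.
# Run in an elevated Windows PowerShell 5.1 or PowerShell 7 session.
param(
    # Placeholder: KB identifiers you require on this host, e.g. @('KB0000000').
    [string[]]$ExpectedKbs = @()
)

function Get-OsBuildInfo {
    # UBR is the Update Build Revision; it increases with each cumulative update.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ProductName = $cv.ProductName
        Build       = "$($cv.CurrentBuildNumber).$($cv.UBR)"
    }
}

function Get-RecentHotfixes {
    param([int]$Count = 10)
    Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First $Count HotFixID, Description, InstalledOn
}

function Test-ExpectedKbs {
    param([string[]]$Kbs)
    # Returns one row per required KB with an Installed flag.
    $present = (Get-HotFix).HotFixID
    foreach ($kb in $Kbs) {
        [pscustomobject]@{ KB = $kb; Installed = ($present -contains $kb) }
    }
}

function Get-AutoUpdatePolicy {
    # Group Policy location wins over the local setting when both exist.
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
    $noAuto = if ($null -ne $policy) { $policy.NoAutoUpdate } else { $null }
    $opt    = if ($null -ne $policy -and $null -ne $policy.AUOptions) { $policy.AUOptions } elseif ($null -ne $local) { $local.AUOptions } else { $null }
    # AUOptions: 2 = notify only, 3 = download and notify, 4 = download and schedule install, 5 = local admin chooses.
    $risk = ($noAuto -eq 1) -or ($opt -eq 2)
    [pscustomobject]@{
        NoAutoUpdate  = $noAuto
        AUOptions     = $opt
        NeedsAttention = $risk
    }
}

function Get-SmartScreenState {
    # Policy value EnableSmartScreen (1/0) overrides the Explorer setting, which is a string such as Warn, Block, or Off.
    $policy   = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue
    $explorer = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -ErrorAction SilentlyContinue
    $effective = if ($null -ne $policy -and $null -ne $policy.EnableSmartScreen) {
        if ($policy.EnableSmartScreen -eq 1) { 'Enabled (policy)' } else { 'Disabled (policy)' }
    } elseif ($null -ne $explorer -and $explorer.SmartScreenEnabled) {
        $explorer.SmartScreenEnabled
    } else { 'Not set (default)' }
    [pscustomobject]@{ SmartScreen = $effective; NeedsAttention = ($effective -match 'Off|Disabled') }
}

# Report
Get-OsBuildInfo | Format-List
Write-Host '--- Most recent hotfixes ---'
Get-RecentHotfixes | Format-Table -AutoSize
if ($ExpectedKbs.Count -gt 0) {
    Write-Host '--- Required KBs ---'
    Test-ExpectedKbs -Kbs $ExpectedKbs | Format-Table -AutoSize
}
Write-Host '--- Automatic Updates ---'
Get-AutoUpdatePolicy | Format-List
Write-Host '--- SmartScreen ---'
Get-SmartScreenState | Format-List
```

Get-HotFix only lists updates recorded by Windows Update on the local machine, so on hosts patched through a third-party tool the KB check can report false negatives; compare the Build value against Microsoft's release notes in that case. The NeedsAttention flags are conservative: a host managed by WSUS or Intune may legitimately set AUOptions to a scheduled mode, and that is the configuration the post recommends rather than one to change.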