Microsoft's April 2024 Patch Tuesday Addresses 149 Flaws, Including Two Exploited Zero-Days

Executive Summary

Microsoft's April 2024 Patch Tuesday update addressed a substantial 149 vulnerabilities, with two zero-days, CVE-2024-26234 and CVE-2024-29988, being actively exploited in the wild. CVE-2024-26234 is a proxy driver spoofing vulnerability that allows an attacker to trick the system into loading a malicious driver, potentially leading to privilege escalation. CVE-2024-29988 is a bypass of the SmartScreen security feature, which could enable attackers to execute malicious code by evading security prompts designed to protect users. The active exploitation of these vulnerabilities elevates their risk profile significantly, requiring immediate attention from system administrators to apply the necessary patches and prevent compromise.

Vulnerability Details

CVE-2024-26234 - Proxy Driver Spoofing Vulnerability

This vulnerability allows a malicious actor to create a file that appears to be a legitimate, signed driver. An attacker could exploit this to install a malicious driver, which would then execute with kernel-level privileges. This type of flaw is often used in post-compromise scenarios to escalate privileges and establish persistence on a system.

CVE-2024-29988 - SmartScreen Security Feature Bypass Vulnerability

This vulnerability allows an attacker to craft a file that bypasses the Windows SmartScreen security feature. Normally, SmartScreen would warn a user that a downloaded file is potentially unsafe. By exploiting this flaw, an attacker can ensure that their malicious file is presented to the user without any security warnings, greatly increasing the likelihood that the user will open it and become infected.

Affected Systems

• Various versions of Microsoft Windows and Windows Server are affected. The specific versions are detailed in Microsoft's security advisories for each CVE.

Exploitation Status

Both CVE-2024-26234 and CVE-2024-29988 were confirmed by Microsoft to be actively exploited at the time of the patch release. The existence of functional exploit code and ongoing attacks makes these vulnerabilities a high priority for remediation. Threat actors are likely incorporating these exploits into their attack chains for initial access (via SmartScreen bypass) and privilege escalation (via driver spoofing).

Impact Assessment

• CVE-2024-26234 (Driver Spoofing): A successful exploit could lead to a full system compromise. An attacker with initial access could use this to gain SYSTEM-level privileges, allowing them to disable security software, install persistent backdoors, and access all data on the machine.
• CVE-2024-29988 (SmartScreen Bypass): This vulnerability significantly lowers the bar for successful phishing and malware delivery campaigns. By removing a key user-facing security warning, attackers can more easily trick users into executing malicious payloads, leading to initial compromise of the user's workstation and, potentially, the wider corporate network.

IOCs — Directly from Articles

No specific Indicators of Compromise (IOCs) were provided in the source articles.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns which could indicate related activity:

Detection & Response

• Patch Management Systems: Use your patch management system to verify that the April 2024 security updates have been applied to all Windows endpoints and servers. Prioritize systems based on their exposure and criticality.
• EDR Queries: Use your EDR solution to hunt for signs of exploitation. For CVE-2024-26234, look for the loading of any unsigned or newly created drivers. For CVE-2024-29988, look for the execution of files from user download directories that have a low reputation score but did not generate a SmartScreen alert.
• User Awareness: Remind users to be cautious about opening unsolicited files, even if they do not see a security warning. Reinforce phishing awareness training.

Mitigation

1. Apply Patches: The primary and most effective mitigation is to apply the April 2024 security updates from Microsoft. Utilize Windows Update, WSUS, or your preferred patch management solution to deploy these updates as quickly as possible. This is an application of D3FEND's Software Update technique.
2. Application Control: Implement application control policies, such as Windows Defender Application Control (WDAC), to restrict the execution of unauthorized software and drivers. This can help mitigate the impact of both vulnerabilities.
3. Attack Surface Reduction (ASR): Enable ASR rules to block common attack vectors, such as blocking executable content from email clients and web browsers.
4. Principle of Least Privilege: Ensure that users are operating with standard user accounts, not administrative accounts. This will not prevent the SmartScreen bypass but can limit the impact of a subsequent malware execution.