News Hub

Almost 150 flaws fixed by Microsoft in significant April security patch release

Written by Thu 11 Apr 2024

In the Microsoft April 2024 security update, the tech giant fixed 149 flaws, with three being classified as critical.

Two more vulnerabilities were marked as zero-day, where active exploitation happened before the patch. A wide range of products, including Microsoft Office Excel, Windows BitLocker and Microsoft Install Service, received security updates.

Microsoft Defender for IoT saw three critical vulnerabilities addressed, as CVE-2024-29053 was deemed the most dangerous with a CVSS rating of 8.8, with 10 being the highest rank possible.

“An authenticated attacker with access to the file upload feature could exploit this path traversal vulnerability by uploading malicious files to sensitive locations on the server,’ said Microsoft in an update.

Flaws actively exploited by hostile actors represent the most urgent issues to fix. One of the active vulnerabilities enabled hostile groups to bypass Microsoft Defender SmartScreen’s protections and make users open malicious files, with another being a spoofing vulnerability in Proxy Driver.

The Azure cloud platform saw a total of nine vulnerabilities recognised. Concerningly, Remote Code Execution vulnerabilities in Microsoft SQL drivers represented 67 of the 149 vulnerabilities, including three critical vulnerabilities. For enterprises running any software with a vulnerability, the most pressing issues revolve around fixing both actively exploited vulnerabilities and critical vulnerabilities.

According to Dustin Childs of the Zero Day Initiative (ZDI), as there is a history of Remote Procedure Call bugs being out in the open, any that could execute code would be highly problematic. Referencing the Remote Procedure Call Runtime Remote Code Execution Vulnerability, Childs says that while it does require authentication, it does not require elevated permission.

“Any authenticated user could hit it. It is not clear if you could hit this if you authenticated as a Guest or an anonymous user. A quick search shows about 1.3 million systems with TCP port 135 exposed to the internet. I expect a lot of people will be looking to exploit this in short order,” said Child.

Join Tech Show London

12-13 March 2025, ExCeL London

Be a part of the latest tech conversations and discover pioneering innovations.

You won’t want to miss one of the most exciting technology events of the year.

Written by Thu 11 Apr 2024

Send us a correction Send us a news tip