Microsoft has released its April 2024 batch of security updates, fixing more than 100 vulnerabilities, including two flaws reported to have been exploited in the wild.
The first zero-day (CVE-2024-29988) is a SmartScreen Prompt security feature bypass in Microsoft Windows caused by an insufficient implementation of the Mark of the Web (MotW) feature. A remote attacker can deliver a malicious file inside an archive; if the user opens it, the file evades EDR/NDR detection and the SmartScreen prompt, and the attacker can compromise the affected system.
The second actively exploited bug is tracked as CVE-2024-26234 and is described by Microsoft as a spoofing vulnerability in the Windows proxy driver. It is exploitable only locally, and it concerns a malicious driver that carried a legitimate Microsoft signature rather than a code defect in Windows itself.
Apart from noting that exploitation in the wild has been observed, Microsoft has not provided any details about the attacks. However, cybersecurity firm Sophos released a report stating that CVE-2024-26234 relates to a malicious executable (“Catalog.exe”, presenting itself as a “Catalog Authentication Client Service”) signed with a valid Microsoft Windows Hardware Compatibility Publisher (WHCP) certificate, which Sophos discovered in December 2023. According to Sophos, the file contained an embedded backdoor, and Microsoft has since added the relevant files to its revocation list.
An investigation revealed that the malicious file had previously been bundled with a marketing tool called LaiXi Android Screen Mirroring. Sophos said there is no evidence that the LaiXi developers deliberately embedded the backdoor in their product, or that a threat actor carried out a supply chain attack to insert it into LaiXi’s build process. The company nevertheless recommended that users weigh the risks before downloading, installing, or using LaiXi.
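Both exploited flaws come down to trust signals on a file: whether it still carries Mark of the Web after leaving an archive, and who signed it. The following PowerShell script is an added example written for this page; it is not code from the article, from Microsoft, or from Sophos. It takes a downloaded .zip (the `$ArchivePath` parameter is an assumption), reports the Zone.Identifier stream on the archive and on each extracted file, and prints the Authenticode status and signer of any executables found inside. It assumes an NTFS volume and Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example (not from the article, Microsoft or Sophos): inspect Mark of the Web
# and Authenticode signers for a downloaded archive and its contents.
# Assumes Windows, an NTFS volume and a .zip archive; $ArchivePath is an example parameter.
param(
    [Parameter(Mandatory = $true)]
    [string] $ArchivePath
)

function Get-MotwZoneId {
    # Returns the ZoneId from the Zone.Identifier alternate data stream,
    # or $null when the file carries no Mark of the Web at all.
    param([string] $Path)
    try {
        $zi = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($line in $zi) {
        if ($line -match '^ZoneId=(\d+)') { return [int] $Matches[1] }
    }
    return $null
}

# URL security zone identifiers as written by browsers into Zone.Identifier.
$zoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Describe-Zone {
    param($ZoneId)
    if ($null -eq $ZoneId) { return 'no MotW (SmartScreen will not prompt)' }
    $name = if ($zoneNames.ContainsKey($ZoneId)) { $zoneNames[$ZoneId] } else { 'unknown' }
    return "ZoneId=$ZoneId ($name)"
}

$archive = Get-Item -LiteralPath $ArchivePath
Write-Host ("Archive {0}: {1}" -f $archive.Name, (Describe-Zone (Get-MotwZoneId $archive.FullName)))

# Extract into a scratch directory. Whether MotW is propagated to the extracted
# files depends on the extraction tool, so the per-file report below is the
# check that matters: a file with no zone will not trigger the SmartScreen prompt.
$dest = Join-Path $env:TEMP ('motw-check-' + [guid]::NewGuid().ToString('N'))
Expand-Archive -LiteralPath $archive.FullName -DestinationPath $dest -Force

$executableExtensions = @('.exe', '.dll', '.sys', '.msi', '.ps1')

Get-ChildItem -LiteralPath $dest -Recurse -File | ForEach-Object {
    $sigInfo = ''
    if ($_.Extension.ToLower() -in $executableExtensions) {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $sigInfo = '{0}; signer: {1}' -f $sig.Status, $signer
    }
    [pscustomobject]@{
        File      = $_.FullName.Substring($dest.Length + 1)
        MotW      = Describe-Zone (Get-MotwZoneId $_.FullName)
        Signature = $sigInfo
    }
} | Format-Table -AutoSize -Wrap

# A Valid status only proves who signed the file, not that it is benign: the
# Catalog.exe sample discussed above carried a legitimate WHCP signature.
Remove-Item -LiteralPath $dest -Recurse -Force
```

Run it as `.\Check-Archive.ps1 -ArchivePath .\download.zip`. Two results deserve attention: an extracted executable that reports no MotW although the archive itself came from the Internet zone, and a signed binary whose subject is a hardware publisher certificate where a driver is not expected. Neither is proof of compromise on its own, but both are the conditions the two zero-days above rely on.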
Besides the two zero-days, Microsoft’s April 2024 Patch Tuesday fixes a slew of high-severity flaws affecting Windows Routing and Remote Access Service (RRAS), Microsoft WDAC OLE DB Provider for SQL Server, Windows Cryptographic Services, Microsoft ODBC Driver for SQL Server, Microsoft OLE DB Driver for SQL Server, and other products.