Executive Summary
In the April 2024 Patch Tuesday, Microsoft released fixes for a total of 149 vulnerabilities, including 2 zero-days.
Additionally, Microsoft republished 6 non-Microsoft CVEs.
Out of those 6 flaws, 3 are related to Chromium, and 2 are related to a Lenovo security bypass.
We advise organisations to prioritise the installation of these patches by adopting a risk-based approach. Below is a summary of the zero-days and vulnerabilities with a CVSS score of 8+ that Microsoft addressed in this release. For more details, you can refer to the Microsoft April 2024 Security Updates.
As a side note, you can explore the key highlights for Microsoft Patch Tuesday in March 2024, addressing 61 flaws, here.
Zero-Days
Microsoft addressed the following zero-day vulnerabilities in their April 2024 Patch Tuesday Release.
CVE-2024-29988
CVE-2024-29988 is a SmartScreen security feature bypass vulnerability with a CVSS score of 8.8, related to Internet Shortcut files. Notably, in order to successfully exploit this vulnerability, the attacker must get the victim to click on a link or open a file.
CVE-2024-26234
CVE-2024-26234 is a Proxy Driver Spoofing Vulnerability in the Windows Proxy Driver, with a CVSS score of 6.7.
The vulnerability stems from a file containing a backdoor that had been signed with a Microsoft Windows Hardware Compatibility Publisher signature; successful exploitation relied on that trusted signature.
Windows
The Microsoft April 2024 Patch Tuesday release addresses the following vulnerabilities with a CVSS score of 8+ affecting the Windows operating system:
- CVE-2024-20678, with a CVSS score of 8.8, on Windows Remote Procedure Call
- CVE-2024-26179, with a CVSS score of 8.8, on Windows Routing and Remote Access Service (RRAS)
- CVE-2024-26205, with a CVSS score of 8.8, on Windows Routing and Remote Access Service (RRAS)
- CVE-2024-26200, with a CVSS score of 8.8, on Windows Routing and Remote Access Service (RRAS)
- CVE-2024-26180, with a CVSS score of 8.8, on Windows Secure Boot
- CVE-2024-26189, with a CVSS score of 8.8, on Windows Secure Boot
- CVE-2024-26240, with a CVSS score of 8.8, on Windows Secure Boot
- CVE-2024-28925, with a CVSS score of 8.8, on Windows Secure Boot
- CVE-2024-29050, with a CVSS score of 8.0, on Windows Cryptographic Services
- CVE-2024-26210, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL
- CVE-2024-26214, with a CVSS score of 8.8, on Microsoft WDAC ODBC Driver
- CVE-2024-26244, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL
- CVE-2024-29988, with a CVSS score of 8.8, on Internet Shortcut Files
SQL Server
The Microsoft April 2024 Patch Tuesday release also includes fixes for numerous SQL Server vulnerabilities with a CVSS score of 8+, listed below:
- CVE-2024-28906 with a CVSS score of 8.8
- CVE-2024-28908 with a CVSS score of 8.8
- CVE-2024-28909 with a CVSS score of 8.8
- CVE-2024-28910 with a CVSS score of 8.8
- CVE-2024-28911 with a CVSS score of 8.8
- CVE-2024-28912 with a CVSS score of 8.8
- CVE-2024-28913 with a CVSS score of 8.8
- CVE-2024-28914 with a CVSS score of 8.8
- CVE-2024-28915 with a CVSS score of 8.8
- CVE-2024-28926 with a CVSS score of 8.8
- CVE-2024-28927 with a CVSS score of 8.8
- CVE-2024-28929 with a CVSS score of 8.8
- CVE-2024-28930 with a CVSS score of 8.8
- CVE-2024-28931 with a CVSS score of 8.8
- CVE-2024-28932 with a CVSS score of 8.8
- CVE-2024-28933 with a CVSS score of 8.8
- CVE-2024-28934 with a CVSS score of 8.8
- CVE-2024-28935 with a CVSS score of 8.8
- CVE-2024-28936 with a CVSS score of 8.8
- CVE-2024-28937 with a CVSS score of 8.8
- CVE-2024-28938 with a CVSS score of 8.8
- CVE-2024-28939 with a CVSS score of 8.8
- CVE-2024-28940 with a CVSS score of 8.8
- CVE-2024-28941 with a CVSS score of 8.8
- CVE-2024-28942 with a CVSS score of 8.8
- CVE-2024-28943 with a CVSS score of 8.8
- CVE-2024-28944 with a CVSS score of 8.8
- CVE-2024-28945 with a CVSS score of 8.8
- CVE-2024-29043 with a CVSS score of 8.8
- CVE-2024-29044 with a CVSS score of 8.8
- CVE-2024-29046 with a CVSS score of 8.8
- CVE-2024-29047 with a CVSS score of 8.8
- CVE-2024-29048 with a CVSS score of 8.8
- CVE-2024-29982 with a CVSS score of 8.8
- CVE-2024-29983 with a CVSS score of 8.8
- CVE-2024-29984 with a CVSS score of 8.8
- CVE-2024-29985 with a CVSS score of 8.8
Defender
Microsoft also addressed the following Defender vulnerabilities with a CVSS score of 8+ in the April 2024 Patch Tuesday release:
- CVE-2024-21323, with a CVSS score of 8.8, on Defender for IoT
- CVE-2024-29053, with a CVSS score of 8.8, on Defender for IoT
Microsoft Azure
Additionally, Microsoft addressed the following Azure vulnerabilities with a CVSS score of 8+ in the April 2024 Patch Tuesday release:
- CVE-2024-29992, with a CVSS score of 8.0, on Azure SDK
- CVE-2024-29990, with a CVSS score of 9.0, on Azure Kubernetes Service
- CVE-2024-29989, with a CVSS score of 8.4, on Azure Monitor