Microsoft’s April Patch Tuesday marked by RCE vulnerabilities pervading SQL servers


Microsoft has released its security updates for April 2024, addressing 149 security flaws, 67 of which were remote code execution (RCE) vulnerabilities.

Three of the 149 flaws were classified as critical vulnerabilities pertaining to patches protecting against RCE attacks on Windows IoT devices.

A further two zero-day vulnerabilities were updated by Microsoft to reflect active exploitation in the wild.

The lion’s share of the vulnerabilities patched in the update, 67 of the 149 total, related to RCE vulnerabilities in Microsoft SQL drivers, which has raised concerns among security experts. 

Leonarda Granda, solutions architect leader at Vicarius, said this suggests the flaws stem from a common vulnerability, noting that only three were listed as critical and warning security admins not to be complacent in their patching procedures.

“Notably, more than half of the Remote Code Execution flaws reside within Microsoft SQL drivers, pointing at a potential shared vulnerability. Among these, only three are deemed critical and involve patches for RCE attacks on Windows IoT devices. However, this is more complex than it may seem.”

Granda outlined how these flaws might turn into security incidents at a small-to-medium business with more than 200 assets to protect, highlighting the importance of safeguarding an organization’s critical systems.

“Consider a single SMB company that owns over 200 assets; each month, they are required to address more than 100 vulnerabilities associated with Microsoft alone,” Granda said. 

“When you factor in IoT devices, which are often located in remote zones and have limited visibility to IT administrators, it becomes even easier for a hacker to find a single vulnerability in these exposed assets with just a simple Shodan query.”

“This security update from Microsoft serves as a reminder that safeguarding IoT devices against hacks is absolutely critical to protect users' privacy. The highest priority right now is to ensure the security of critical systems, and maintain the integrity of networks and data.”

Microsoft updates two zero-days exploited in the wild

Microsoft had to update its entries for two zero-day vulnerabilities that were initially listed as not actively exploited after threat researchers at Trend Micro and Sophos shared evidence showing exploitation.

The vulnerabilities in question, CVE-2024-26234 and CVE-2024-29988, are classified as medium and high severity respectively, with scores of 6.7 and 8.8 on the National Vulnerability Database’s CVSS rating.

CVE-2024-26234 is a proxy driver spoofing vulnerability involving a malicious executable file signed with a Microsoft Hardware Publisher Certificate. 

A blog detailing the CVE from Sophos X-Ops claims the driver was first discovered in December 2023, and the researchers found the file was attempting to imitate the global IT company Thales Group.

Sophos said the file was originally included in mobile software called LaiXi used for screen mirroring on Android devices, and stated their researchers were confident the file was a malicious backdoor.

Meanwhile, CVE-2024-29988 is a SmartScreen prompt security feature bypass vulnerability that, if exploited, could allow attackers to circumvent Microsoft Defender’s SmartScreen defenses.

A researcher at Trend Micro’s Zero Day Institute (ZDI) reportedly found the vulnerability being exploited in the wild, despite Microsoft initially stating the flaw was not under active exploitation.

In a blog post summarizing the April security updates, Dustin Childs, head of threat awareness at the ZDI, said the flaw behaves a lot like another SmartScreen vulnerability disclosed in February 2024.

“The bug itself acts much like CVE-2024-21412 – it bypasses the Mark of the Web (MotW) feature and allows malware to execute on a target system. Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass MotW.”

Solomon Klappholz
Staff Writer