Microsoft’s Record-Breaking Patch Tuesday: 147 New CVEs, No Zero-Days, but an Active Exploit

April 9, 2024

Microsoft's April Patch Tuesday update was a record-breaker, with the tech giant addressing 147 new Common Vulnerabilities and Exposures (CVEs). This is the highest number of CVEs patched in a single month since tracking began in 2017, according to Satnam Narang, a senior staff research engineer at Tenable.

The last time Microsoft patched over 100 CVEs was in October 2023, when it addressed 103 CVEs. The previous record high was in July 2023, with 130 CVEs patched. While none of the April Patch Tuesday CVEs are zero-day threats, at least one is already being actively exploited.

Compared to last year, the number of zero-day vulnerabilities has decreased significantly. "This time last year, there were seven zero-day vulnerabilities exploited in the wild," Narang said. So far this year, only two zero-days have been exploited, both in February. The reason for the decrease is unclear, but it may indicate a shift toward attackers relying on already-known vulnerabilities in their attacks on organizations.

Dustin Childs of the Zero Day Initiative noted in his analysis of the April Microsoft Patch Tuesday that there is evidence of a known exploited flaw among this month's fixes. The flaw, a max-severity SmartScreen Prompt security feature bypass (CVE-2024-29988) with a CVSS score of 8.8, was discovered by ZDI but wasn't listed as exploited in Microsoft's Patch Tuesday update. "We have evidence this is being exploited in the wild, and I'm listing it as such," Childs added.

Other max-severity bugs patched this month by Microsoft include the Remote Procedure Call Runtime Remote Code Execution Vulnerability (CVE-2024-20678) with a CVSS score of 8.8, a spoofing vulnerability (CVE-2024-20670) with a CVSS score of 8.1 in Outlook for Windows, and a Windows DNS Server Remote Code Execution (CVE-2024-26221) with a CVSS score of 7.2.

A significant portion of this month's Patch Tuesday fixes are related to Microsoft SQL Server vulnerabilities, according to Kev Breen, senior director of threat research for Immersive Labs. "The main issue is with the clients used to connect to an SQL server, not the server itself," Breen said. All of these would require social engineering, making the SQL flaws difficult to exploit at scale.

Narang also highlighted the fix for the SmartScreen Prompt security feature bypass (CVE-2024-29988), which relies on social engineering for exploitation. A similar zero-day bug (CVE-2024-21412) was used in a campaign impersonating popular brands like Apple iTunes. "Microsoft Defender SmartScreen is supposed to provide additional protections for end users against phishing and malicious websites," Narang said. "However, these flaws bypass these security features, which leads to end users being infected with malware."

Narang also drew attention to the 24 Windows Secure Boot flaw fixes included in Microsoft's April Patch Tuesday release. The last time Microsoft patched a flaw in Windows Secure Boot (CVE-2023-24932) in May 2023, it had a significant impact as it was exploited in the wild and linked to the BlackLotus UEFI bootkit, which was sold on Dark Web forums for $5,000. While none of the Secure Boot vulnerabilities patched this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future, Narang warned.
