
Patch Tuesday April 2024: Lots of Fixes for Secure Boot and Remote Code Execution Vulnerabilities

The first Patch Tuesday of spring brings the highest number of vulnerability fixes in recent memory. System admins and supporting teams will have a lot on their plates this month: multiple reboots may need to be scheduled, additional mitigations are required to deal with the Secure Boot vulnerabilities, and there are impending end-of-support dates and changes in extended support for a range of Microsoft software and services to plan for.

Microsoft Vulnerabilities

April’s Patch Tuesday brings fixes for 147 vulnerabilities, with a handful of additional updates over the following days bringing the total to 156 vulnerabilities addressed this month as of writing. Only three are rated Critical (all of them Microsoft Defender for IoT remote code execution bugs, listed in the table below), 13 are designated Exploitation More Likely, and two are zero-day vulnerabilities.

One of the notable trends in this month’s collection is the number of Secure Boot vulnerabilities receiving fixes. Secure Boot has been a concern since late 2022, with the initial identification of the BlackLotus UEFI bootkit. A bootkit lets malicious code bypass Secure Boot and load before the OS and other security tools have an opportunity to stop it. Bootkit-style attacks lost popularity with threat actors when UEFI and Secure Boot became widely adopted; now that successful campaigns have been run using BlackLotus, this style of attack will likely continue… as they say, once the genie’s out of the bottle!

There were 25 Secure Boot Security Feature Bypass vulnerabilities addressed this month. CVE-2023-24932 (the BlackLotus bypass first patched in 2023) was updated to list Windows 11 23H2 for ARM64 and x64 as affected and addressed. Per Microsoft’s release notes, “April 2024 security updates provide the latest mitigations. Note that these mitigations are off by default.” Installing the update alone therefore does not protect you: make sure to read Microsoft’s guidance on the additional steps needed to enable the mitigations, KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 – Microsoft Support.
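Because the CVE-2023-24932 mitigations are off by default, the question an admin actually needs answered is “has this machine been through the KB5025885 steps or not?”. The following PowerShell is an added example for this post, not code from N-able or from Microsoft’s KB. It reads the Secure Boot state that those steps change: whether Secure Boot is on, whether the new “Windows UEFI CA 2023” certificate is trusted in DB, whether the old “Microsoft Windows Production PCA 2011” certificate has been revoked in DBX, and the value of the AvailableUpdates registry value that KB5025885 uses to drive each step. It assumes the built-in SecureBoot module (Confirm-SecureBootUEFI and Get-SecureBootUEFI), an elevated session, and that the certificate subject strings above appear as ASCII inside the DER certificates stored in the UEFI variables. One caveat before you run the revocation step in production: adding the 2011 CA to DBX is a one-way change, and boot or recovery media signed only by the old CA will no longer boot on that machine afterwards, so update your media and test on a pilot group first.

```powershell
# Added example: audit the Secure Boot mitigation state for CVE-2023-24932.
# Run in an elevated PowerShell on the Windows host you want to check.
# Assumptions: SecureBoot module available; certificate CNs are ASCII in the DER data.

function Get-SecureBootMitigationState {
    [CmdletBinding()]
    param()

    # Secure Boot must be on for any DB/DBX change to be enforced at boot.
    $secureBootOn = $false
    try { $secureBootOn = Confirm-SecureBootUEFI } catch { $secureBootOn = $false }

    # Pull a UEFI signature database variable (db or dbx) as raw bytes and look for a
    # certificate subject string. The variable holds EFI_SIGNATURE_LIST structures with
    # embedded DER certificates; a substring match is enough for a yes/no check.
    function Test-UefiVarContains([string]$Variable, [string]$Needle) {
        try {
            $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
            $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
            return $text.Contains($Needle)
        } catch {
            # Variable missing or not readable (e.g. legacy BIOS boot): treat as absent.
            return $false
        }
    }

    # The 2023 CA must be trusted in DB before a boot manager signed by it can load.
    $newCaInDb  = Test-UefiVarContains -Variable 'db'  -Needle 'Windows UEFI CA 2023'
    # Revoking the 2011 CA in DBX is the step that actually blocks old, vulnerable boot
    # managers (the BlackLotus technique); it is also the irreversible step.
    $oldCaInDbx = Test-UefiVarContains -Variable 'dbx' -Needle 'Microsoft Windows Production PCA 2011'

    # KB5025885 sets this value to request a step, then the Secure-Boot-Update scheduled
    # task applies it on the next boot. A non-zero value means a step is still pending.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    $pending = (Get-ItemProperty -Path $regPath -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    $pendingText = 'not set'
    if ($null -ne $pending) { $pendingText = '0x{0:X}' -f $pending }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        SecureBootEnabled      = $secureBootOn
        WindowsUefiCa2023InDb  = $newCaInDb
        ProductionPca2011InDbx = $oldCaInDbx
        AvailableUpdatesValue  = $pendingText
        # Fully mitigated only when Secure Boot is on, the new CA is trusted and the old one is revoked.
        Mitigated              = ($secureBootOn -and $newCaInDb -and $oldCaInDbx)
    }
}

Get-SecureBootMitigationState | Format-List
```

Run it on a machine before and after the KB5025885 steps and the Mitigated field flips from False to True; a machine reporting SecureBootEnabled False is not protected by any of this regardless of what the update installed.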

CVE-2024-26234 is one of the zero-days of the month and is marked as under active exploitation. This Proxy Driver Spoofing vulnerability affects systems as far back as Windows Server 2008 and involves a malicious executable signed with a valid Microsoft Hardware Publisher certificate, so a signature that validates is not, on its own, evidence that a driver is benign. For a detailed write-up of its discovery, see the Sophos X-Ops report.
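Since the malicious file in this case carried a valid Microsoft-issued signature, the useful triage question is not “is it signed?” but “who signed it, and does the publisher in the file match what you expect?”. The script below is an added example for this post, not code from N-able or from the Sophos report, and it does not reproduce any indicator from that report. It lists the kernel drivers currently running, resolves their NT-style paths, and reports the Authenticode signer and the CompanyName from each file’s version resource, flagging drivers signed through the hardware compatibility program but attributed to a non-Microsoft publisher, which is the class of third-party driver that deserves a second look against your inventory. The signer name string is an assumption about the subject of the WHCP signing certificate; adjust it if your drivers show a different subject.

```powershell
# Added example: enumerate running drivers with their signer and publisher for triage.
# Assumption: WHCP-signed third-party drivers carry this string in the signer subject.
$WhcpSignerName = 'Microsoft Windows Hardware Compatibility Publisher'

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName may use NT prefixes (\??\, \SystemRoot\) or be relative.
    if ([string]::IsNullOrEmpty($PathName)) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
    return $p
}

function Get-RunningDriverSigners {
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }

            # Authenticode check: Status tells you whether the signature validates,
            # SignerCertificate.Subject tells you who vouched for the file.
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

            # Version resource is attacker-controlled metadata, but a mismatch between
            # it and the signer is still a cheap lead worth reviewing.
            $ver = (Get-Item -LiteralPath $path).VersionInfo

            [pscustomobject]@{
                Name        = $_.Name
                Path        = $path
                Status      = $sig.Status
                Signer      = $signer
                CompanyName = $ver.CompanyName
                WhcpSigned  = ($signer -like "*$WhcpSignerName*")
            }
        }
}

# Drivers signed via the hardware program but not attributed to Microsoft in their
# own version info: legitimate vendor drivers will show up here too, so compare the
# list against what you expect to be installed rather than treating it as a verdict.
Get-RunningDriverSigners |
    Where-Object { $_.WhcpSigned -and $_.CompanyName -notlike '*Microsoft*' } |
    Sort-Object CompanyName |
    Format-Table Name, CompanyName, Status, Path -AutoSize
```

Export the full output of Get-RunningDriverSigners from a known-good build and diff later runs against it; a new WHCP-signed driver from an unfamiliar publisher is the kind of change this vulnerability makes worth noticing.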

CVE-2024-29988 is the second zero-day of the month; while it is only designated Exploitation More Likely, there are already reports of it being exploited in the wild. This SmartScreen Prompt Security Feature Bypass vulnerability lets an attacker evade the Mark of the Web checks that SmartScreen relies on and deliver payloads inside zipped or otherwise archived files.
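Mark of the Web is what SmartScreen keys off, and it lives in an NTFS alternate data stream named Zone.Identifier on the downloaded file; the weakness here is that files pulled out of an archive can arrive without it. The script below is an added example for this post, not N-able’s code, that reads that stream so you can check whether files extracted by a given tool still carry the mark. It assumes an NTFS volume (alternate data streams do not exist on FAT/exFAT) and constructs its own sample archive in the temp folder; whether the files come out marked depends on the archiver doing the extraction, which is exactly what you would be testing for the tools your users have.

```powershell
# Added example: report Mark of the Web (Zone.Identifier ADS) on extracted files.
# Assumption: NTFS volume; sample archive below is constructed for the demo.

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the key/value pairs of the Zone.Identifier stream, or $null if there is none.
    try {
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null
    }
    $props = @{}
    foreach ($line in $lines) {
        # Lines look like "ZoneId=3" or "ReferrerUrl=https://..."; "[ZoneTransfer]" is the header.
        if ($line -match '^\s*([^=\[\]]+?)\s*=\s*(.*)$') { $props[$matches[1]] = $matches[2] }
    }
    return $props
}

function Test-ExtractedFilesKeepMotw {
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -LiteralPath $Folder -File -Recurse | ForEach-Object {
        $motw = Get-MarkOfTheWeb -Path $_.FullName
        $zone = $null; $ref = $null
        if ($motw) { $zone = $motw['ZoneId']; $ref = $motw['ReferrerUrl'] }
        [pscustomobject]@{
            File        = $_.FullName
            HasMotw     = ($null -ne $motw)
            ZoneId      = $zone      # 3 = Internet zone, the value that triggers SmartScreen
            ReferrerUrl = $ref
        }
    }
}

# Constructed demo: build a zip, stamp it as if a browser had downloaded it from the
# Internet, extract it with the archiver under test, and inspect the extracted files.
$work = Join-Path $env:TEMP ('motw-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path "$work\src" | Out-Null
Set-Content -Path "$work\src\payload.txt" -Value 'constructed sample content'
Compress-Archive -Path "$work\src\*" -DestinationPath "$work\sample.zip"
# Simulate the browser's download stamp on the archive itself.
Set-Content -Path "$work\sample.zip" -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

# Swap this line for the archiver you want to evaluate (Explorer, 7-Zip, WinRAR, ...).
Expand-Archive -Path "$work\sample.zip" -DestinationPath "$work\out"

Test-ExtractedFilesKeepMotw -Folder "$work\out" | Format-Table -AutoSize
Remove-Item -LiteralPath $work -Recurse -Force
```

A row with HasMotw False for a file that came out of an Internet-zone archive means SmartScreen will never be consulted when that file is opened; that is the condition this bug class exploits, and the check is just as useful for validating your own archiver and mail-gateway configuration after patching.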

Microsoft Patch Tuesday Vulnerability Prioritization

Addressing vulnerabilities effectively requires a mix of adhering to established best practices and leveraging informed judgment. While it’s a natural instinct to rank vulnerabilities with Critical severity ratings at the top of the list, relying on severity ratings alone can be limiting. An often-overlooked component is the temporal side of the picture (in CVSS terms, exploit code maturity and remediation level), which reflects the window of vulnerability: the time from initial discovery to the availability and application of a patch. This matters because the longer a vulnerability exists without a fix, the greater the potential for exploitation. By integrating these temporal signals into the risk evaluation process, organizations gain a more complete understanding of the threat landscape and likely attack vectors, and avoid leaving themselves open to unnecessary risk.

Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, EU = Exploitation Unlikely, N/A = Not Available

CVE Number | CVE Title | Severity | Status
--- | --- | --- | ---
CVE-2024-26234 | Proxy Driver Spoofing Vulnerability | I | ED
CVE-2023-24932 | Secure Boot Security Feature Bypass Vulnerability | I | ED
CVE-2024-29053 | Microsoft Defender for IoT Remote Code Execution Vulnerability | C | ELL
CVE-2024-21323 | Microsoft Defender for IoT Remote Code Execution Vulnerability | C | ELL
CVE-2024-21322 | Microsoft Defender for IoT Remote Code Execution Vulnerability | C | ELL
CVE-2024-29056 | Windows Authentication Elevation of Privilege Vulnerability | I | EML
CVE-2024-26239 | Windows Telephony Server Elevation of Privilege Vulnerability | I | EML
CVE-2024-26230 | Windows Telephony Server Elevation of Privilege Vulnerability | I | EML
CVE-2024-26212 | DHCP Server Service Denial of Service Vulnerability | I | EML
CVE-2024-26211 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | I | EML
CVE-2024-26241 | Win32k Elevation of Privilege Vulnerability | I | EML
CVE-2024-26218 | Windows Kernel Elevation of Privilege Vulnerability | I | EML
CVE-2024-26209 | Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability | I | EML
CVE-2024-29988 | SmartScreen Prompt Security Feature Bypass Vulnerability | I | EML
CVE-2024-28903 | Secure Boot Security Feature Bypass Vulnerability | I | EML
CVE-2024-28921 | Secure Boot Security Feature Bypass Vulnerability | I | EML
CVE-2024-26158 | Microsoft Install Service Elevation of Privilege Vulnerability | I | EML
CVE-2024-26256 | libarchive Remote Code Execution Vulnerability | I | EML
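To make the prioritization argument above concrete, here is an added example (not N-able’s code or a scoring scheme from the post) that ranks rows from this month’s table using severity together with the temporal signals: exploitation status, zero-day status, and how long the CVE has been public without a fix applied. The weights, the tier cut-offs, and the published dates (assumed to be the Patch Tuesday on which each CVE was first released) are illustrative assumptions to tune for your environment; the point is that an Important-rated, actively exploited zero-day lands above a Critical-rated bug that nobody is exploiting.

```powershell
# Added example: prioritize patches by severity plus temporal signals, not severity alone.
# Weights and tier rules are assumptions for illustration.
$SeverityWeight = @{ C = 40; I = 25; M = 10; R = 5 }
$StatusWeight   = @{ ED = 50; EML = 30; ELL = 10; EU = 0; 'N/A' = 5 }

function Get-PatchPriority {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Vuln,
        [datetime]$AsOf = (Get-Date),   # evaluation date, so the age term is reproducible
        [int]$ZeroDayBonus = 20,
        [int]$MaxAgeBonus = 30
    )
    process {
        $score = [int]$SeverityWeight[$Vuln.Severity] + [int]$StatusWeight[$Vuln.Status]
        if ($Vuln.ZeroDay) { $score += $ZeroDayBonus }

        # Window of vulnerability: each week a CVE has been public without the fix applied
        # adds one point, capped so age alone can never outrank active exploitation.
        $daysPublic = [math]::Max(0, ($AsOf - $Vuln.Published).Days)
        $score += [math]::Min($MaxAgeBonus, [int][math]::Floor($daysPublic / 7))

        # Tiers give the change-management answer directly: what goes out of cycle?
        $tier = '3-Standard'
        if ($Vuln.Severity -eq 'C' -or $Vuln.Status -eq 'EML') { $tier = '2-This cycle' }
        if ($Vuln.Status -eq 'ED'  -or $Vuln.ZeroDay)          { $tier = '1-Emergency' }

        [pscustomobject]@{
            CVE = $Vuln.CVE; Title = $Vuln.Title; Severity = $Vuln.Severity
            Status = $Vuln.Status; DaysPublic = $daysPublic; Score = $score; Tier = $tier
        }
    }
}

# Input rows taken from the table above. Published dates are assumed: 2024-04-09 for this
# month's CVEs, 2023-05-09 for the re-issued CVE-2023-24932.
$apr   = [datetime]'2024-04-09'
$vulns = @(
    [pscustomobject]@{ CVE='CVE-2024-26234'; Title='Proxy Driver Spoofing';      Severity='I'; Status='ED';  ZeroDay=$true;  Published=$apr }
    [pscustomobject]@{ CVE='CVE-2023-24932'; Title='Secure Boot SFB';            Severity='I'; Status='ED';  ZeroDay=$false; Published=[datetime]'2023-05-09' }
    [pscustomobject]@{ CVE='CVE-2024-29053'; Title='Defender for IoT RCE';       Severity='C'; Status='ELL'; ZeroDay=$false; Published=$apr }
    [pscustomobject]@{ CVE='CVE-2024-29988'; Title='SmartScreen Prompt SFB';     Severity='I'; Status='EML'; ZeroDay=$true;  Published=$apr }
    [pscustomobject]@{ CVE='CVE-2024-26256'; Title='libarchive RCE';             Severity='I'; Status='EML'; ZeroDay=$false; Published=$apr }
    [pscustomobject]@{ CVE='CVE-2024-26212'; Title='DHCP Server DoS';            Severity='I'; Status='EML'; ZeroDay=$false; Published=$apr }
)

# Evaluate two weeks after release: the two zero-days and the year-old Secure Boot
# re-issue come out on top; the Critical IoT RCE sorts below them on this scheme.
$vulns | Get-PatchPriority -AsOf $apr.AddDays(14) | Sort-Object Tier, { -$_.Score } | Format-Table -AutoSize
```

Feed it your full vulnerability export rather than six hand-typed rows and the same function gives you a defensible order of operations for the month; the tier column is the part most teams actually need for scheduling reboots.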

Summary

As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally applied patches based on severity alone, consider adding prioritization for zero-day, Exploitation Detected, and Exploitation More Likely vulnerabilities to your patch management routine.

Looking for more blogs on patching, or for previous Microsoft Patch Tuesday reviews? Check out the Patch Management section of our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd 

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.

This document is provided for informational purposes only. It should not be relied upon for legal advice. N‑able makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.

N-ABLE, N-CENTRAL, and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common-law marks, registered, or pending registration with the U.S. Patent and Trademark Office or in other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (or registered trademarks) of their respective companies.