Microsoft Patches 150 Flaws Including Two Zero-Days

Written by

This month’s Patch Tuesday security update round from Microsoft was a busy one, with 150 CVEs fixed including two zero-days actively exploited in attacks.

The two zero-days are CVE-2024-29988 and CVE-2024-26234.

“Microsoft fixed a SmartScreen Prompt security feature bypass vulnerability this month with CVE-2024-29988, which is credited to some of the same researchers that disclosed a similar flaw in February (CVE-2024-21412) that was exploited as a zero-day,” explained Satnam Narang, senior staff research engineer at Tenable. “Social engineering through direct means (email and direct messages) that requires some type of user interaction is a typical route for exploitation for this type of flaw.”

The second zero-day is described as a “proxy driver spoofing” bug, but the flaw was initially not reported by Microsoft as being under live exploitation. That has changed after notification by Sophos.

Read more on Patch Tuesday: Microsoft Fixes Two Zero-Days in February Patch Tuesday

In total, there were just three critical-rated vulnerabilities patched this month by Microsoft – CVE-2024-29053, CVE-2024-21322 and CVE-2024-21323. All of these are listed as Microsoft Defender for IoT remote code execution vulnerabilities.

“These vulnerabilities have been critically rated for their potential impact on the confidentiality, integrity and availability of the systems they afflict. Stemming from an absolute path traversal flaw, as categorized by the Common Weakness Enumeration (CWE-36), these vulnerabilities expose a pathway for attackers to access and manipulate directories and files located beyond the web root folder,” explained Action1 president, Mike Walters.

“The exploitation of such vulnerabilities could empower an attacker to remotely execute arbitrary code on a victim’s system. The implications of this are profound, ranging from full system control, service disruptions, sensitive data leakage, to further network propagation.”

Of the 60+ remote code execution (RCE) flaws fixed this month, more than half are found in SQL drivers.

What’s hot on Infosecurity Magazine?