Microsoft corks Windows zero-day on April Patch Tuesday

The company delivered one of its largest security update releases in recent years with a proxy driver spoofing vulnerability topping the patching priority list.

Admins have a Windows zero-day to address as part of one of the largest security update releases in recent memory.

Microsoft released security updates for 149 vulnerabilities for April Patch Tuesday, affecting a wide range of its software products, including Microsoft Office and its SQL Server database product. Most flaws are in the Windows operating system that admins can resolve with the cumulative update. There were also nine CVEs for the Azure cloud platform that will require extensive investigation and coordination by the Azure DevOps team to avoid breaking functionality due to the complex nature of Azure's interconnected services.

Windows zero-day tops patching priority list

Microsoft resolved a zero-day that was also publicly disclosed that affects Windows desktop and server OSes. CVE-2024-26234 is a proxy driver spoofing vulnerability rated important with a CVSS rating of 6.7. An attacker would need high privileges to exploit the flaw to spoof the identity of the proxy driver to take over the system.

Chris Goettl, vice president of product management for security products, IvantiChris Goettl

Microsoft reported the vulnerability was under active exploitation in the wild, which typically means admins should apply the Windows cumulative update to their systems quickly to avoid a security breach. Chris Goettl, vice president of product management for security products at Ivanti, said the relatively low rating and CVSS score could be problematic.

"This is going to be missed by a lot of organizations if they just do the standard approach to prioritizing updates," he said, adding "Chances are this is an example of one that could fly under the radar and not get prioritized effectively."

Multiple fixes released for SQL Server

Admins who manage Microsoft's SQL Server have more patching work than usual this month. The relational database management system product has 41 fixes, all for remote-code execution vulnerabilities.

"All the issues involve connecting to a malicious server that sends malicious data in order to compromise a client," Microsoft wrote on its SQL Server blog.

Goettl said that the amount of security updates coupled with the complexity of SQL Server management could put some organizations at risk because it takes time to deploy the patches in a safe manner.

Three critical Microsoft Defender for IoT flaws resolved

All three critical vulnerabilities for April Patch Tuesday affect Microsoft Defender for IoT, formerly Azure Defender for IoT, which checks IoT devices for security issues. CVE-2024-21322, CVE-2024-21323 and CVE-2024-29053 are all remote-code execution vulnerabilities.

One of the more dangerous flaws is CVE-2024-29053, which has an 8.8 CVSS rating.

"Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges," Microsoft wrote in its CVE notes.

Microsoft also tackled three additional Microsoft Defender for IoT flaws this month. CVE-2024-21324, CVE-2024-29054 and CVE-2024-29055 are all elevation-of-privilege vulnerabilities rated important.

Nine Azure vulnerabilities require attention this month

Enterprises that are heavily invested in Microsoft's Azure cloud platform could face up to nine vulnerabilities this month. The Azure DevOps team will need to investigate each CVE to determine the prerequisites, then prioritize the order to handle each correction.

The CVEs include the following:

  • Azure, CVE-2024-29993 (no CVSS rating).
  • Azure AI Search, CVE-2024-29063, CVSS 7.3.
  • Azure Arc, CVE-2024-28917, CVSS 6.2.
  • Azure Compute Gallery, CVE-2024-21424, CVSS 6.5.
  • Azure Migrate, CVE-2024-26193, CVSS 6.4.
  • Azure Monitor,   CVE-2024-29989, CVSS 8.4.
  • Azure Private 5G Core, CVE-2024-20685, CVSS 5.9.
  • Azure SDK, CVE-2024-29992, CVSS 8.0.
  • Microsoft Azure Kubernetes Service, CVE-2024-29990, 9.0.

According to Goettl, preparation is key for handling these Azure-related CVEs, some of which may require using PowerShell scripting or the Azure CLI to resolve.

"The good news is most of the vulnerabilities can be corrected in one place. You don't need to update every single machine across your entire environment, but there is a lot of configuration level work this month for Azure," he said.

Memory leak bug from March Patch Tuesday hits domain controllers

Admins who applied the March security update to their Windows Server machines might have experienced memory leak issues in the Local Security Authority Subsystem Service, leading to crashes on domain controllers.

Microsoft issued an out-of-band patch 10 days later on March 22 to fix the problem and recommended that admins install KB5037422 from the Microsoft Update Catalog.

Goettl said these types of issues can keep admins from patching in a timely manner. He said the IT department needs to find the balance to keep the business running without disruption while patching quickly to avoid security risks. He said one key to this process is to implement a pilot environment, then roll out patches in stages with user machines at the front and keep security updates for the most important systems at the end.

"In most breaches, they don't get straight to that that domain controller or SQL Server in the first hop," he said. "They get on an end user machine and move around the environment, collecting credentials, then they find their way into the sensitive areas. If you can mitigate the risk in the earlier part of that attack chain, that may offset the risk of delaying updates out to the critical infrastructure for a little while longer."

Tom Walat is the site editor for TechTarget Editorial's Windows Server site, where he manages all site content. Walat previously worked for a newspaper in the Greater Boston area.

Next Steps

Microsoft handles 2 Windows zero-days on May Patch Tuesday

Dig Deeper on IT operations and infrastructure management