Patch Tuesday: Windows Server 2008 receives emergency security patch

Microsoft’s latest Patch Tuesday for April 2024 covers 155 vulnerabilities, three of which are classified as critical. The update includes 145 classified as “important severity”.

There is also an emergency patch for the Proxy Driver Spoofing Vulnerability (CVE-2024-26234), which impacts Windows desktop and server operating systems. Microsoft has released security patches for end-of-life versions of the operating system including Windows Server 2008, where support ended on 14th January 2020.

Rapid7 noted that when it originally published the advisory for CVE-2024-26234, Microsoft did not indicate it was aware of in-the-wild exploitation or public exploit disclosure. However, late on the day of publication, Microsoft updated the advisory to acknowledge awareness of both in-the-wild exploitation and public disclosure.

Microsoft Defender for IoT, the Azure-deployable agentless tool for monitoring internet of things (IoT) and operational technology (OT) devices has three critical vulnerabilities addressed in the latest Patch Tuesday update.

The update patches three critical remote code execution (RCE) vulnerabilities in the tool. The first exploitation requires the attacker to have existing administrative access to the Defender for IoT web application.  

In a blog discussing the three critical vulnerabilities, Qualys stated that for the CVE-2024-21323 vulnerability, an attacker must be an administrator of the web application to exploit the vulnerability. Successful exploitation of the vulnerability may lead to remote code execution on target systems. CVE-2024-29053 also requires admin access.

Qualys said that successful exploitation of this path traversal vulnerability requires an authenticated attacker, with access to the file upload feature, to upload malicious files to sensitive locations on the server.

Like the other two attack vectors, the third critical vulnerability in Microsoft Defender for IoT, CVE-2024-21323, requires admin rights. Qualysy said an attacker must send a tar (tape archive) file to the Defender for IoT sensor. This is a file format used to compress data.

After the extraction process, where the file is uncompressed, the attacker may send unsigned update packages and overwrite any file they choose. The attacker must first authenticate themselves and gain the necessary permissions to initiate the update process, Qualys explained in the blog post.

Along with the critical vulnerabilities in Defender for IoT, the Patch Tuesday update includes a patch for CVE-2024-29988. This fixes a security bypass vulnerability for SmartScreen. Defender SmartScreen is a feature in Windows that helps protect users from online threats like malware and phishing.

It does this by checking websites and downloaded files against a database of unsafe websites. Lansweeper’s blog post covering CVE-2024-29988 reported that to exploit this security feature bypass vulnerability, an attacker would need to convince a user to launch malicious files using a launcher application that has no user interface.

“CVE-2024-29988 has a CVSS score of 8.8 and Microsoft lists it as one of the vulnerabilities that is more likely to be exploited,” Lansweep stated in the blog post.