Patch Tuesday - April 9 2024

Patch Tuesday - April 9 2024

Microsoft fixes 150 flaws in April 2024 Patch Tuesday Security Updates. Two zero-day’s were fixed in this month’s security updates.

UPDATE: Additional Information regarding zero day vulnerabilitie has been added as Microsoft did not initially address them as exploited.

On the second Tuesday of each month, Microsoft releases advisories and patches to fix flaws, vulnerabilities, and zero-day exploits in what has come to be known as Patch Tuesday. Below is the rundown of this month’s Patch Tuesday.

Microsoft patches 150 vulnerabilities, 2 zero-day exploits this month

Today, according to Microsoft’s April 2024 Security Update [Release notes][releasenotes], the software company released fixes for 149 flaws in its Microsoft Windows and Microsoft Windows Server operating systems, and other Microsoft products. Let’s break down this month’s fixes. Zero-Day’s

According to [Bleeping Computer][bleepingcomputer], “Microsoft initially failed to mark the zero days as actively exploited, but Sophos and Trend Micro shared information on how they were actively exploited in attacks”: • CVE-2024-26234 - Proxy Driver Spoofing Vulnerability • CVE-2024-29988 - SmartScreen Prompt Security Feature Bypass Vulnerability

Vulnerability Breakdown

Below is the breakdown of the type of vulnerabilities in this month’s release and how many of each type:

Impact Type Number
Denial of Service 7
Elevation of Privilege 31
Information Disclosure 13
Remote Code Excecution 67
Security Feature Bypass 29
Spoofing 3

Critical Vulnerabilities

Microsoft listed three vulnerabilities as critical in this month’s release, all three of which affecting the Microsoft Defender for IoT product.

CVE Number Vulnerability Title
CVE-2024-29053 Microsoft Defender for IoT Remote Code Execution Vulnerability
CVE-2024-21323 Microsoft Defender for IoT Remote Code Execution Vulnerability
CVE-2024-21322 Microsoft Defender for IoT Remote Code Execution Vulnerability

About Timothy Wilson

Tim is an avid homelabber with a passion for information security, threat hunting, and vulnerability research.