Microsoft has patched over 147 flaws in its largest Patch Tuesday release since 2017, including two actively exploited vulnerabilities.
One of the actively exploited bugs is an important-severity spoofing vulnerability in the Windows Proxy Driver (CVE-2024-26234). Microsoft originally said on Tuesday that the flaw was not being exploited in the wild, but it later updated the advisory to confirm that the flaw had been both publicly disclosed and exploited.
The flaw was discovered by Christopher Budd, director of threat research with Sophos X-Ops. In an analysis released on Tuesday of the exploitation activity surrounding the flaw, Sophos researchers said that in December they found a malicious file signed with a valid Microsoft Hardware Publisher Certificate. Further investigation of internal data and VirusTotal reports showed that the executable had previously been bundled in a setup file for a product called LaiXi Android Screen Mirroring, which is marketed as software that connects to and controls hundreds of mobile phones in order to automate tasks like following, liking and commenting in batches.
“It’s worth noting that while we can’t prove the legitimacy of the LaiXi software – the GitHub repository has no code as of this writing, but contains a link to what we assume is the developer’s website – we are confident that the file we investigated is a malicious backdoor,” said Andreas Klopsch with Sophos X-Ops in the Tuesday analysis.
According to the researchers, the file embeds a tiny freeware proxy server, which they assessed the attackers used to monitor and intercept network traffic on infected systems. Sophos researchers also noted that Stairwell researchers had published a separate, independent investigation into LaiXi in January, prompted by a tweet by Johann Aydinbas.
“We immediately reported our findings to the Microsoft Security Response Center,” according to Klopsch. “After validating our discovery, the team at Microsoft has added the relevant files to its revocation list (updated today as part of the usual Patch Tuesday cycle; see CVE-2024-26234).”
A second important-severity flaw in Microsoft’s security update was reported by an outside security researcher as exploited in the wild. The flaw is in Microsoft’s SmartScreen Prompt, a security feature that is part of Defender and warns users about websites that might be malicious. The vulnerability (CVE-2024-29988) could enable remote code execution. Microsoft does not list it as exploited, but according to Trend Micro, the flaw was observed being targeted by attackers.
“This is an odd one, as a ZDI threat researcher found this vulnerability being exploited in the wild, although Microsoft currently doesn’t list this as exploited,” said Dustin Childs with the Zero Day Initiative in an analysis of the Patch Tuesday updates. “I would treat this as in the wild until Microsoft clarifies.”
According to Childs, the flaw enables attackers to bypass the Mark of the Web feature (the marker Windows adds to files from an untrusted location, which triggers a warning when such a file is opened) and execute malware on targeted systems. The flaw is similar to another actively exploited vulnerability disclosed by Microsoft in February (CVE-2024-21412), which was used in attacks to bypass Microsoft Defender SmartScreen and infect financial market trading companies with the DarkMe malware.
“Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass MotW,” said Childs.
As of Wednesday, Microsoft still did not list the vulnerability as exploited in its security update, though the company rates exploitation as “more likely.” To exploit the bug, an attacker would need to convince a user to launch malicious files using a launcher application that requests that no UI be shown, according to Microsoft.
Peter Girnus with Trend Micro’s Zero Day Initiative, and Dmitrij Lenz and Vlad Stolyarov with Google's Threat Analysis Group, were credited with reporting the flaw.
Microsoft also fixed three critical-severity flaws in Microsoft Defender for IoT, its security product for Internet of Things devices. All three flaws (CVE-2024-21322, CVE-2024-21323 and CVE-2024-29053) can enable remote code execution if exploited. Of the three, CVE-2024-21322 has the highest CVSS score (8.8 out of 10), but Microsoft’s advisory for the flaw notes that attackers must already have administrative access to the Defender for IoT web application in order to exploit it.
“As is best practice, regular validation and audits of administrative groups should be conducted,” according to the security advisory.