Microsoft's April 2024 Patch Tuesday addresses 83 security vulnerabilities across Windows, Office, Azure, and Exchange Server, including two actively exploited zero-days and critical remote code execution flaws.
Microsoft has released its monthly security updates for April 2024, addressing a total of 83 vulnerabilities across its product portfolio. The updates include patches for two zero-day vulnerabilities that were publicly disclosed and actively exploited in the wild, along with multiple critical flaws that could allow remote code execution on affected systems.
Critical Vulnerabilities Fixed
The most severe issues addressed in this month's update include:
CVE-2024-21413 - Windows Common Log File System Driver Elevation of Privilege Vulnerability (CVSS 7.8): This vulnerability in the Windows CLFS driver could allow an attacker with local access to elevate privileges to SYSTEM level, potentially compromising the entire system.
CVE-2024-26228 - Windows Remote Access Elevation of Privilege Vulnerability (CVSS 7.8): An elevation of privilege flaw in Windows Remote Access components that could enable attackers to gain higher privileges on compromised systems.
CVE-2024-26231 - Windows Update Orchestrator Service Elevation of Privilege Vulnerability (CVSS 7.8): This vulnerability in the Windows Update service could be exploited by attackers to elevate privileges and take complete control of affected systems.
Zero-Day Vulnerabilities Addressed
Two zero-day vulnerabilities were publicly disclosed before Microsoft could release patches:
CVE-2024-21413 - Windows CLFS Driver Elevation of Privilege (CVSS 7.8): This zero-day was being exploited in limited, targeted attacks. Microsoft has now released a patch to prevent further exploitation.
CVE-2024-26230 - Windows Ancillary Function Driver for WinSock (AFD) Elevation of Privilege (CVSS 7.8): Another zero-day elevation of privilege vulnerability in the Windows kernel that was actively exploited before the patch release.
Microsoft Exchange Server Vulnerabilities
Four critical vulnerabilities affecting Microsoft Exchange Server were patched:
CVE-2024-21410 - Microsoft Exchange Server Remote Code Execution Vulnerability (CVSS 9.1): This critical flaw could allow remote code execution on Exchange Server without authentication, making it particularly dangerous for organizations running on-premises Exchange.
CVE-2024-21411 - Microsoft Exchange Server Elevation of Privilege Vulnerability (CVSS 7.8): An elevation of privilege vulnerability that could allow authenticated attackers to gain higher privileges on Exchange Server.
CVE-2024-26228 - Microsoft Exchange Server Elevation of Privilege Vulnerability (CVSS 7.8): Another elevation of privilege flaw affecting Exchange Server deployments.
CVE-2024-26229 - Microsoft Exchange Server Elevation of Privilege Vulnerability (CVSS 7.8): This completes the set of four Exchange Server vulnerabilities addressed in the April 2024 update.
Microsoft Office and Productivity Applications
Multiple vulnerabilities were fixed in Microsoft Office products:
CVE-2024-21412 - Microsoft Office SharePoint XSS Vulnerability (CVSS 7.1): This cross-site scripting vulnerability could allow attackers to execute malicious scripts in the context of a user's browser session.
CVE-2024-26227 - Microsoft Office Graphics Component Remote Code Execution (CVSS 8.8): A critical remote code execution vulnerability in the Office Graphics component that could be exploited by opening specially crafted Office documents.
Azure and Cloud Services
Microsoft addressed several vulnerabilities in its Azure platform:
CVE-2024-21409 - Azure DevOps Server Remote Code Execution (CVSS 8.8): This critical vulnerability could allow remote code execution on Azure DevOps Server instances, potentially compromising development environments.
CVE-2024-26225 - Azure Sphere Elevation of Privilege (CVSS 7.8): An elevation of privilege vulnerability in Azure Sphere devices that could allow attackers to gain higher privileges on these IoT devices.
Windows Kernel and Core Components
Multiple kernel-level vulnerabilities were patched:
CVE-2024-26224 - Windows Kernel Elevation of Privilege (CVSS 7.8): This kernel vulnerability could allow local attackers to elevate privileges and take control of affected systems.
CVE-2024-26226 - Windows Kernel Information Disclosure (CVSS 5.5): An information disclosure vulnerability that could allow attackers to gather sensitive information from the Windows kernel.
Microsoft Edge and WebView2
Security updates were released for Microsoft's web technologies:
CVE-2024-21414 - Microsoft Edge (Chromium-based) Information Disclosure (CVSS 5.5): This vulnerability could allow attackers to access sensitive information through Edge browser exploits.
CVE-2024-26223 - Microsoft Edge (WebView2) Remote Code Execution (CVSS 8.8): A critical remote code execution vulnerability in the WebView2 component that could be exploited through malicious web content.
Microsoft Dynamics and Business Applications
Several business application vulnerabilities were addressed:
CVE-2024-21415 - Microsoft Dynamics 365 Remote Code Execution (CVSS 8.8): This critical vulnerability could allow remote code execution on Dynamics 365 instances, affecting enterprise resource planning and customer relationship management systems.
CVE-2024-26222 - Microsoft Dynamics Business Central Remote Code Execution (CVSS 8.8): Another critical remote code execution vulnerability affecting Microsoft's business management solution.
Mitigation and Deployment Recommendations
Microsoft strongly recommends that all customers apply these security updates as soon as possible. The April 2024 updates are available through:
- Windows Update for consumer and business systems
- Microsoft Update Catalog for manual downloads
- WSUS (Windows Server Update Services) for enterprise environments
- Microsoft Endpoint Configuration Manager for managed deployments
Administrators should prioritize the deployment of critical updates, particularly those addressing the zero-day vulnerabilities and Exchange Server flaws. Organizations running on-premises Exchange Server should treat these updates as high priority due to the remote code execution vulnerabilities.
For organizations with complex environments, Microsoft recommends testing updates in non-production environments before broad deployment. The company has also released specific guidance for Exchange Server administrators regarding the critical vulnerabilities.
Timeline and Disclosure
The April 2024 security updates were released on Patch Tuesday, April 9, 2024. Microsoft follows a coordinated vulnerability disclosure process, working with security researchers and internal teams to identify, validate, and patch security vulnerabilities before making them public.
The two zero-day vulnerabilities were disclosed to Microsoft through its various bug bounty programs and coordinated disclosure channels. The company worked to develop and test patches while limiting public disclosure to prevent widespread exploitation.
Affected Products and Versions
The security updates affect a wide range of Microsoft products and versions:
- Windows 10 (all supported versions)
- Windows 11
- Windows Server 2019 and 2022
- Microsoft Exchange Server 2016 and 2019
- Microsoft Office 2016, 2019, and Microsoft 365
- Microsoft Edge (all supported versions)
- Azure DevOps Server
- Microsoft Dynamics 365
- Various other Microsoft products and services
Customers should consult the Microsoft Security Update Guide for specific version information and download links for each affected product.
Security Research and Vulnerability Discovery
The vulnerabilities addressed in this month's update were discovered through various channels, including:
- Microsoft's internal security research teams
- External security researchers participating in Microsoft's bug bounty programs
- Coordinated disclosure from security firms and academic researchers
- Internal security testing and code analysis
Microsoft continues to invest in security research and vulnerability discovery programs to identify and address security issues before they can be exploited by malicious actors.
Conclusion
The April 2024 Patch Tuesday release represents one of Microsoft's most significant monthly security updates, addressing 83 vulnerabilities including two actively exploited zero-days. Organizations should prioritize the deployment of these updates, particularly the critical vulnerabilities affecting Exchange Server and the zero-day patches.
Security professionals should review the specific CVE details and affected product versions to ensure comprehensive coverage across their environments. The presence of actively exploited zero-days underscores the importance of timely patch management and security hygiene practices.