Patch Tuesday: Microsoft fixed 149 security flaws in its own products this week, and while Redmond acknowledged one of those vulnerabilities is being actively exploited, we've been told another hole is under attack, too.
The bug the IT giant said was being abused in the wild is CVE-2024-26234, described as a proxy driver spoofing vulnerability in Windows.
Microsoft initially listed it as non-exploited, then during the day upgraded that to exploited.
Running the program would introduce the backdoor on the victim's PC. Now, according to Sophos, Microsoft has revoked the software's certification and assigned the issue CVE-2024-26234.
According to Redmond, that was the only security hole exploited in the wild addressed in its Patch Tuesday for April.
Trend Micro's Zero Day Initiative says a separate vulnerability, spotted and reported by bug hunter Peter Girrus, was under attack in the wild before Microsoft issued a patch this week.
Let's start with the bug ZDI categorizes as being under exploit in the wild.
This one is a SmartScreen prompt security feature bypass vulnerability tracked as CVE-2024-29988, and it received an 8.8 out of 10 CVSS severity rating.
Assuming an attacker can fool someone into clicking on a malicious link or opening a malware-laden file, the bug allows them to bypass the SmartScreen security feature in Windows that's supposed to alert users to any untrusted websites or other threats.
While Microsoft's monthly patch party fixes 70 CVEs that allow remote code execution, it only classified three of these as critical-severity bugs and all three are in Microsoft Defender for IoT. First up: CVE-2024-21322, which received a 7.2 CVSS rating.
Adobe this month issued nine patches that fix 24 CVEs across its products, and none are listed as under attack or publicly known.
Two critical vulnerabilities, one in Adobe Commerce and another present in Media Encoder, could allow remote code execution.
SAP released a dozen new and updated security notes.
Of the trio, #3434839 patches a so-called security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine that received an 8.8 CVSS score.
Another high priority note, #3421384, fixes an information disclosure vulnerability in SAP BusinessObjects Web Intelligence, while the third high priority one, #3438234, addresses a directory traversal vulnerability in two programs of SAP Asset Accounting.
Fortinet released updates to fix security holes in FortiOS and FortiProxy.
CVE-2023-48784, in the FortiOS command line interface, could allow a local attacker with admittedly super-admin privileges and CLI access to execute arbitrary code.
Plus, there's a patch for CVE-2024-23662 in FortiOS that, if the bug is exploited, can lead to information disclosure.
The most serious of the bunch is an unauthenticated command injection vulnerability in SD-WAN Edge tracked as CVE-2024-22246.
Rounding out April's Patchapalooza, albeit over a week early, Google has addressed almost 30 bugs affecting Android devices in this month's Android Security Bulletin.
This Cyber News was published on go.theregister.com. Publication date: Wed, 10 Apr 2024 00:58:04 +0000