April 10, 2024 at 06:18AM
Microsoft’s April 2024 Patch Tuesday updates fix around 150 vulnerabilities, including two zero-day vulnerabilities that are being exploited. The first, CVE-2024-26234, is a proxy driver spoofing flaw in Windows, reportedly used to embed a backdoor in an Android screen-mirroring app named LaiXi. Microsoft addressed this issue by adding the relevant files to its driver revocation list. The second, CVE-2024-29988, is a SmartScreen prompt security feature bypass; Trend Micro’s Zero Day Initiative confirmed its exploitation in the wild.
From the meeting notes, it is clear that Microsoft’s April 2024 Patch Tuesday updates address a significant number of vulnerabilities, including two zero-day vulnerabilities that have been exploited to deliver malware.
One of the vulnerabilities, CVE-2024-26234, was reported by Sophos and involves a proxy driver spoofing issue. This vulnerability was exploited to embed a malicious backdoor file into an Android screen mirroring application called LaiXi.
Further analysis by Sophos revealed that the malicious file contains a small freeware proxy server used to monitor and intercept network traffic on infected systems. While Sophos found no evidence that the LaiXi developers deliberately embedded the malicious file, it urged users to be extremely cautious when downloading, installing, and using LaiXi.
The second vulnerability, CVE-2024-29988, was reported by Trend Micro’s Zero Day Initiative. It is a SmartScreen prompt security feature bypass that has been observed being exploited in the wild by the threat group Water Hydra (DarkCasino), and it can be used to bypass the Mark of the Web (MotW) security feature.
It’s important to note that Microsoft’s advisory for CVE-2024-29988 does not mention malicious exploitation, but ZDI’s Peter Girnus, credited by Microsoft for reporting the vulnerability, confirmed its exploitation during research into the Water Hydra campaign.
In response to these findings, Microsoft addressed both vulnerabilities in its Patch Tuesday updates; for CVE-2024-26234 this included adding the relevant files to its driver revocation list. These vulnerabilities pose significant risks, so users should stay vigilant and apply the latest security updates from Microsoft to protect their systems.