The first thing anyone looking at this month's Microsoft security guidance will notice is the inclusion of Common Weakness Enumeration (CWE) information. Microsoft says this is a step toward greater transparency, and I commend them for it, but we are still facing a net reduction in transparency since the move from security bulletins to security guidance and cumulative updates. Many organizations that are serious about customer security already publish CWE data with their advisories, so in some ways Microsoft is playing catch-up by finally exposing it. With that said, it is still a step in the right direction.
For the past three months we saw 56, 73, and 61 Microsoft-issued CVEs for January, February, and March respectively. This month Microsoft has issued security guidance for 149 Microsoft-issued CVEs and republished 6 non-Microsoft CVEs, making this a very large month for enterprises to review. Most notable is that roughly a third of the vulnerabilities reference either Secure Boot or Microsoft SQL Server. Additionally, Azure features, including Microsoft Defender for IoT, account for 15 of the CVEs patched this month.
When Microsoft first released its April security guidance, it indicated that none of the vulnerabilities had been publicly disclosed or exploited. Shortly after the initial release, Microsoft published revision 1.1 of the guidance for CVE-2024-26234 to indicate that it had been both publicly disclosed and exploited in the wild. Sophos is credited with reporting the issue and has provided an incredibly detailed write-up, which also links to others who have discussed it. Based on the Sophos write-up, this threat actor has been operating for more than a year, and special attention should be paid to the indicators of compromise (IOCs) that Sophos released with its investigation.