April 10, 2024

Microsoft has fixed two zero-day vulnerabilities

Microsoft has addressed two zero-day security vulnerabilities in Windows that have been used in real-world attacks.

Microsoft has fixed two actively exploited zero-day vulnerabilities as part of the Patch Tuesday release of April 9th, 2024. Although the company did not initially flag these vulnerabilities as exploited, both were identified and addressed in the latest update.

CVE-2024-26234: Proxy Driver Forgery
A vulnerability registered under the identifier CVE-2024-26234 was identified as a proxy driver forgery. It was found while tracking a malicious file that was signed with a valid Microsoft Hardware Publisher certificate. The file was discovered by Sophos X-Ops in December 2023 and presented itself as the “Catalog Authentication Client Service” from the “Thales Catalog”.
Further investigation showed that the file is most likely an attempt to impersonate the Thales group, since it had previously been linked to LaiXi, a marketing application for Android screen mirroring.

After the initial publication of the security bulletin, Redmond updated the exploitation status of CVE-2024-26234 to confirm that the vulnerability had been used in real-world attacks and had been publicly disclosed. Other malicious drivers signed with legitimate WHCP certificates had previously been reported in July 2023 and December 2022, but at that time Microsoft published security advisories instead of assigning CVE IDs.

CVE-2024-29988: Bypassing the Mark of the Web Protection
A second zero-day vulnerability, quietly patched by Microsoft, has been registered as CVE-2024-29988. It is described as a flaw that allows the SmartScreen security feature to be bypassed and is classified as a protection mechanism failure.
CVE-2024-29988 is related to CVE-2024-21412 and was disclosed by Peter Girnus of Trend Micro’s Zero Day Initiative, together with Dmitry Lenz and Vlad Stolyarov of Google’s Threat Analysis Group. Dustin Childs, Head of Threat Awareness at ZDI, noted that the vulnerability has been actively used in attacks to deploy malware on Windows systems after bypassing detection mechanisms such as EDR/NDR and the Mark of the Web (MotW).

The financially motivated hacker group Water Hydra exploited CVE-2024-29988 and CVE-2024-21412, a zero-day vulnerability that was used on New Year’s Eve, to attack Forex trading forums and stock trading channels on Telegram. They did this through spear-phishing attacks that deployed the DarkMe remote access Trojan (RAT). CVE-2024-21412 was itself a bypass of the fix for another vulnerability, CVE-2023-36025, which was patched in November 2023 and had been exploited by the Ephemeral malware.

On April 9th, 2024, Microsoft released security patches for 150 vulnerabilities as part of Patch Tuesday; 67 of these were remote code execution vulnerabilities.
