March 2024 Patch Tuesday: Comment from Satnam Narang, Senior Staff Research Engineer, Tenable

“Of the 60 CVEs patched in this month’s Patch Tuesday release, only six are considered more likely to be exploited according to Microsoft’s Exploitability Index. These mostly include elevation of privilege vulnerabilities including CVE-2024-26182 (Windows Kernel), CVE-2024-26170 (Windows Composite Image File System (CimFS)), CVE-2024-21437 (Windows Graphics Component), and CVE-2024-21433 (Windows Print Spooler), which we often see exploited in the wild as zero-days as part of post-exploitation activity, typically by advanced persistent threat (APT) groups. APT groups are most likely to exploit zero-day elevation of privilege flaws compared to other types of cybercriminals, such as ransomware groups and their affiliates, because an APT group’s objective is typically espionage related. APT groups prefer to stay under the radar as much as possible, while a ransomware affiliate is focused on more of a smash and grab approach because their object is financial gain.

“While a number of the vulnerabilities this month are considered less likely to be exploited, they aren’t considered unlikely to be exploited. For instance, many of the vulnerabilities patched this month require social engineering to exploit. Whether it’s CVE-2024-21426, a remote code execution bug in Microsoft SharePoint Server, or CVE-2024-21443, an elevation of privilege flaw in Windows Kernel. This adds some complexity for an attacker, but if they are able to use social engineering to convince a potential target to open a file, then they will be able to take advantage of such flaws.

“An interesting vulnerability in this month’s Patch Tuesday release is CVE-2024-21390, an elevation of privilege flaw in Microsoft Authenticator. A prerequisite for an attacker to exploit this flaw is to already have a presence on the device either through malware or a malicious application. If a victim has closed and re-opened the Microsoft Authenticator app, an attacker could obtain multi-factor authentication codes and modify or delete accounts from the app. While exploitation of this flaw is considered less likely, we know that attackers are keen to find ways to bypass multi-factor authentication. Having access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites, but if the goal is to remain stealth, they could maintain this access and steal multi-factor authentication codes in order to login to sensitive accounts, steal data or hijack the accounts altogether by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts.

“The first quarter of Patch Tuesday in 2024 has been quieter compared to the last four years. On average, there were 237 CVEs patched in the first quarter from 2020 through 2023. In the first quarter of 2024, Microsoft only patched 181 CVEs. The average number of CVEs patched in March over the last four years was 86. This month, only 60 CVEs were patched. It’s unclear why there have been less CVEs patched this year. These numbers are more akin to the figures we saw in the first quarter of 2018 and 2019.”- Satnam Narang, Senior Staff Research Engineer, Tenable