Microsoft plugs a record-breaking 147 security holes on Patch Tuesday

generic code hacker security blueImage: Markus Spiske/Pexels

On Patch Tuesday on April 9, 2024, Microsoft provided several security updates to fix 147 vulnerabilities. Microsoft classifies three vulnerabilities in Microsoft Defender for IoT as critical and classifies all but two of the other vulnerabilities as high risk. According to Microsoft, none of the vulnerabilities have been exploited for attacks to date. However, this could change at any time. Trend Micro has also spotted ZDI exploit code in the wild.

Microsoft offers sparse details on the vulnerabilities for self-searching in its security update guide. Dustin Childs presents the topic of Update Tuesday much more clearly in the Trend Micro ZDI blog – always with an eye on admins who manage corporate networks. According to Dustin Childs, he doesn’t remember Microsoft ever patching as many security vulnerabilities in one month as it did this April.

The most important security vulnerabilities on Patch Day in April

CVE vulnerable software Severity Impact exploited known in advance

CVE-2024-29988Windows smart screenhighSFByes (?)noCVE-2024-26257OfficehighRCEnonoCVE-2024-28925 and othersWindows, Secure BoothighSFBnonoCVE-2024-26221 and othersWindows, DNShighRCEnono

RCE: Remote Code Execution
SFB: Security Feature Bypass

The large number of vulnerabilities patched in April is due not least to a number of RCE (Remote Code Execution) vulnerabilities in the OLE DB driver for SQL Server (38), DHCP and DNS servers (9) and SFB vulnerabilities in Secure Boot (24). Although the updates for Secure Boot fix the errors, they still need to be activated with additional steps (KB5025885).

Browser updates

The latest security update for Edge is version 123.0.2420.81 from 4 April. It is based on Chromium 123.0.6312.106 and fixes several vulnerabilities in the Chromium base. The Microsoft developers have also fixed two Edge-specific security vulnerabilities.

Office vulnerabilities

Microsoft has closed two gaps in the products of its Office family, both of which are labelled as high risk. These include CVE-2024-26257, an RCE vulnerability in Excel. This affects Microsoft 365 Apps for Business and Office LTSC for Mac 2021 – Office for Mac traditionally receives security updates with some delay. The second vulnerability is a spoofing vulnerability (CVE-2024-26251) in Sharepoint Server. In addition, CVE-2024-20670 is a spoofing vulnerability in Outlook for Windows.

Vulnerabilities in Windows

the best antivirus we’ve tested

Norton 360 Deluxe

Norton 360 DeluxeRead our reviewPrice When Reviewed:$49.99 for the first yearBest Prices Today:$19.99 at PCWorld Software Store | $49.99 at Norton

The majority of the vulnerabilities, 91 this time, are spread across the various Windows versions (10 and newer as well as Server) for which Microsoft still offers security updates for all. Although Windows 7 and 8.1 are no longer mentioned in the security reports, they could still be vulnerable. If the system requirements allow it, you should switch to Windows 10 (22H2) or Windows 11 to continue receiving security updates.

0-day exploit in Windows or not?

In Microsoft’s information on the current Update Tuesday, there is no indication that any of the patched vulnerabilities are already being used in attacks or that exploit code for any of the vulnerabilities is in circulation. However, Dustin Childs notes in the ZDI blog that exploits for a vulnerability discovered by his colleague Peter Girrus have indeed been spotted in the wild.

This concerns the SFB (Security Feature Bypass) vulnerability CVE-2024-29988 in the Smart Screen Filter. It is similar to the vulnerability CVE-2024-21412 from February, which was exploited by the APT group Water Hydra (also known as Dark Casino) to inject malware. Exploitation of such a vulnerability means that Windows Defender does not mark a file downloaded from the Internet with the “Mark-of-the-Web” (MotW) attribute and therefore does not warn against opening the (potentially unsafe) file. This is therefore called a security feature bypass.

Critical IoT vulnerabilities

Microsoft only classifies three RCE vulnerabilities in Microsoft Defender for IoT (Internet of Things or Smart Home) as critical. These are supplemented by three EoP (Elevation of Privilege) vulnerabilities. It remains unclear how likely such an attack is at this point. However, you should take every possible attack on your lines of defense seriously.

Further reading: The best antivirus software we’ve tested

This article was translated from German to English and originally appeared on

Frank Ziemann ist seit 2005 als freier Autor für die PC-WELT tätig, schreibt News und Testberichte. Seine Themenschwerpunkte sind IT-Sicherheit (Malware, Antivirus, Sicherheitslücken) und Internet-Technik.

Recent stories by Frank Ziemann:

Google eliminates 12 security vulnerabilities in ChromeFoxit PDF eliminates 50 security vulnerabilitiesUpdate now! Firefox plugs critical vulnerability that’s already being attacked

Leave a Response