Security Update Review for Microsoft and Adobe's April 2024 Patch Tuesday, examining essential fixes for vulnerabilities in their systems and applications.

Examine the April 2024 security updates from Microsoft and Adobe, emphasizing the protective measures and rectifications of flaws to ensure the continued safety of your systems.

Software Security Enhancements: Review of Microsoft and Adobe's April 2024 Patch Tuesday Updates

In the latest Patch Tuesday, Microsoft and Adobe have addressed a multitude of vulnerabilities across their respective product lines. Here's a roundup of the key findings.

Microsoft Addresses Multiple Vulnerabilities

Microsoft addressed 155 vulnerabilities in its April 2024 Patch Tuesday release, including 3 rated Critical and 145 rated Important. Notable among these are the Remote Code Execution (RCE) vulnerabilities in Microsoft Defender for IoT (CVE-2024-21322, CVE-2024-21323) and the Microsoft Message Queuing (MSMQ) RCE vulnerability (CVE-2024-26232), with CVSS scores of 7.3 (High) and 6.4 (Medium).

Exploiting CVE-2024-21322 requires the attacker to be an administrator of the web application, while CVE-2024-21323 requires an authenticated attacker with access to the file upload feature. Successful exploitation of these vulnerabilities may lead to remote code execution on target systems.

Microsoft Defender for IoT Vulnerabilities

Two path traversal vulnerabilities (CVE-2024-21323, CVE-2024-29053) have been identified in Microsoft Defender for IoT. CVE-2024-29053 requires an authenticated attacker with access to the file upload feature to upload malicious files to sensitive locations on the server.
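The containment check that blocks this class of upload path traversal, shown beside the unchecked join it replaces. This is an added example, not code from Microsoft or from the original article, and it does not reflect how Defender for IoT is implemented; the function names, sample file names and temporary upload root are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample upload names (not taken from any advisory).
SAMPLE_NAMES = [
    "report.pdf",
    "sub/ok.txt",
    "../../etc/cron.d/job",
    "/etc/passwd",
    "..\\..\\config\\app.ini",
]


def naive_destination(root: Path, filename: str) -> Path:
    """Vulnerable pattern: joins the client-supplied name without a check."""
    return Path(os.path.normpath(root / filename))


def safe_destination(root: Path, filename: str) -> Path:
    """Return a path strictly inside root, or raise ValueError."""
    if not filename or "\x00" in filename:
        raise ValueError("empty or NUL-containing file name")
    # Treat backslashes as separators so Windows-style names are caught on POSIX.
    name = filename.replace("\\", "/")
    real_root = root.resolve()
    # resolve() collapses ".." and follows symlinks; an absolute name replaces
    # the root entirely when joined, which the parent check below also catches.
    candidate = (real_root / name).resolve()
    if real_root not in candidate.parents:
        raise ValueError(f"upload name escapes upload root: {filename!r}")
    return candidate


def audit(root: Path, names):
    """Map each name to its resolved destination, or None when rejected."""
    results = {}
    for name in names:
        try:
            results[name] = safe_destination(root, name)
        except ValueError:
            results[name] = None
    return results


if __name__ == "__main__":
    upload_root = Path(tempfile.mkdtemp())  # hypothetical upload directory
    for name, dest in audit(upload_root, SAMPLE_NAMES).items():
        print(f"{name!r:32} -> {dest or 'REJECTED'}")
```

Because the check runs on the resolved path, a symlink inside the upload directory that points elsewhere is rejected as well as `..` sequences and absolute names.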

Other Affected Microsoft Products

The April 2024 Microsoft vulnerabilities affect a wide range of product families and products/versions, including Windows BitLocker, Windows Secure Boot, Microsoft Office Outlook, Windows Remote Procedure Call, Azure Private 5G Core, Windows Kernel, Windows Authentication Methods, Microsoft Install Service, Windows DWM Core Library, Windows Routing and Remote Access Service (RRAS), Windows Kerberos, Azure Migrate, Windows Remote Access Connection Manager, Windows Message Queuing, Windows Local Security Authority Subsystem Service (LSASS), Microsoft WDAC OLE DB provider for SQL, Microsoft Brokering File System, Microsoft WDAC ODBC Driver, Windows HTTP.sys, Windows Mobile Hotspot, Windows Distributed File System (DFS), Windows Cryptographic Services, Windows Update Stack, Windows Defender Credential Guard, Windows Win32K - ICOMP, Windows Telephony Server, Windows USB Print Driver, Microsoft Office SharePoint, Windows Internet Connection Sharing (ICS), Windows Virtual Machine Bus, Windows Compressed Folder, Microsoft Office Excel, Azure Arc, Microsoft Edge (Chromium-based), Windows, Azure AI Search, Internet Shortcut Files, Azure Monitor, Microsoft Azure Kubernetes Service, Azure SDK, Azure, and Intel.

Qualys Support

Qualys Research team hosts a monthly webinar series to help customers leverage Qualys Vulnerability Management Detection Response (VMDR) and Patch Management. The series discusses high-impact vulnerabilities, including those from this month's Patch Tuesday alert, and walks through the necessary steps to address key vulnerabilities using Qualys VMDR and Patch Management.

You can see all your hosts impacted by these vulnerabilities using the following QQL query in Qualys VMDR:

The following Policy Compliance Control IDs have been updated for CVE-2024-26232: 14297, 14916, and 4030. Qualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledgebase (KB).

Adobe Addresses Multiple Vulnerabilities

Adobe has released nine security advisories to address 24 vulnerabilities in Adobe After Effects, Adobe Photoshop, Adobe Commerce, Adobe InDesign, Adobe Experience Manager, Adobe Media Encoder, Adobe Bridge, Adobe Illustrator, and Adobe Animate. Five of these vulnerabilities are given critical severity ratings.

The next Patch Tuesday falls on May 14, and the Qualys Research team will return with details and patch analysis. Previous Patch Tuesday reviews are available for March and January 2024. Subscribe to the 'This Month in Vulnerabilities and Patches' webinar to stay informed about future Patch Tuesdays.

No zero-day vulnerabilities known to be exploited in the wild were addressed in the April 2024 edition.

Three vulnerabilities in Microsoft Edge (Chromium-based) were patched earlier this month.
