The Latest Updates on “Recall” from Patch Tuesday, June 2024 – Krebs on Security

Microsoft has rolled out patches today to address over 50 security vulnerabilities in Windows and associated software, presenting a relatively moderate Patch Tuesday for Windows users this month. The tech giant has also taken heed of the negative feedback regarding a new feature in Redmond’s core operating system, which continually captures snapshots of users’ activities on their PCs, announcing that it will no longer be activated by default.

Last month, Microsoft introduced Copilot+ PCs, an AI-enhanced version of Windows. Among its features is one nobody asked for, named Recall, which takes continuous screenshots of the user's activity on the PC. Security researchers roundly criticized Recall as a sophisticated keylogger, pointing out that it would hand attackers a trove of sensitive data if the user's PC were ever compromised by malware.

Microsoft asserted that Recall snapshots stay on the user's system and would be inaccessible to attackers even if a Copilot+ PC were breached, but former Microsoft threat analyst Kevin Beaumont showed on his blog how any user on the system, even a non-administrative one, could export the Recall data, which is stored locally in a SQLite database.

Beaumont called it “the most reckless cybersecurity decision in a decade” on Mastodon.

On a recent Risky Business podcast, host Patrick Gray pointed out that the screenshots generated and cataloged by Recall could prove invaluable to attackers suddenly finding themselves in an unfamiliar system.

“When you infiltrate a device with ill intentions, understanding the user’s workflow becomes pivotal,” Gray analyzed. “A prime example is the SWIFT attacks on central banks years ago. Attackers had to capture screen recordings to grasp the intricacies of fund transfers. This feature could expedite such reconnaissance efforts.”

Addressing the intense backlash against Recall, Microsoft announced last week that on Copilot+ PCs, Recall will no longer activate by default.

Among the patches released today, only one — CVE-2024-30080 — earned Microsoft's top “critical” rating, meaning attackers could exploit the flaw remotely to take control of a user's system without any interaction from the user.

CVE-2024-30080 is a remote code execution vulnerability in the Microsoft Message Queuing (MSMQ) service. Microsoft warns that exploitation is highly likely and urges users who cannot update immediately to disable the vulnerable component. The flaw carries a CVSS severity score of 9.8 (10 being the most severe).

Kevin Breen, senior director of threat research at Immersive Labs, pointed out that the silver lining lies in MSMQ not being a default Windows service.

“A Shodan search for MSMQ illustrates that several thousand potentially internet-exposed MSMQ servers could be susceptible to zero-day breaches if not rapidly patched,” Breen emphasized.
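For administrators who cannot apply the update right away, the mitigation described above is to turn MSMQ off where it is not needed. The following PowerShell script is an added example, not code from the Krebs article or from Microsoft: it inventories whether the MSMQ feature, service and listener are present on a host and, when run with the script's own `-Disable` switch (an assumed parameter, not a Microsoft flag), removes the optional feature. It assumes an elevated session on a Windows client or server with the standard DISM feature name `MSMQ-Server`; the MSMQ port (TCP 1801) and the June 2024 Patch Tuesday date (2024-06-11) are general knowledge, not values taken from the article.

```powershell
# Added example (not from the article): check a Windows host for MSMQ exposure
# related to CVE-2024-30080 and optionally disable the feature if it cannot be patched yet.
# Assumptions: elevated PowerShell; DISM feature name 'MSMQ-Server'; service name 'MSMQ'.
param(
    [switch]$Disable   # assumed switch for this script, not a Microsoft parameter
)

$report = [ordered]@{}

# 1. Is the MSMQ optional feature installed? (DISM feature names; works on client and server SKUs.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server' -ErrorAction SilentlyContinue
$report['MSMQ-Server feature'] = if ($feature) { "$($feature.State)" } else { 'not present' }

# 2. Is the Message Queuing service registered, and is it running?
$svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
$report['MSMQ service'] = if ($svc) { "$($svc.Status) (StartType: $($svc.StartType))" } else { 'not registered' }

# 3. Is anything listening on the MSMQ port? MSMQ listens on TCP 1801 (general knowledge, not from the article).
$listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
$report['TCP 1801 listener'] = if ($listener) { 'LISTENING' } else { 'none' }

# 4. Rough patch check: any update installed on or after the June 2024 Patch Tuesday (2024-06-11).
$patched = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2024-06-11' }
$report['Updates installed since 2024-06-11'] = ($patched | Measure-Object).Count

[pscustomobject]$report | Format-List

# Mitigation: only act when the feature is actually enabled and the operator asked for it.
if ($Disable -and $feature -and "$($feature.State)" -eq 'Enabled') {
    Write-Host 'Disabling MSMQ-Server (the stated mitigation when patching is not immediately possible)...'
    Stop-Service -Name 'MSMQ' -Force -ErrorAction SilentlyContinue
    Disable-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server' -NoRestart | Out-Null
}
```

Run it without `-Disable` first to see the inventory; a host that reports the feature as `Enabled`, the service `Running` and a `LISTENING` entry on TCP 1801 is the one to prioritise for patching. Disabling MSMQ is only appropriate on hosts where no application depends on it, since line-of-business software that uses message queuing will stop working until the feature is re-enabled after the update is applied.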

CVE-2024-30078 is a remote code execution flaw in the Windows WiFi Driver, also carrying a CVSS score of 9.8. According to Microsoft, an unauthenticated attacker could exploit the bug by sending a malicious packet to any other device on the same network, which means the attacker must already be on the local network.

Microsoft also fixed several critical security issues in its suite of Office applications, including at least two remote code execution vulnerabilities, as highlighted by Adam Barnett, lead software engineer at Rapid7.

“CVE-2024-30101 manifests as a vulnerability in Outlook; while the Preview Pane serves as an entry point, the user must subsequently execute specified actions to trigger the vulnerability, contingent on a race condition,” Barnett explained. “Though CVE-2024-30104 does not rely on the Preview Pane, its slightly elevated CVSS base score of 7.8 results from an attacker requiring the user to open a malevolent file.”

On a separate note, Adobe issued security updates for Acrobat, ColdFusion, and Photoshop, amongst others.

As usual, the SANS Internet Storm Center provides a detailed breakdown of the individual patches released today, indexed by severity, exploitability, and urgency. Windows administrators should also keep an eye on AskWoody.com, which often has early warnings about any problematic Windows patches.
