April 2024 Ivanti Patch Tuesday

It is April already! For the fourth Patch Tuesday of 2024 there is more to consider than just what is being released on Patch Tuesday. There are a number of vendors who have released security updates leading up to Patch Tuesday, and more to come in the following weeks.

Recent Security Updates

  • Ivanti released security updates for Ivanti Connect Secure and Policy Secure on April 4. The updates resolve four CVEs. For more information on updates, see the blog update and security advisory.  
  • Apple has released a number of security updates for visionOS, iOS, iPadOS, macOS and Safari between March 21 and 25. For more details see Apple’s Security Releases page
  • Microsoft released an out-of-band fix for customers who were seeing memory leak issues on Domain Controllers after the March OS updates. The fix resolves an issue with Kerberos requests on domain controllers potentially causing LSASS memory leaks resulting in unplanned reboots of DCs. The issue was resolved in KB5037422
  • Google Chrome and Microsoft Edge (Chromium) released on April 4, resolving three and five CVEs, respectively.  
  • Splunk released security updates on March 29 for Splunk Universal Forwarder, resolving two CVEs. 
  • Autodesk released updates for AutoCAD on March 28, resolving up to 44 CVEs depending on the version you are running.  

This is just a few of the security updates released by vendors in the past two weeks. Looking to the next week or two, here are additional updates you can expect. 

Upcoming Security Updates 

  • Oracle Quarterly CPU will be released on April 16. The release of Java will trigger a number of additional updates.  
  • Expect updates from Java frameworks like RedHat OpenJDK, Amazon Corretto, Azul Zulu, Eclipse Adoptium, Adopt OpenJDK and others after the Oracle CPU. 
  • Google Chrome, Microsoft Edge (Chromium), Mozilla Firefox and other browsers can expect to receive security updates weekly in most cases (Chrome and Edge), and two to three times a month in other cases.  

This continuous cadence of updates is driving many organizations to rethink their regular monthly patch management cadence. A continuous patch management strategy is being adopted to attempt to better manage the constant influx of new vulnerabilities into environments. Adopting a three-patch window model to keep up with the continuous introduction of vulnerabilities is a rising trend.  

  • Regular Maintenance: Typically starting on Patch Tuesday and running for 14 days for most organizations but could run as long as three to six weeks depending on the specific challenges of an organization.  
  • Weekly Priority Updates: Google Chrome stated in an update in August 2023 that they would be releasing a security update for Chrome every week. This means Edge as well. Firefox has three updates a month on average, as well. This trend alone has driven many organizations to have a priority update occur for end-user systems on a weekly basis; servers would typically not be included in this window. 
  • Zero Day Response: Not to be confused with Out-of-band, the Zero Day Response window is being implemented by organizations looking to reduce exposure time for known exploited vulnerabilities in 48 hours or less. This has less red tape than the traditional OoB approach: Fewer special approvals are needed, and there is more focus on communications and setting expectations that it can occur as needed/prescribed by stakeholders.  

Microsoft April Patch Tuesday Release 

Microsoft has resolved 150 new CVEs and one updated CVE for the April Patch Tuesday release. The updates impact the Windows OS, Office, Sharepoint, SQL Server, .Net, Visual Studio, Defender, Edge and Azure (multiple components). There is one Zero-day vulnerability in the OS update this month: CVE-2024-26234 resolves a Proxy Driver Spoofing vulnerability. Only three of the new CVEs were rated as Critical, and all three were in Defender for IoT. No new CVEs include disclosed or exploited tags this month. The recently updated CVE (CVE-2023-24932) was the only CVE to include exploited or disclosed tags.  

Microsoft resolved a Proxy Driver Spoofing Vulnerability (CVE-2024-26234) in the Windows OS that has been exploited in the wild. The vulnerability received a last-minute update shortly after its initial publishing on Patch Tuesday. The CVE is only rated as Important and has a CVSS v3.1 of 6.7 so could be easily missed by traditional methods of prioritization.  

Microsoft updated CVE-2023-24932, a vulnerability in Secure Boot that could allow an attacker to bypass security features. The update “added Windows 11 version 23H2 for x64-based systems and Windows 11 version 23H2 for ARM-based systems because the April 2024 security updates provide the latest mitigations.” 

Third-Party Patch Tuesday Releases  

  • Adobe released nine Priority 3 updates affecting Adobe After Effects, Photoshop, Commerce, InDesign, Experience, Media Encoder, Bridge, Illustrator and Animate.  
  • Google Chrome is expected to release security updates later in the day – on or just after Patch Tuesday.  

Patch Tuesday Priority Guidance 

  • The Windows OS update includes a Zero-day that has been publicly disclosed (CVE-2024-26234). This puts the OS update this month to the top of your priority list! 
  • Review your organization’s response to the Secure Boot Security Feature Bypass (CVE-2023-24932) to ensure the newly added OS versions and previous versions are fully mitigated (additional steps outlined in KB5025885).  
  • SQL Server updates this month resolved 38 unique CVEs. SQL updates can lag normal maintenance in some environments. With this many CVEs, it would be best to not delay this update for too long.  
  • There were nine Azure CVEs this month in nine different Azure components. Many of these updates will have steps to follow to apply the prescribed updates. Ensure your DevOps teams have the list of CVEs and are investigating soon, as some of the updates may take some planning.