Microsoft Releases Record-breaking Patch Tuesday Update with 147 Security Fixes

ICARO Media Group
News
09/04/2024 22h48

In a remarkable feat, Microsoft has released a mammoth patch update, addressing a record-breaking total of 147 security vulnerabilities in its software, including Windows, Office, Azure, .NET Framework, and more. The April Patch Tuesday release marks the largest update from Microsoft this year and the largest since at least 2017.

Notably, this month's release does not include any known zero-day vulnerabilities that pose an immediate threat to Windows users. However, the sheer volume of fixes underscores the significance of the update. Among the vulnerabilities, only three are classified as "critical," indicating that they can be exploited by malware or malicious actors to gain remote control over unpatched systems without requiring user interaction.

While the number of fixes is staggering, many of the bugs are categorized as having a middling severity. These issues, marked as "important," often involve social engineering tactics and have the potential to bypass system security, compromise data, and even steal critical assets.

Dustin Childs from Trend Micro's Zero Day Initiative (ZDI) emphasized the significance of the release, calling it the largest Patch Tuesday from Microsoft since at least 2017. Childs also noted one particular vulnerability, CVE-2024-29988, which allows attackers to bypass Windows SmartScreen, a security feature designed to protect users from phishing and malware attacks. Microsoft has not yet classified this vulnerability as actively exploited, but ZDI researchers have observed it being used in the wild, so caution is warranted until Microsoft provides further clarification.

Additionally, Ben McCarthy, a lead cybersecurity engineer at Immersive Labs, drew attention to two other notable bugs. CVE-2024-20670, an Outlook for Windows spoofing vulnerability, can be easily exploited by convincing users to click on a malicious link in an email, thereby compromising their password hash and allowing authentication to another Microsoft service. Another vulnerability, CVE-2024-29063, involves hard-coded credentials in Azure's search backend infrastructure, potentially exploitable through manipulation of Azure AI Search.

It is worth mentioning that this month's update also includes fixes for two dozen vulnerabilities in Windows Secure Boot, with Microsoft considering the majority of them as having a lower likelihood of exploitation. However, history has shown that flaws in Secure Boot can lead to significant consequences, as was the case in May 2023 when an exploited vulnerability was linked to the BlackLotus UEFI bootkit, sold on dark web forums for $5,000. While no such exploits have been observed in the wild for the Secure Boot vulnerabilities addressed in this latest release, they serve as a reminder of the persisting risks associated with Secure Boot.

Microsoft advises users to apply these patches promptly to ensure their systems are protected. For further information and severity-indexed advisories, see ZDI's blog and the SANS Internet Storm Center's Patch Tuesday post.

In a separate development, Adobe has also released nine patches, addressing multiple vulnerabilities in software such as Adobe After Effects, Photoshop, InDesign, and others. Notably, Adobe has clarified that its apps will not automatically scan documents using artificial intelligence, contrary to earlier suggestions. Users must actively engage with the AI features, accepting terms, opening specific documents, and selecting AI Assistant or generative summary buttons for analysis to occur.

As always, it is recommended to back up data before applying any updates and report any issues experienced during the patching process.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
