Microsoft Fixes 149 Flaws in Huge April Patch Release, Zero-Days Included
- Last updated: 2024-05-23
Microsoft has released security updates for the month of April 2024 to remediate a record 149 flaws, two of which have come under active exploitation in the wild.
Of the 149 flaws, three are rated Critical, 142 are rated Important, three are rated Moderate, and one is rated Low in severity. These are in addition to 21 vulnerabilities that the company addressed in its Chromium-based Edge browser following the release of the March 2024 Patch Tuesday fixes.
The two shortcomings that have come under active exploitation are listed below:
- CVE-2024-26234 (CVSS score: 6.7) - Proxy Driver Spoofing Vulnerability
- CVE-2024-29988 (CVSS score: 8.8) - SmartScreen Prompt Security Feature Bypass Vulnerability
While Microsoft's own advisory provides no information about CVE-2024-26234, cybersecurity firm Sophos said it discovered in December 2023 a malicious executable ("Catalog.exe" or "Catalog Authentication Client Service") that's signed by a valid Microsoft Windows Hardware Compatibility Publisher (WHCP) certificate.
Authenticode analysis of the binary revealed the original requesting publisher to be Hainan YouHu Technology Co. Ltd, which is also the publisher of another tool called LaiXi Android Screen Mirroring.
The latter is described as "a marketing software ... [that] can connect hundreds of mobile phones and control them in batches, and automate tasks like batch following, liking, and commenting."
Present within the purported authentication service is a component called 3proxy that's designed to monitor and intercept network traffic on an infected system, effectively acting as a backdoor.
"We have no evidence to suggest that the LaiXi developers deliberately embedded the malicious file into their product, or that a threat actor conducted a supply chain attack to insert it into the compilation/building process of the LaiXi application," Sophos researcher Andreas Klopsch said.
The cybersecurity company also said it discovered multiple other variants of the backdoor in the wild going all the way back to January 5, 2023, indicating that the campaign has been underway at least since then. Microsoft has since added the relevant files to its revocation list.
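The Authenticode analysis and the certificate revocation mentioned above are both things a defender can reproduce on a suspect binary. The following PowerShell script is an added example, not code from this article, from Sophos or from Microsoft: it reads the Authenticode signature of a file, records the signer subject and SHA-256 hash, rebuilds the certificate chain with online revocation checking so that a since-revoked WHCP signer is reported, and prints the result. The file path is a placeholder; the `Get-SignerReport` function name and its output fields are this example's own.

```powershell
# Added example (not from the article, Sophos or Microsoft): inspect the
# Authenticode signature of a Windows binary and check its signer chain for
# revocation. The default path below is a placeholder, not an indicator.
param(
    [string]$FilePath = 'C:\path\to\suspect\Catalog.exe'   # placeholder path
)

function Get-SignerReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $report = [ordered]@{
        File          = $Path
        Sha256        = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        SigStatus     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        StatusMessage = $sig.StatusMessage
        Signer        = $null
        Chain         = @()
        ChainValid    = $false
        ChainErrors   = @()
    }
    if ($null -eq $sig.SignerCertificate) { return [pscustomobject]$report }

    $cert = $sig.SignerCertificate
    $report.Signer = $cert.Subject

    # Rebuild the chain with online revocation checking for every element, so a
    # signer that the issuer has since revoked surfaces as a chain error instead
    # of a silently "Valid" signature.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

    $report.ChainValid  = $chain.Build($cert)
    $report.Chain       = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    $report.ChainErrors = @($chain.ChainStatus  | ForEach-Object {
        "$($_.Status): $($_.StatusInformation.Trim())"
    })

    [pscustomobject]$report
}

$r = Get-SignerReport -Path $FilePath
$r | Format-List

# A Valid status with a Microsoft-rooted chain only says the file passed the
# signing program at signing time. Compare Signer and Chain with what you expect
# for that software, compare Sha256 with vendor-published indicators, and treat
# any Revoked chain status as a blocking finding for the host.
if ($r.ChainErrors -match 'Revoked') {
    Write-Warning "Signer chain for $FilePath reports revocation"
}
```

Run it from an elevated PowerShell session on a host with outbound access to the issuer's CRL/OCSP endpoints; without that access the chain build reports `RevocationStatusUnknown` rather than `Revoked`, which is itself worth recording in the triage notes.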