Microsoft fixes two zero days in February Patch Tuesday

esteria.white

Microsoft gave system administrators a busy February after releasing updates for 73 vulnerabilities, including two zero-day flaws currently being actively exploited.

Yesterday’s February Patch Tuesday update delivered fixes for five critical vulnerabilities and 30 remote code execution (RCE) flaws. Both zero-days, however, were security feature bypass bugs.

The first one, CVE-2024-21412, is related to Internet shortcut files. With a CVSS score of 8.1, it is only considered “important” because it requires user interaction to succeed, according to Mike Walters, president of Action1.

“In the exploit scenario, an attacker must send a specially crafted file to a target user and persuade them to open it, because the attacker cannot force the user to directly interact with the malicious content,” he explained.

“Although the vulnerability was not publicly disclosed, it was found to be exploitable. It is crucial that organizations implement official patches and updates released by Microsoft to effectively address this vulnerability.”


The second zero-day (CVE-2024-21351) involves bypassing the SmartScreen security feature in Microsoft Defender. It is rated as having moderate impact, with a CVSS score of 7.6. Although it is being exploited in the wild, no proof of concept is currently available, according to Walters.

“For this vulnerability, an attacker must distribute a malicious file to a user and persuade them to open it, allowing them to bypass SmartScreen controls and potentially compromise system security,” he added.

It’s time to fix two critical RCE bugs

This month, two critical vulnerabilities are also expected to be on the radar with CVSS scores of 9.8.

CVE-2024-21410 is an elevation of privilege bug that allows malicious actors to perform operations on Microsoft Exchange Server as if they were the victim.

“This flaw allows an unauthenticated, remote attacker to relay Windows NT LAN Manager (NTLM) credentials and impersonate other users on the Exchange server,” explained Qualys product manager Saeed Abbasi.

“The exploitation process involves targeting an NTLM client, such as Outlook, to leak NTLM credentials via a vulnerability. These credentials can then be relayed to the Exchange server, granting the attacker the same privileges as the victim.”

Meanwhile, CVE-2024-21413 is a critical RCE vulnerability in Office that allows an attacker to cause a file to be opened in edit mode as if the user had agreed to trust the file. No user interaction is required for exploitation, which can occur through the Outlook preview pane.

“Administrators responsible for Office 2016 installations that apply patches outside of Microsoft Update should note that the advisory lists as many as five separate patches that must be installed to fix CVE-2024-21413,” warned Adam Barnett, senior software engineer at Rapid7.

“The individual knowledge base articles additionally note that partially patched Office installations will not be able to start until the correct combination of patches has been installed.”
