Microsoft Fixes Two Zero-Days in February Patch Tuesday

Microsoft has landed system administrators with a busy February after releasing updates for 73 vulnerabilities, including two zero-day flaws currently under active exploitation.

February’s Patch Tuesday update round yesterday saw fixes for five critical vulnerabilities and 30 remote code execution (RCE) flaws. However, both zero-days were security feature bypass bugs.

The first, CVE-2024-21412, is related to Internet Shortcut Files. Despite a CVSS score of 8.1, it is rated only “important” because successful exploitation requires user interaction, according to Mike Walters, president of Action1.

“In the exploitation scenario, an attacker must send a specifically crafted file to a target user and persuade them to open it, since the attacker cannot compel the user to engage with the malicious content directly,” he explained.

“Despite the vulnerability not being publicly disclosed, it has been found to be exploitable. It is crucial for organizations to implement the official patches and updates released by Microsoft to address this vulnerability effectively.”

The second zero-day (CVE-2024-21351) involves bypassing the SmartScreen security feature in Microsoft Defender. It is rated as having a moderate impact, with a CVSS score of 7.6. Although it’s being exploited in the wild, there’s currently no proof-of-concept available, according to Walters.

“For this vulnerability, an attacker must distribute a malicious file to a user and persuade them to open it, allowing them to circumvent the SmartScreen checks and potentially compromise the system’s security,” he added.

Time to Patch Two Critical RCE Bugs

Also on the radar this month should be two critical vulnerabilities with CVSS scores of 9.8.

CVE-2024-21410 is an elevation of privilege bug enabling threat actors to carry out operations on Microsoft Exchange Server as if they were the victim.

“This flaw allows a remote, unauthenticated attacker to relay NTLM (Windows NT LAN Manager) credentials and impersonate other users on the Exchange server,” explained Saeed Abbasi, product manager at Qualys.

“The exploitation process involves targeting an NTLM client, such as Outlook, to leak NTLM credentials through a vulnerability. These credentials can then be relayed back to the Exchange server, granting the attacker the same privileges as the victim.”

Meanwhile, CVE-2024-21413 is a critical RCE vulnerability in Office that allows an attacker to cause a file to open in editing mode as though the user had agreed to trust the file. No user interaction is required for exploitation, which occurs via the Outlook Preview Pane.

“Administrators responsible for Office 2016 installations who apply patches outside of Microsoft Update should note that the advisory lists no fewer than five separate patches which must be installed to achieve remediation of CVE-2024-21413,” warned Adam Barnett, lead software engineer at Rapid7.

“Individual update KB articles further note that partially patched Office installations will be blocked from starting until the correct combination of patches has been installed.”
