Microsoft's Patch Tuesday fixes two actively exploited vulnerabilities
73 bugs fixed in February update
Microsoft's February 2024 Patch Tuesday update includes fixes for 73 vulnerabilities, including two that are actively exploited in the wild and several critical flaws.
The two critical vulnerabilities that are being actively exploited are a Windows SmartScreen security feature bypass bug (CVE-2024-21351, CVSS score 7.6) and an Internet Shortcut files security feature bypass flaw (CVE-2024-21412, CVSS score 6.8).
"CVE-2024-21351 allows attackers to bypass Windows SmartScreen security, undermining a crucial defence against malware and phishing," said Saeed Abbasi, product manager at security firm Qualys. "CVE-2024-21412 represents a sophisticated zero-day flaw in SmartScreen that is already being exploited."
Adam Barnett, lead software engineer at vendor Rapid7, emphasised the risk: "Both CVE-2024-21351 and CVE-2024-21412 are already included on the CISA Known Exploited Vulnerability list. Microsoft has seen evidence of exploitation in the wild for both."
Patching these two vulnerabilities that allow bypassing SmartScreen warnings should be a priority to prevent further exploitation.
Security teams should also prioritise patching CVE-2024-21413, a critical (CVSS score 9.8) remote code execution vulnerability in Microsoft Outlook that allows bypassing Protected View and opening files in editing mode without user interaction.
"The Outlook Preview Pane is an attack vector, and no user interaction is required," commented Barnett.
IT teams must ensure comprehensive patching across all Microsoft Office components to fully remediate CVE-2024-21413, he went on.
"Administrators responsible for Office 2016 installations who apply patches outside of Microsoft Update should note that the advisory lists no fewer than five separate patches which must be installed to achieve remediation of CVE-2024-21413"
Rob Reeves, principal cyber security engineer at vendor Immersive Labs added: "CVE-2024-21413 could be chained together with another vulnerability being patched this month affecting Microsoft Word (CVE-2024-21379) which also allows for code execution, possibly without the use of Macro's, meaning that once the document is open without the use of protected mode, no further clicks or actions are required from the target user."
Also patched this month is CVE-2024-21410 (CVSS 9.8), a critical elevation of privilege vulnerability in Microsoft Exchange Server.
"This flaw allows a remote, unauthenticated attacker to relay Windows NT Lan Manager credentials and impersonate other users on the Exchange Server," said Abassi. This could enable more convincing email compromise attacks.
Microsoft also patched several privilege escalation flaws in the Windows kernel which scored low on CVSS but should not be overlooked. "These vulnerabilities are highly sought after by threat actors," Kev Breen, senior director at Immersive Labs, advised.
Microsoft has an update KB5034765/KB5034763 for Windows 10 and 11 to patch several issues, including many in the Patch Tuesday update, as well as fixing some problems with the start Menu. The update is mandatory for Windows 11.