Microsoft's February 2024 Patch Tuesday: Tackling 2 Zero-Day Vulnerabilities and 73 Flaws
Administrators should prioritize the patch for a critical Microsoft Outlook vulnerability. The cumulative update for Exchange Server 2019, by contrast, calls for a careful rollout rather than a rushed one: it enables Extended Protection automatically, and installing it without checking the prerequisites can break client connectivity instead of improving security.
Administrators overseeing Windows systems should prioritize the fixes released in February's Patch Tuesday. Microsoft addressed two zero-day vulnerabilities affecting both server and desktop machines, which makes applying these updates urgent. This month's batch fixes 73 new vulnerabilities, five of them rated critical, and also updates seven older bugs. Alongside the zero-days, admins should expedite the patches for a critical flaw in Exchange Server and a critical Microsoft Outlook bug, and should apply the mitigations for an older Windows AppX installer spoofing vulnerability.
Two Windows zero-days top the patching priority list:
Windows Cumulative Update to Address Active Exploits and Critical Vulnerabilities
This month's Windows cumulative update addresses most of February's vulnerabilities, including the two actively exploited flaws.
The first zero-day, CVE-2024-21412, is an Internet Shortcut Files security feature bypass vulnerability rated important, with a CVSS score of 8.1. It affects both Windows desktop and server systems. An unauthenticated attacker sends the target a specially crafted Internet Shortcut (.url) file; when the user opens it, the file bypasses the security checks Windows would normally display for untrusted content. The attacker has no way to force the user to open the file, so exploitation depends on persuading the user to click it.
The second zero-day, CVE-2024-21351, is a Windows SmartScreen security feature bypass vulnerability rated moderate, with a CVSS score of 7.6. It also affects both Windows server and desktop systems. To exploit it, an attacker must persuade a user to open a malicious file; a successful attack bypasses the Mark of the Web zone identifier check and so evades the Microsoft Defender SmartScreen protections that depend on it.
Chris Goettl, vice president of product management for security products at Ivanti, emphasizes the critical nature of these vulnerabilities, particularly CVE-2024-21351, which was actively exploited prior to the release of Patch Tuesday security updates. Goettl notes that the static severity assessments fail to account for the real-world impact of reported attacks on Microsoft systems.
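Both zero-days are triggered by a file the user is persuaded to open, and the check SmartScreen applies depends on the file's Mark of the Web. The PowerShell script below is an added example, not code from the article or from Microsoft: it lists Internet Shortcut (.url) files under a folder, parses each file's URL target, and reports whether the file still carries a Zone.Identifier stream. The folder path, the sample files it writes to a temp directory, and the heuristic that flags shortcuts with no Mark of the Web or with a file:/UNC target are assumptions for the demo.

```powershell
# Added example (not from the article or Microsoft). Triage .url files: report the target
# URL and the Mark of the Web state. Requires Windows PowerShell on an NTFS volume.

function Get-MotwZoneId {
    param([Parameter(Mandatory)][string]$Path)
    # Mark of the Web lives in the Zone.Identifier alternate data stream:
    #   [ZoneTransfer]
    #   ZoneId=3        (3 = Internet, 4 = Restricted sites)
    # No stream means SmartScreen has nothing to evaluate for this file.
    try {
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($line in $lines) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Get-UrlShortcutTarget {
    param([Parameter(Mandatory)][string]$Path)
    # .url files are INI text; the target is the URL= key under [InternetShortcut].
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $Path -ErrorAction SilentlyContinue) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -ieq 'InternetShortcut'); continue }
        if ($inSection -and $line -match '^\s*URL\s*=\s*(.+?)\s*$') { return $Matches[1] }
    }
    return $null
}

function Get-UrlShortcutReport {
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -LiteralPath $Folder -Filter '*.url' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $target = Get-UrlShortcutTarget -Path $_.FullName
            $zone   = Get-MotwZoneId -Path $_.FullName
            # Heuristic (an assumption of this demo, not a rule from the advisory): a shortcut
            # that arrived without MotW, or that points at a file:/UNC location rather than
            # http(s), deserves a closer look.
            $remoteFile = ($null -ne $target) -and ($target -match '^(file:|\\\\)')
            [pscustomobject]@{
                File       = $_.FullName
                Target     = $target
                ZoneId     = $zone
                Suspicious = ($null -eq $zone) -or $remoteFile
            }
        }
}

# --- Constructed sample data so the script runs stand-alone ---
$demo = Join-Path $env:TEMP ('url-triage-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -Path (Join-Path $demo 'invoice.url') -Value "[InternetShortcut]`r`nURL=https://example.com/invoice"
Set-Content -Path (Join-Path $demo 'invoice.url') -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Set-Content -Path (Join-Path $demo 'report.url')  -Value "[InternetShortcut]`r`nURL=file://fileserver.example/share/report"
# report.url deliberately gets no Zone.Identifier stream

Get-UrlShortcutReport -Folder $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

Point `Get-UrlShortcutReport` at a user's Downloads or mail attachment cache to triage shortcut files that arrived by mail; a .url file with no Zone.Identifier stream is one that SmartScreen was never given the chance to inspect.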
Critical Exchange Server Vulnerability Addressed by Microsoft Patch Release
Exchange Server, the cornerstone of on-premises email and calendar systems, finds itself in the spotlight once again due to a critical elevation-of-privilege vulnerability (CVE-2024-21410) affecting Exchange 2016 and Exchange 2019 systems.
This CVE ties for the highest CVSS score of February's Patch Tuesday at 9.8. According to Microsoft's advisory, the flaw is an NTLM relay weakness: an attacker who obtains a user's leaked Net-NTLMv2 hash can relay it against a vulnerable Exchange Server and authenticate as that user.
According to insights from Goettl, implementing NTLM credential relay protections can mitigate a substantial portion of the risk associated with this vulnerability. However, Microsoft stresses that while this measure reduces risk, it does not guarantee immunity from exploitation.
Microsoft has released a cumulative update, CU14, for Exchange 2019 that addresses the issue. Exchange 2016 does not get a new CU; instead, the Exchange Team blog directs administrators to mitigate the vulnerability by enabling Extended Protection on their existing Exchange 2016 servers.
Installing CU14 for Exchange Server 2019 enables Extended Protection automatically. Microsoft warns administrators to confirm the environment is ready for it first: Extended Protection requires the same TLS configuration on every Exchange server and does not support SSL offloading, so a TLS mismatch between servers or an offloading load balancer can break client connectivity after the CU is installed.
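Two of the prerequisites are easy to check before the CU goes on: whether every server's TLS configuration is identical, and what the Extended Protection setting on the Exchange virtual directories currently is. The script below is an added example, not the Exchange Team's tooling or code from the article. It snapshots the Schannel and .NET TLS registry values into a fingerprint that can be compared across servers, and reads the IIS `tokenChecking` and `sslFlags` attributes for a subset of the Exchange virtual directories; that directory list is an assumption for the demo. Microsoft's `ExchangeExtendedProtectionManagement.ps1` remains the authoritative tool for enabling and validating the feature.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article or the Exchange Team. Snapshots the settings
# Extended Protection depends on so they can be compared across servers before a CU that
# enables it is installed. The virtual directory list is a subset chosen for the demo.
Import-Module WebAdministration

function Get-TlsRegistrySnapshot {
    # Schannel protocol switches plus the .NET strong-crypto values; Extended Protection
    # needs these to be identical on every Exchange server.
    $rows = @()
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        foreach ($side in 'Server', 'Client') {
            $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\$side"
            $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $rows += [pscustomobject]@{
                Setting           = "$proto/$side"
                Enabled           = if ($null -eq $p -or $null -eq $p.Enabled) { 'unset' } else { $p.Enabled }
                DisabledByDefault = if ($null -eq $p -or $null -eq $p.DisabledByDefault) { 'unset' } else { $p.DisabledByDefault }
            }
        }
    }
    $netKeys = @{
        x64 = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
        x86 = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    }
    foreach ($arch in $netKeys.GetEnumerator()) {
        $p = Get-ItemProperty -Path $arch.Value -ErrorAction SilentlyContinue
        foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
            $rows += [pscustomobject]@{
                Setting           = ".NET $($arch.Key)/$name"
                Enabled           = if ($null -eq $p -or $null -eq $p.$name) { 'unset' } else { $p.$name }
                DisabledByDefault = '-'
            }
        }
    }
    return $rows
}

function Get-TlsFingerprint {
    # One short hash per server: if the fingerprints differ, so do the TLS settings.
    param([object[]]$Snapshot)
    $text = ($Snapshot | Sort-Object Setting | ForEach-Object {
        "$($_.Setting)=$($_.Enabled)/$($_.DisabledByDefault)" }) -join ';'
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($text))
    return ([System.BitConverter]::ToString($hash) -replace '-').Substring(0, 16)
}

function Get-IisAttributeValue {
    param([string]$PSPath, [string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name -ErrorAction SilentlyContinue
    # Enum/flags attributes come back wrapped in a configuration object; unwrap to the value.
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { return $v.Value }
    return $v
}

function Get-ExtendedProtectionState {
    # Subset of the Exchange virtual directories (assumption for the demo).
    $vdirs = 'Default Web Site/Autodiscover', 'Default Web Site/EWS', 'Default Web Site/mapi',
             'Default Web Site/OAB', 'Default Web Site/owa', 'Default Web Site/Rpc',
             'Exchange Back End/EWS', 'Exchange Back End/mapi/emsmdb', 'Exchange Back End/Rpc'
    foreach ($v in $vdirs) {
        $psPath = "IIS:\Sites\$($v -replace '/', '\')"
        [pscustomobject]@{
            VirtualDirectory = $v
            # None = Extended Protection off; Allow/Require = on. Compare against the
            # per-directory values in Microsoft's Extended Protection documentation.
            TokenChecking    = Get-IisAttributeValue $psPath 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' 'tokenChecking'
            # A front-end path whose sslFlags lack 'Ssl' suggests TLS is terminated in front
            # of Exchange (SSL offloading), which Extended Protection does not support.
            SslFlags         = Get-IisAttributeValue $psPath 'system.webServer/security/access' 'sslFlags'
        }
    }
}

$tls = Get-TlsRegistrySnapshot
"TLS fingerprint for $env:COMPUTERNAME : $(Get-TlsFingerprint $tls)  (must match on every Exchange server)"
$tls | Format-Table -AutoSize
Get-ExtendedProtectionState | Format-Table -AutoSize
```

Run it on each Exchange server and compare the fingerprint lines; any server whose fingerprint differs needs its TLS settings aligned before CU14 turns Extended Protection on, because a client that negotiates one TLS configuration on a front-end server and another on a back-end server will fail the channel-binding check.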
Older Windows vulnerability continues to resurface:
An older Windows vulnerability resurfaced in February's Patch Tuesday: Microsoft again updated its guidance for the Windows AppX installer spoofing vulnerability CVE-2021-43890, first disclosed in December 2021. Rated important, the flaw lets an attacker embed a malicious package in an attachment, persuade the user to open it, and thereby bypass security checks and execute code on the system.
According to insights from Goettl, exploiting such vulnerabilities often relies more on social engineering tactics than technical prowess, leveraging statistics rather than inherent challenges. With the increasing sophistication of threat actors, aided by generative AI, such exploits are becoming more accessible over time.
Unlike components serviced by the cumulative update, App Installer is updated separately, through the Microsoft Store, so a system that is current on Windows updates can still be running a vulnerable App Installer. Microsoft has issued three informational updates for this CVE since December 7, 2023, each adding guidance for protecting Windows systems. Admins are advised to install the latest App Installer version, which disables the ms-appinstaller URI scheme handler by default, or, for organizations that cannot move to the latest version, to disable the ms-appinstaller protocol by policy.
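Because App Installer is serviced outside the cumulative update, a patch-compliance report will not show whether a machine is covered. The script below is an added example, not code from the article or from Microsoft: it compares the installed App Installer version against the build that Microsoft's CVE-2021-43890 guidance names as the first to ship with the ms-appinstaller handler disabled by default (1.21.3421.0), checks the `EnableMSAppInstallerProtocol` policy value that the "Enable App Installer ms-appinstaller protocol" Group Policy writes, and optionally sets that value to 0. The version threshold is a parameter to adjust if Microsoft revises its guidance; it must be run elevated for `-AllUsers` to work.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Microsoft). Reports whether ms-appinstaller is
# still reachable on this machine and, with -DisableProtocol, blocks it by policy.
[CmdletBinding()]
param([switch]$DisableProtocol)

# First App Installer build that ships with the handler off by default, per Microsoft's
# CVE-2021-43890 guidance; adjust if the guidance changes.
$MinimumAppInstaller = [version]'1.21.3421.0'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyName = 'EnableMSAppInstallerProtocol'   # 0 = protocol disabled, 1 = enabled

function Get-AppInstallerStatus {
    $pkgs = Get-AppxPackage -Name Microsoft.DesktopAppInstaller -AllUsers -ErrorAction SilentlyContinue
    if (-not $pkgs) { return [pscustomobject]@{ Installed = $null; Current = $false } }
    # Different users can have different versions staged; judge by the lowest one present.
    $lowest = $pkgs | ForEach-Object { [version]$_.Version } | Sort-Object | Select-Object -First 1
    [pscustomobject]@{ Installed = $lowest; Current = ($lowest -ge $MinimumAppInstaller) }
}

function Get-ProtocolPolicy {
    $v = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    [pscustomobject]@{
        PolicyValue             = if ($null -eq $v) { 'not set' } else { $v }
        ProtocolBlockedByPolicy = ($v -eq 0)
    }
}

function Disable-ProtocolByPolicy {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 0 -PropertyType DWord -Force | Out-Null
}

$app = Get-AppInstallerStatus
$pol = Get-ProtocolPolicy

"App Installer version : $(if ($app.Installed) { $app.Installed } else { 'not installed' })"
"Handler off by default: $($app.Current)"
"Policy $PolicyName : $($pol.PolicyValue)"

if ($app.Current -or $pol.ProtocolBlockedByPolicy) {
    'ms-appinstaller is not reachable on this machine.'
} else {
    Write-Warning "ms-appinstaller is reachable: App Installer is below $MinimumAppInstaller and no policy blocks the protocol."
    if ($DisableProtocol) {
        Disable-ProtocolByPolicy
        "Set $PolicyKey\$PolicyName = 0; the protocol is now blocked by policy."
    } else {
        'Re-run with -DisableProtocol to block it by policy, or update App Installer from the Microsoft Store.'
    }
}
```

The policy check matters even on machines that do have the current App Installer: it records the organization's intent independently of what the Store delivers, so a future reinstall or a downgraded package cannot quietly bring the handler back.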
Noteworthy Security Updates in February's Patch Tuesday Rollout:
Among the notable security updates for February's Patch Tuesday:
1. A critical remote-code-execution vulnerability (CVE-2024-21413) in Microsoft Outlook with a CVSS score of 9.8. The Outlook preview pane is an attack vector: a malicious link can bypass Office Protected View and open the content in editing mode, and a successful exploit can expose the user's NTLM credential information.
2. Another critical vulnerability (CVE-2024-21357) affects Windows Pragmatic General Multicast (PGM), scoring 7.5 on the CVSS scale. It requires no authentication and can reach targets across a broad network segment, including adjacent segments, which gives an attacker a ready route for lateral movement. PGM ships with Microsoft Message Queuing (MSMQ) rather than with a default Windows installation, so systems without MSMQ installed are not exposed.
3. A critical denial-of-service vulnerability (CVE-2024-20684) in Hyper-V affecting Windows 11 and Windows Server 2022, scoring 6.5 on the CVSS scale. A successful exploit lets an attacker disrupt the Hyper-V host's functionality.
Recent updates from other companies:
Here's the roundup of updates from other vendors in February 2024:
• Adobe has pushed out security updates covering Commerce, Substance 3D Painter, Acrobat, and Reader, among other products.
• Cisco has addressed security concerns across several products with its recent updates.
• ExpressVPN has released a new version, removing the split-tunneling feature following a DNS query leak.
• Fortinet has released security updates for a new FortiOS SSL VPN RCE that is being exploited in attacks, and has disclosed two RCE flaws in FortiSIEM.
• Google has delivered the Android February 2024 security updates.
• Ivanti has released security updates to address a new Connect Secure authentication bypass flaw.
• JetBrains has issued security updates to tackle a critical authentication bypass vulnerability in TeamCity On-Premises.
• Various Linux distributions have patched a new Shim bootloader code execution flaw.
• Mastodon has issued a security update to fix a vulnerability that could allow attackers to take over remote accounts.
• SAP has rolled out its February 2024 Patch Day updates.
The February 2024 Patch Tuesday Security Updates:
The table below breaks down the vulnerabilities addressed in the February 2024 Patch Tuesday updates. For in-depth information on each vulnerability, including its description and the systems it affects, see the detailed report.
Tag | CVE ID | CVE Title | Severity |
---|---|---|---|
.NET | CVE-2024-21386 | .NET Denial of Service Vulnerability | Important |
.NET | CVE-2024-21404 | .NET Denial of Service Vulnerability | Important |
Azure Active Directory | CVE-2024-21401 | Microsoft Entra Jira Single-Sign-On Plugin Elevation of Privilege Vulnerability | Important |
Azure Active Directory | CVE-2024-21381 | Microsoft Azure Active Directory B2C Spoofing Vulnerability | Important |
Azure Connected Machine Agent | CVE-2024-21329 | Azure Connected Machine Agent Elevation of Privilege Vulnerability | Important |
Azure DevOps | CVE-2024-20667 | Azure DevOps Server Remote Code Execution Vulnerability | Important |
Azure File Sync | CVE-2024-21397 | Microsoft Azure File Sync Elevation of Privilege Vulnerability | Important |
Azure Site Recovery | CVE-2024-21364 | Microsoft Azure Site Recovery Elevation of Privilege Vulnerability | Moderate |
Azure Stack | CVE-2024-20679 | Azure Stack Hub Spoofing Vulnerability | Important |
Internet Shortcut Files | CVE-2024-21412 | Internet Shortcut Files Security Feature Bypass Vulnerability | Important |
Mariner | CVE-2024-21626 | Unknown | Unknown |
Microsoft ActiveX | CVE-2024-21349 | Microsoft ActiveX Data Objects Remote Code Execution Vulnerability | Important |
Microsoft Azure Kubernetes Service | CVE-2024-21403 | Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability | Important |
Microsoft Azure Kubernetes Service | CVE-2024-21376 | Microsoft Azure Kubernetes Service Confidential Container Remote Code Execution Vulnerability | Important |
Microsoft Defender for Endpoint | CVE-2024-21315 | Microsoft Defender for Endpoint Protection Elevation of Privilege Vulnerability | Important |
Microsoft Dynamics | CVE-2024-21393 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important |
Microsoft Dynamics | CVE-2024-21389 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important |
Microsoft Dynamics | CVE-2024-21395 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important |
Microsoft Dynamics | CVE-2024-21380 | Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability | Critical |
Microsoft Dynamics | CVE-2024-21328 | Dynamics 365 Sales Spoofing Vulnerability | Important |
Microsoft Dynamics | CVE-2024-21394 | Dynamics 365 Field Service Spoofing Vulnerability | Important |
Microsoft Dynamics | CVE-2024-21396 | Dynamics 365 Sales Spoofing Vulnerability | Important |
Microsoft Dynamics | CVE-2024-21327 | Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability | Important |
Microsoft Edge (Chromium-based) | CVE-2024-1284 | Chromium: CVE-2024-1284 Use after free in Mojo | Unknown |
Microsoft Edge (Chromium-based) | CVE-2024-21399 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Moderate |
Microsoft Edge (Chromium-based) | CVE-2024-1060 | Chromium: CVE-2024-1060 Use after free in Canvas | Unknown |
Microsoft Edge (Chromium-based) | CVE-2024-1077 | Chromium: CVE-2024-1077 Use after free in Network | Unknown |
Microsoft Edge (Chromium-based) | CVE-2024-1283 | Chromium: CVE-2024-1283 Heap buffer overflow in Skia | Unknown |
Microsoft Edge (Chromium-based) | CVE-2024-1059 | Chromium: CVE-2024-1059 Use after free in WebRTC | Unknown |
Microsoft Exchange Server | CVE-2024-21410 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Critical |
Microsoft Office | CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability | Critical |
Microsoft Office | CVE-2024-20673 | Microsoft Office Remote Code Execution Vulnerability | Important |
Microsoft Office OneNote | CVE-2024-21384 | Microsoft Office OneNote Remote Code Execution Vulnerability | Important |
Microsoft Office Outlook | CVE-2024-21378 | Microsoft Outlook Remote Code Execution Vulnerability | Important |
Microsoft Office Outlook | CVE-2024-21402 | Microsoft Outlook Elevation of Privilege Vulnerability | Important |
Microsoft Office Word | CVE-2024-21379 | Microsoft Word Remote Code Execution Vulnerability | Important |
Microsoft Teams for Android | CVE-2024-21374 | Microsoft Teams for Android Information Disclosure | Important |
Microsoft WDAC ODBC Driver | CVE-2024-21353 | Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability | Important |
Microsoft WDAC OLE DB provider for SQL | CVE-2024-21370 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important |
Microsoft WDAC OLE DB provider for SQL | CVE-2024-21350 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important |
Microsoft WDAC OLE DB provider for SQL | CVE-2024-21368 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important |
Microsoft WDAC OLE DB provider for SQL | CVE-2024-21359 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important |
Microsoft WDAC OLE DB provider for SQL | CVE-2024-21365 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important |
Microsoft WDAC OLE DB provider for SQL | CVE-2024-21367 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important |
Microsoft WDAC OLE DB provider for SQL | CVE-2024-21420 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important |
Microsoft WDAC OLE DB provider for SQL | CVE-2024-21366 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important |
Microsoft WDAC OLE DB provider for SQL | CVE-2024-21369 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important |
Microsoft WDAC OLE DB provider for SQL | CVE-2024-21375 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important |
Microsoft WDAC OLE DB provider for SQL | CVE-2024-21361 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important |
Microsoft WDAC OLE DB provider for SQL | CVE-2024-21358 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important |
Microsoft WDAC OLE DB provider for SQL | CVE-2024-21391 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important |
Microsoft WDAC OLE DB provider for SQL | CVE-2024-21360 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important |
Microsoft WDAC OLE DB provider for SQL | CVE-2024-21352 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important |
Microsoft Windows | CVE-2024-21406 | Windows Printing Service Spoofing Vulnerability | Important |
Microsoft Windows DNS | CVE-2024-21377 | Windows DNS Information Disclosure Vulnerability | Important |
Role: DNS Server | CVE-2023-50387 | MITRE: CVE-2023-50387 DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers | Important |
Role: DNS Server | CVE-2024-21342 | Windows DNS Client Denial of Service Vulnerability | Important |
Skype for Business | CVE-2024-20695 | Skype for Business Information Disclosure Vulnerability | Important |
SQL Server | CVE-2024-21347 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important |
Trusted Compute Base | CVE-2024-21304 | Trusted Compute Base Elevation of Privilege Vulnerability | Important |
Windows Hyper-V | CVE-2024-20684 | Windows Hyper-V Denial of Service Vulnerability | Critical |
Windows Internet Connection Sharing (ICS) | CVE-2024-21343 | Windows Network Address Translation (NAT) Denial of Service Vulnerability | Important |
Windows Internet Connection Sharing (ICS) | CVE-2024-21348 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | Important |
Windows Internet Connection Sharing (ICS) | CVE-2024-21357 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical |
Windows Internet Connection Sharing (ICS) | CVE-2024-21344 | Windows Network Address Translation (NAT) Denial of Service Vulnerability | Important |
Windows Kernel | CVE-2024-21371 | Windows Kernel Elevation of Privilege Vulnerability | Important |
Windows Kernel | CVE-2024-21338 | Windows Kernel Elevation of Privilege Vulnerability | Important |
Windows Kernel | CVE-2024-21341 | Windows Kernel Remote Code Execution Vulnerability | Important |
Windows Kernel | CVE-2024-21345 | Windows Kernel Elevation of Privilege Vulnerability | Important |
Windows Kernel | CVE-2024-21362 | Windows Kernel Security Feature Bypass Vulnerability | Important |
Windows Kernel | CVE-2024-21340 | Windows Kernel Information Disclosure Vulnerability | Important |
Windows LDAP - Lightweight Directory Access Protocol | CVE-2024-21356 | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability | Important |
Windows Message Queuing | CVE-2024-21363 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | Important |
Windows Message Queuing | CVE-2024-21355 | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability | Important |
Windows Message Queuing | CVE-2024-21405 | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability | Important |
Windows Message Queuing | CVE-2024-21354 | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability | Important |
Windows OLE | CVE-2024-21372 | Windows OLE Remote Code Execution Vulnerability | Important |
Windows SmartScreen | CVE-2024-21351 | Windows SmartScreen Security Feature Bypass Vulnerability | Moderate |
Windows USB Serial Driver | CVE-2024-21339 | Windows USB Generic Parent Driver Remote Code Execution Vulnerability | Important |
Windows Win32K - ICOMP | CVE-2024-21346 | Win32k Elevation of Privilege Vulnerability | Important |