
Microsoft issues patches for 73 CVEs including two zero-days

source link: https://itwire.com/business-it-news/security/microsoft-issues-patches-for-73-cves-including-two-zero-days.html

Wednesday, 14 February 2024 09:49


By Sam Varghese


Microsoft has released fixes on Patch Tuesday for vulnerabilities detailed in 73 CVEs, including two zero-days that are being exploited in the wild.

The releases, on 13 February, also included patches for critical remote code execution flaws and a critical elevation of privilege vulnerability in Exchange.

Adam Barnett, lead software engineer at security outfit Rapid7, said six browser flaws had been published separately during the month.

Regarding the Patch Tuesday announcement, he said: "CVE-2024-21351 describes a security feature bypass vulnerability in Windows SmartScreen. Microsoft has already seen evidence of exploitation in the wild. Successful exploitation requires that the attacker convince the user to open a malicious file.

"Successful exploitation bypasses the SmartScreen user experience and potentially allows code injection into SmartScreen to achieve remote code execution. Of interest: other critical SmartScreen bypass vulnerabilities from the past couple of years (e.g. CVE-2023-36025 from November 2023) have not included language describing code injection into SmartScreen itself, focusing instead on the security feature bypass only. Microsoft’s own researchers reported both CVE-2024-21351 and CVE-2023-36025."

Barnett said Microsoft Office typically shielded users from a variety of attacks by opening files with Mark of the Web in Protected View, which meant Office would render the document without fetching potentially malicious external resources.

"CVE-2024-21413 is a critical RCE vulnerability in Office which allows an attacker to cause a file to open in editing mode as though the user had agreed to trust the file," he said. "The Outlook Preview Pane is listed as an attack vector, and no user interaction is required.

"Microsoft assesses this vulnerability as a critical CVSSv3 base score of 9.8, as well as critical under their own proprietary severity ranking scale. Administrators responsible for Office 2016 installations who apply patches outside of Microsoft Update should note that the advisory lists no fewer than five separate patches which must be installed to achieve remediation; individual update KB articles further note that partially-patched Office installations will be blocked from starting until the correct combination of patches has been installed."

Another CVE patched in February was CVE-2024-21357. Barnett said this was a flaw in Windows Pragmatic General Multicast.

"Although the CVSSv3 base score is a relatively mild 7.5 thanks to the high attack complexity and the same-subnet limitation of the attack, Microsoft rates this vulnerability as critical under its own proprietary severity scale," he elaborated.

"A discrepancy between the two severity ranking systems is always worth noting. A further clue that Microsoft considers this vulnerability particularly serious: patches are available for Windows Server 2008, which is now completely end of life. The advisory is light on detail when it comes to exploitation methods; other recent critical RCE vulnerabilities in Windows PGM have involved Microsoft Message Queuing Service."

Barnett said while Exchange admins had enjoyed a rare two-month break from patching, February saw the publication of CVE-2024-21410, a critical elevation of privilege vulnerability in Exchange.

"Microsoft explains that an attacker could use NTLM credentials previously acquired via another means to act as the victim on the Exchange server using an NTLM relay attack," he explained.

"One possible avenue for that credential acquisition: an NTLM credential-leaking vulnerability in Outlook such as CVE-2023-36761, which Rapid7 wrote about back in September 2023.

"Compounding the concern for defenders: Exchange 2016 is listed as affected, but no patch is yet listed on the CVE-2024-21410 advisory. Exchange 2019 patches are available for CU13 and the newly minted CU14 series.

"According to Microsoft, Exchange installations where Extended Protection for Authentication is already enabled are protected, although Microsoft strongly recommends installing the latest Cumulative Update.

"Further resources are provided in the advisory, including Microsoft’s generic guidance on mitigating Pass the Hash-style attacks, as well as Microsoft’s Exchange Server Health Checker script, which includes an overview of EPA status. The Exchange 2019 CU14 update series enables EPA by default."
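Since the advisory's stated mitigation for CVE-2024-21410 is having Extended Protection for Authentication enabled, an administrator will want a quick way to see the current EPA state. The script below is an added example, not code from the article, from Rapid7 or from Microsoft's Health Checker; it assumes the IIS WebAdministration module on an Exchange server, and the virtual directory names are a constructed sample of common Exchange front-end paths under the default site, not an exhaustive list.

```powershell
# Added example (not from the article or Microsoft): report the EPA setting
# (IIS extendedProtection/tokenChecking) of Exchange virtual directories.
# Assumption: run on the Exchange server with the IIS WebAdministration module.
Import-Module WebAdministration

$site   = 'Default Web Site'
# Constructed sample of common Exchange front-end vdirs; adjust to the deployment.
$vdirs  = @('Autodiscover', 'EWS', 'OWA', 'ECP', 'Microsoft-Server-ActiveSync',
            'Rpc', 'MAPI', 'OAB', 'PowerShell')
$filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

foreach ($vdir in $vdirs) {
    $path = "IIS:\Sites\$site\$vdir"
    if (-not (Test-Path $path)) { continue }   # vdir not present on this role or build

    # tokenChecking is None (EPA off), Allow, or Require. The cmdlet may return either
    # a plain string or a configuration attribute object, so handle both shapes.
    $raw   = Get-WebConfigurationProperty -PSPath $path -Filter $filter -Name 'tokenChecking'
    $token = if ($raw -and $raw.PSObject.Properties['Value']) { $raw.Value } else { "$raw" }

    $state = if (-not $token -or $token -eq 'None') { 'EPA NOT ENABLED' } else { "EPA $token" }
    '{0,-45} {1}' -f "$site/$vdir", $state
}
```

Any directory reported as NOT ENABLED has no channel-binding protection and is where NTLM relay against that endpoint is still possible; Microsoft's own Health Checker script gives the authoritative per-directory view, including the back-end site.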

Mike Walters, president and co-founder of risk-based patch management software vendor Action1, said another flaw patched in February was a newly discovered zero-day vulnerability in Microsoft Windows 10 and later, as well as Microsoft Windows Server 2008 and later.

"This involves a Security Feature Bypass related to Internet Shortcut Files, identified as CVE-2024-21412. This vulnerability holds an 'important' impact rating, with a severity score of 8.1 on the CVSS scale," he noted. "Characterised by low complexity, it does not demand any special privileges to exploit but does require user interaction to be successful.

"In the exploitation scenario, an attacker must send a specifically crafted file to a target user and persuade them to open it, since the attacker cannot compel the user to engage with the malicious content directly.

"Despite the vulnerability not being publicly disclosed, it has been found to be exploitable. It is crucial for organizations to implement the official patches and updates released by Microsoft to address this vulnerability effectively."
