Microsoft patched 73 CVEs in its February 2024 Patch Tuesday release

Microsoft patched 73 CVEs in its February 2024 Patch Tuesday release including two zero-day vulnerabilities exploited in the wild.

CVE-2024-21351 is a security feature bypass vulnerability in Windows SmartScreen. It was exploited in the wild as a zero-day, though we don’t have any specific insights into in-the-wild exploitation. What we know is that exploitation requires an attacker to use social engineering to convince a potential victim to open a malicious file. This is the fifth vulnerability in Windows SmartScreen patched since 2022 and all five have been exploited in the wild as zero-days. They include CVE-2022-44698 in December 2022, CVE-2023-24880 in March 2023, CVE-2023-32049 in July 2023 and CVE-2023-36025 in November 2023.

CVE-2024-21412 is a security feature bypass vulnerability in Internet Shortcut Files and it was also exploited in the wild as a zero-day. Like CVE-2024-21351, exploitation of this flaw requires an attacker to use social engineering to convince their intended target to open a malicious shortcut file. Specific details around this vulnerability weren’t available at the time Patch Tuesday was released, but it is credited to several researchers, so it’s possible details may emerge soon enough about the in-the-wild exploitation.

CVE-2024-21410 is an elevation of privilege vulnerability in Microsoft Exchange Server. This flaw is more likely to be exploited by attackers according to Microsoft. Exploiting this vulnerability could result in the disclosure of a targeted user’s Net-New Technology LAN Manager (NTLM) version 2 hash, which could be relayed back to a vulnerable Exchange Server in an NTLM relay or pass-the-hash attack, which would allow the attacker to authenticate as the targeted user.

We know that flaws that can disclose sensitive information like NTLM hashes are very valuable to attackers. A Russian-based threat actor leveraged a similar vulnerability to carry out attacks – CVE-2023-23397 is an Elevation of Privilege vulnerability in Microsoft Outlook patched in March 2023.

Satnam Narang, Senior Staff Research Engineer, Tenable said, It is extremely important that organizations that use Microsoft Exchange Server apply the latest patches as they are a frequent target by attackers. Microsoft notes that prior to its Exchange Server 2019 Cumulative Update 14 (CU14), a security feature called Extended Protection for Authentication (EPA), which provides NTLM credential relay protections, was not enabled by default. Going forward, CU14 enables this by default on Exchange servers, which is why it is important to upgrade.”

LEAVE A REPLY

Please enter your comment!
Please enter your name here