Microsoft has released patches to address 73 security flaws spanning its range of software as part of the February 2024 Patch Tuesday updates, including two zero-days that have been the subject of active exploitation.
Of the 73 vulnerabilities, five are rated Critical, 65 Important, and three Moderate in severity. This is in addition to the 24 flaws fixed in the Chromium-based Edge browser since the January 2024 Patch Tuesday release.
The two flaws listed as under active attack at the time of release are:
- CVE-2024-21351 (CVSS Score: 7.6) – Windows SmartScreen Security Feature Bypass Vulnerability
- CVE-2024-21412 (CVSS Score: 8.1) – Internet Shortcut Files Security Feature Bypass Vulnerability
“The vulnerability allows an attacker to inject code into SmartScreen and potentially achieve code execution, which could potentially lead to exposure of some data, loss of system availability, or both,” Microsoft said of CVE-2024-21351.
Successful exploitation of the flaw could allow an attacker to bypass SmartScreen protections and execute arbitrary code. However, for the attack to work, the threat actor must send the user a malicious file and convince them to open it.
CVE-2024-21412 similarly allows an unauthenticated attacker to bypass displayed security controls by sending a specially crafted file to a targeted user.
“However, the attacker would have no way to force a user to view the attacker-controlled content,” Redmond noted. “Instead, the attacker would have to convince them to take action by clicking on the file link.”
CVE-2024-21351 is the second SmartScreen bypass bug to come to light after CVE-2023-36025 (CVSS score: 8.8), which Microsoft patched in November 2023. That earlier flaw has since been exploited by multiple hacking groups to distribute DarkGate, Phemedrone Stealer and Mispadu.
Trend Micro, which detailed an attack campaign by Water Hydra (aka DarkCasino) against financial market traders that used a sophisticated zero-day attack chain built around CVE-2024-21412, described the flaw as a bypass of the patch for CVE-2023-36025, meaning threat actors could once again evade SmartScreen checks.
Water Hydra, first detected in 2021, has a long history of attacking banks, cryptocurrency platforms, trading services, gambling sites and casinos to deliver a trojan called DarkMe, using zero-day exploits such as the WinRAR flaw that came to light in August 2023 (CVE-2023-38831, CVSS score: 7.8).
Late last year, Chinese cybersecurity firm NSFOCUS classified the group of “economically motivated” hackers as an entirely new Advanced Persistent Threat (APT).
“In January 2024, Water Hydra updated its infection chain by leveraging CVE-2024-21412 to execute a malicious Microsoft Installer (.MSI) file, simplifying the DarkMe infection process,” Trend Micro said.
Both vulnerabilities have since been added to the Known Exploited Vulnerabilities (KEV) catalog by the US Cybersecurity and Infrastructure Security Agency (CISA), which is requiring federal agencies to apply the updates by March 5, 2024.
Microsoft has also fixed five critical flaws:
- CVE-2024-20684 (CVSS Score: 6.5) – Windows Hyper-V Denial of Service Vulnerability
- CVE-2024-21357 (CVSS Score: 7.5) – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
- CVE-2024-21380 (CVSS Score: 8.0) – Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability
- CVE-2024-21410 (CVSS Score: 9.8) – Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2024-21413 (CVSS Score: 9.8) – Microsoft Outlook Remote Code Execution Vulnerability
“CVE-2024-21410 is an elevation of privilege vulnerability in Microsoft Exchange Server,” Satnam Narang, senior research engineer at Tenable, said in a statement. “Microsoft says this flaw is more likely to be exploited by attackers.”
“Exploitation of this vulnerability could result in the disclosure of a targeted user’s Net-New Technology LAN Manager (NTLM) version 2 hash, which could be relayed back to a vulnerable Exchange Server in an NTLM relay or pass-the-hash attack, which could allow the attacker to authenticate as the targeted user.”
The update also resolves 15 remote code execution flaws in the Microsoft WDAC OLE DB Provider for SQL Server, which an attacker could exploit by tricking an authenticated user into attempting to connect to a malicious SQL Server over OLE DB. Note the direction of the attack: the malicious server exploits the OLE DB client, so the resulting code runs in the context of the connecting user, not on the SQL Server.
Rounding out the release is a fix for CVE-2023-50387 (CVSS score: 7.5), a 24-year-old design flaw in the DNSSEC specification that can be abused to exhaust CPU resources and stall or crash DNS resolvers, resulting in denial of service (DoS).
The vulnerability was named KeyTrap by the National Research Center for Applied Cyber Security (ATHENE) in Darmstadt.
“[The researchers] demonstrated that even with just a single DNS packet the attack can exhaust the CPU and crash all widely used DNS implementations and public DNS providers, such as Google Public DNS and Cloudflare,” ATHENE said. “Indeed, the popular DNS implementation BIND 9 can be blocked for up to 16 hours.”
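To make the design flaw concrete, the following is an added illustration written for this page, not code from ATHENE, Microsoft or any DNS resolver. KeyTrap exploits two properties of the specification: a DNSKEY's 16-bit key tag (RFC 4034, Appendix B) is a checksum rather than a unique identifier, so an attacker can publish many keys that share one tag, and RFC 4035 (Section 5.3.1) obliges a validator to try every key whose tag and algorithm match an RRSIG, and every RRSIG, before declaring the RRset bogus. The model below builds DNSKEY records with colliding tags (constructed filler bytes, not real keys), counts the signature verifications a spec-literal validator would perform when none can succeed, and shows how a cap on failed verifications, the kind of limit resolvers added in response to KeyTrap, bounds the work. The target tag, the `max_failures` value and the key counts are arbitrary choices for the demonstration, and no cryptography is performed.

```python
"""Model of the validation cost behind KeyTrap (CVE-2023-50387).

Added illustration for this page. The DNSKEY records are constructed filler,
not real keys, and signature verification is only counted, never performed.
"""
from dataclasses import dataclass
from typing import List, Optional

ALG_ECDSAP256SHA256 = 13  # DNSSEC algorithm number; its public key field is 64 bytes


def _fold(ac: int) -> int:
    """Final step of the RFC 4034 Appendix B key tag: fold carries into 16 bits."""
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA (RFC 4034, Appendix B; not for algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    return _fold(ac)


def make_colliding_dnskey(target_tag: int, seed: int) -> bytes:
    """Return DNSKEY RDATA (flags 256 = ZSK, protocol 3, algorithm 13) whose key
    tag equals target_tag.

    The tag is a 16-bit sum, so it is forced by choosing the last two bytes of
    the 64-byte public-key field; one earlier byte is varied as a fallback for
    the rare residue the carry fold makes unreachable. The key material is
    filler derived from `seed` and is not a valid ECDSA public key.
    """
    header = bytes([0x01, 0x00, 0x03, ALG_ECDSAP256SHA256])
    for pad in range(256):
        filler = bytes(((seed * 31 + i) ^ pad) & 0xFF for i in range(61))
        prefix = header + bytes([pad]) + filler   # 66 bytes; next offset is even
        ac = 0
        for i, b in enumerate(prefix):
            ac += b if i & 1 else b << 8
        for w in range(1 << 16):                  # bytes 66 (<<8) and 67 add exactly w
            if _fold(ac + w) == target_tag:
                return prefix + w.to_bytes(2, "big")
    raise ValueError("no DNSKEY found for this tag")


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int


def validation_attempts(dnskeys: List[bytes], rrsigs: List[RRSIG],
                        max_failures: Optional[int] = None) -> int:
    """Count the signature verifications a validator performs on one RRset when
    every signature is garbage (the KeyTrap case).

    RFC 4035 Section 5.3.1 makes a validator consider every DNSKEY whose key tag
    and algorithm match an RRSIG, and each RRSIG must be tried before the RRset
    is bogus, so the spec-literal cost is (matching keys) x (signatures).
    max_failures models the post-KeyTrap mitigation: give up, and answer
    SERVFAIL, after that many failed verifications.
    """
    attempts = 0
    for sig in rrsigs:
        for key in dnskeys:
            if key[3] != sig.algorithm or key_tag(key) != sig.key_tag:
                continue                      # cheap filter, no crypto involved
            attempts += 1                     # one expensive, failing verification
            if max_failures is not None and attempts >= max_failures:
                return attempts               # bounded: treat the response as bogus
    return attempts


def demo(n_keys: int = 8, n_sigs: int = 8, cap: int = 16, tag: int = 0x4B1D):
    """Work factor without and with a failure cap for n_keys colliding keys and
    n_sigs bogus signatures over one RRset."""
    keys = [make_colliding_dnskey(tag, seed) for seed in range(n_keys)]
    sigs = [RRSIG(tag, ALG_ECDSAP256SHA256) for _ in range(n_sigs)]
    return validation_attempts(keys, sigs), validation_attempts(keys, sigs, cap)


if __name__ == "__main__":
    unbounded, bounded = demo()
    print(f"spec-literal validator: {unbounded} verifications; capped: {bounded}")
```

Eight colliding keys and eight garbage signatures cost a spec-literal validator 64 verifications and a capped one 16. A real attacker packs hundreds of keys and signatures into one response, and with RSA keys every attempt is a full modular exponentiation, which is how a single packet could keep a resolver busy for hours; the cap turns that into a fixed, small amount of work followed by a SERVFAIL.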
Software patches from other vendors
In addition to Microsoft, other vendors have also released security updates in recent weeks to fix several vulnerabilities, including: