Breaking Down the Latest February 2024 Patch Tuesday Report

Microsoft has released its February Patch Tuesday security updates, addressing 73 vulnerabilities across Windows, Office, Exchange Server, Azure, Dynamics, and other products. This includes fixes for two zero-day vulnerabilities that are being actively exploited in the wild.

The two zero-days are a Windows SmartScreen bypass (CVE-2024-21351) and an Internet Shortcut files bypass (CVE-2024-21412). Both allow attackers to evade security warnings and potentially execute malicious code.

Other critical flaws include a remote code execution bug in Exchange Server (CVE-2024-21410) and Outlook (CVE-2024-21413), an information disclosure issue in Dynamics Business Central (CVE-2024-21380), and denial of service bugs in Windows Hyper-V (CVE-2024-20684) and Windows PGM (CVE-2024-21357).

In total, Microsoft addressed 5 critical vulnerabilities and 68 important ones. The most common issues are remote code execution (31 bugs), elevation of privilege (16 bugs), and spoofing (10 bugs).

Key products receiving security updates include Windows, Office, Exchange Server, Azure, Dynamics 365, .NET Framework, Windows Hyper-V, and Microsoft Edge. Administrators should prioritize testing and deploying patches for the actively exploited zero-days and remote code execution flaws.

Additional steps may be required to fully remediate some vulnerabilities, such as enabling Extended Protection for Authentication in Exchange Server. Overall, applying these critical monthly security updates helps harden environments against emerging threats.

Update for Windows 11 users: Microsoft has published KB5034765 for Windows 11. Visit this page to learn what is there in the KB5034765 update.

Update for Windows 10 users: Microsoft has published KB5034763 for Windows 10. Visit this page to learn what is there in the KB5034763 update.

Key Highlights - Patch Tuesday February 2024

Microsoft's February 2024 Patch Tuesday addressed 73 vulnerabilities, including two actively exploited zero-days: CVE-2024-21351 (Windows SmartScreen bypass) and CVE-2024-21412 (Internet Shortcut files bypass).

Key highlights are:

Administrators should prioritize testing and deployment of patches, focusing on the actively exploited zero-days and remote code executions. These February updates continue to secure Microsoft's ecosystem against emerging threats.

Zero-day Vulnerabilities Patched in February 2024

Two 0-days patches released in February 2024 report are:

CVE-2024-21412 - Internet Shortcut Files Security Feature Bypass Vulnerability

This vulnerability allows an unauthenticated attacker to bypass the security warning dialogs typically displayed when a user opens an Internet Shortcut (.url) file from an untrusted source.

Successful exploitation requires the attacker to convince the user to open a specially crafted malicious .url file. This could be done via social engineering through email, messaging apps, forums, etc. Once opened, the file would bypass the warnings about potentially malicious content from the internet, enabling further attacks.

The CVSS v3 base score is 8.1 out of 10, indicating a vulnerability that is "high" severity. However, Microsoft rates this as "Important" rather than "Critical" in their own severity scale, likely because it requires user interaction to exploit.

The fact that Microsoft observed active exploitation of this zero-day vulnerability before a patch was issued underscores the urgency of applying the fix released as part of the February 2024 Patch Tuesday updates.

CVE-2024-21351 - Windows SmartScreen Security Feature Bypass Vulnerability

This vulnerability allows an attacker to bypass Windows SmartScreen warnings and protections. SmartScreen is a security feature that scans web pages and files for threats.

To exploit this, an attacker would have to convince the user to open a malicious file that then could bypass SmartScreen checks and achieve remote code execution.

The CVSS v3 base score is 7.6 out of 10, putting it in the "High" severity bracket. However, Microsoft rated this moderate severity, likely because it requires social engineering for exploitation.

Microsoft reported that this vulnerability was being actively exploited in the wild at the time of disclosure. This makes rapidly patching this flaw critically important to prevent attacks leveraging this technique.

Successful exploitation could allow attackers to inject malicious code into SmartScreen processes for heightened system access and potential data exposure or denial of service.

Critical Vulnerabilities Patched in February 2024

Five vulnerabilities with critical severity score in February 2024 patch reports are:

CVE-2024-21410 - Microsoft Exchange Server Elevation of Privilege Vulnerability

This vulnerability allows an unauthenticated remote attacker to relay leaked Net-NTLMv2 hashes and essentially impersonate or authenticate as other users on a vulnerable Exchange Server.

The attacker could potentially obtain the Net-NTLMv2 credentials through a separate vulnerability then use them to exploit this flaw and gain unauthorized access acting as the victimized user.

With a CVSS v3 base score of 9.8 out of 10, this is deemed a "critical" severity vulnerability. The high score reflects the ease of remote exploitability and high potential impact in terms of compromising Exchange Server accounts.

Microsoft noted that while patches are available, additional steps are required including updating to Exchange Server 2019 Cumulative Update 14 (CU14) and enabling the Extended Protection for Authentication (EPA) feature. Careful patching and credential hygiene are vital to security.

CVE-2024-21413 - - Microsoft Outlook Remote Code Execution Vulnerability

This vulnerability allows an attacker to bypass Office Protected View and open specially crafted files in editing mode rather than protected mode. Doing so enables malicious code execution.

The CVSS v3 base score is 9.8 out of 10, putting it in the "critical" severity tier, which aligns with Microsoft's own rating. Successful exploitation could lead to malware execution, data exposure, or possible system takeover.

Attack vectors include convincing users to open malicious emails or attachments. Specific to this CVE, the Outlook Preview Pane is listed as a vector, meaning previewing alone could trigger exploitation and code execution.

Microsoft has released several patches, including some that require multiple installs across 32-bit and 64-bit Office 2016 versions to fully mitigate the vulnerability. Careful deployment is essential for protection.

This flaw highlights the importance of ongoing staff security training as well given the social engineering often required to exploit critical remote code execution bugs.

CVE-2024-21380 - Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability

This vulnerability allows an authenticated attacker to potentially access other tenants' data and applications within the multi-tenant Microsoft Dynamics Business Central/NAV software.

Successful exploitation requires the attacker to convince the user to click on a specially crafted URL. There is also a race condition that must occur for the exploit to fully succeed.

The CVSS v3 base score is 8.0 out of 10, putting it in the "high" severity tier. Along with Microsoft's own critical severity rating, this reflects the significance of the unauthorized data access and account control implications.

While authentication is required, the business-critical nature of the Dynamics platform makes this an important vulnerability to patch quickly. Successful exploitation could allow attackers to access sensitive customer information or perform unauthorized actions.

CVE-2024-21357 - Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

This remote code execution vulnerability exists in the Windows PGM networking feature. PGM is a transport protocol that enables reliable data transfer to multiple receivers.

While Microsoft assigns this a Critical severity rating, the CVSS v3 base score is 7.5 out of 10. Exploitation is also limited to systems connected to the same network or virtual network as the attacker.

Attack complexity is considered high since additional actions are required by a threat actor prior to successful exploitation. Still, the security implications of remote code execution vulnerabilities makes this an important patch to address.

Applying the Microsoft updates for CVE-2024-21357 will mitigate the potential for exploits leveraging this network transport protocol vulnerability and executing arbitrary code on impacted endpoints.

CVE-2024-20684 - Windows Hyper-V Denial of Service Vulnerability

This denial-of-service (DoS) vulnerability exists in Windows Hyper-V, the native hypervisor-based virtualization platform in Windows.

The vulnerability could enable a guest virtual machine to adversely impact the functionality of the hosting Hyper-V server. While it scores only 6.5 CVSS and requires local access, a successful DoS attack could still lead to a shutdown of virtualized workloads.

Microsoft rated this bug as Critical severity, likely due to the potential disruption it could cause to business-critical virtual infrastructure. However, the attack complexity is higher since software would need to be specifically designed to trigger the flaw.

Applying Microsoft's patch for CVE-2024-20684 will mitigate the possibility of a virtual machine being able to crash or disable the Windows Hyper-V host system and associated services.

Vulnerabilities by Category

Microsoft addressed 73 total vulnerabilities in February, spanning:

Remote code execution vulnerabilities continue to dominate, representing 41% of the February updates. Successful exploits of these critical bugs enable arbitrary code execution for extensive system control.

The second most prevalent category is elevation of privilege at 22%. These empower threat actors to increase compromised user rights to further objectives.

While less frequent, spoofing, denial of service, and information disclosure flaws enable attack chains and should also undergo patching. Spoofing now represents 14% of February fixes.

Overall, systematically addressing these complex categories of risk is essential against today's advanced, determined adversaries across enterprise attack surfaces. Prioritizing by potential business impact is key.

Complete List of Vulnerabilities Patched in February 2024 Patch Tuesday

Download the complete list of vulnerabilities by products patched inFebruary 2024 Patch Tuesday here. 

Azure vulnerabilities

Azure Developer Tools vulnerabilities

Browser vulnerabilities

Developer Tools vulnerabilities

ESU Windows vulnerabilities

Exchange Server vulnerabilities

Microsoft Dynamics vulnerabilities

Microsoft Office vulnerabilities

System Center vulnerabilities

Windows vulnerabilities

Bottom Line

Microsoft's February 2024 Patch Tuesday release addressed 73 total vulnerabilities, headlined by fixes for two actively exploited zero-day flaws:

Additional key vulnerabilities included:

In total, 31 critical or high-severity remote code execution bugs were addressed this month along with 16 important elevation of privilege flaws. Information disclosure, spoofing, and denial of service issues rounded out the rest.

The extensive patch load stresses the importance of continuous monitoring, vulnerability management, and updating to counter sophisticated multi-stage attacks targeting enterprise networks. Prioritizing remediation efforts by potential business impact is crucial.

We'll continue providing monthly Patch Tuesday analyses highlighting major security updates needing visibility. Please follow our website thesecmaster.com or subscribe to our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram to receive similar updates.

You may also like these articles: