Microsoft has released its February 2024 Patch Tuesday security updates, addressing 73 vulnerabilities across Windows, Office, Exchange Server, Azure, Dynamics, and other products. The release includes fixes for two zero-day vulnerabilities that were being actively exploited in the wild at the time of publication.
The two zero-days are a Windows SmartScreen security feature bypass (CVE-2024-21351) and an Internet Shortcut files security feature bypass (CVE-2024-21412). Both let an attacker suppress the security warning a user would otherwise see before opening a file, which in practice is the step that gates execution of the malicious payload.
Other critical flaws include an elevation of privilege bug in Exchange Server (CVE-2024-21410), a remote code execution bug in Outlook (CVE-2024-21413), an information disclosure issue in Dynamics Business Central/NAV (CVE-2024-21380), a remote code execution bug in Windows Pragmatic General Multicast (CVE-2024-21357), and a denial of service bug in Windows Hyper-V (CVE-2024-20684).
Microsoft rates 5 of the 73 as Critical; the rest are Important or Moderate (the SmartScreen zero-day CVE-2024-21351, for one, is rated Moderate). The most common classes are remote code execution (31 bugs), elevation of privilege (16 bugs), and spoofing (10 bugs).
Products receiving updates include Windows, Office, Exchange Server, Azure, Dynamics 365, .NET Framework, Windows Hyper-V, and Microsoft Edge. Administrators should prioritize testing and deploying the fixes for the two exploited zero-days, the Exchange Server and Outlook critical bugs, and then the remaining remote code execution flaws.
Some fixes need steps beyond installing the update: the Exchange Server fix for CVE-2024-21410 only takes effect once Extended Protection for Authentication is enabled, and Office 2016 needs several separate updates for CVE-2024-21413. Check each advisory's FAQ before declaring a host remediated; applying the monthly updates promptly, with those extra steps, is what actually hardens the environment.
Windows 11: the February 2024 cumulative update is KB5034765. See Microsoft's release notes for KB5034765 for the full list of changes it contains.
Windows 10: the February 2024 cumulative update is KB5034763. See Microsoft's release notes for KB5034763 for the full list of changes it contains.
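As an added example (not part of the original article), the following PowerShell confirms that a Windows 10 or 11 host is at or beyond the February 2024 cumulative update level. It checks the OS build (CurrentBuild and UBR from the registry) rather than relying only on Get-HotFix, because later cumulative updates supersede KB5034765 and KB5034763 and can remove their entries from the hotfix list. The minimum build numbers in the table are taken from Microsoft's release notes for the two KBs and are an assumption to verify against those articles before relying on them; Windows Server builds are not covered, and the function name is the author's.

```powershell
# Added example (not from the original article): confirm that a Windows 10/11 host is at
# or beyond the February 2024 cumulative update level. Later LCUs supersede KB5034765 and
# KB5034763 and can remove their entries from Get-HotFix, so the OS build (CurrentBuild.UBR)
# is the reliable indicator. Minimum builds below are from Microsoft's KB release notes;
# verify them against the KB articles before relying on them (Windows Server not covered).

function Get-FebruaryUpdateStatus {
    $minimum = @{
        '22631' = @{ KB = 'KB5034765'; UBR = 3155 }   # Windows 11 23H2
        '22621' = @{ KB = 'KB5034765'; UBR = 3155 }   # Windows 11 22H2
        '19045' = @{ KB = 'KB5034763'; UBR = 4046 }   # Windows 10 22H2
        '19044' = @{ KB = 'KB5034763'; UBR = 4046 }   # Windows 10 21H2
    }

    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR

    if (-not $minimum.ContainsKey($build)) {
        return [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Build      = "$build.$ubr"
            RequiredKB = 'n/a'
            KBListed   = $false
            Patched    = $null
            Note       = 'build line not in table; check the KB for this version'
        }
    }

    $want = $minimum[$build]
    # Get-HotFix reports the KB only while it is the current LCU; the UBR comparison
    # still says Patched = True after a later cumulative update has replaced it.
    $listed  = [bool](Get-HotFix -Id $want.KB -ErrorAction SilentlyContinue)
    $patched = ($ubr -ge $want.UBR)
    $note    = 'reboot pending or update missing'
    if ($patched) { $note = 'February 2024 fixes present' }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Build      = "$build.$ubr"
        RequiredKB = $want.KB
        KBListed   = $listed
        Patched    = $patched
        Note       = $note
    }
}

Get-FebruaryUpdateStatus | Format-List
```

Run it through Invoke-Command against a list of hosts to build a fleet-wide report; a host that shows KBListed = False but Patched = True has simply moved on to a later cumulative update, which is fine, while KBListed = True and Patched = False means the update is staged but the reboot has not happened yet.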
Microsoft's February 2024 Patch Tuesday addressed 73 vulnerabilities, including two actively exploited zero-days: CVE-2024-21351 (Windows SmartScreen security feature bypass) and CVE-2024-21412 (Internet Shortcut files security feature bypass).
Key highlights:
Total flaws: 73 bugs fixed, 5 of them rated Critical.
Vulnerability types: remote code execution (31 bugs) leads, followed by elevation of privilege (16) and spoofing (10).
Zero-days: both zero-days let an attacker bypass the security warnings that stand between a user and a malicious file, clearing the way for code execution.
Critical bugs: the other Critical issues are an elevation of privilege in Exchange Server, a remote code execution in Outlook, an information disclosure in Dynamics Business Central/NAV, a remote code execution in Windows PGM, and a denial of service in Hyper-V.
Notable Important-rated issues: remote code execution bugs in the Windows OLE DB and ODBC providers, ActiveX Data Objects, and Office components; denial of service bugs in .NET; privilege escalations in the Windows kernel and several Azure services.
Key products: Windows, Office, Exchange Server, Azure, Dynamics 365, .NET Framework, Windows Hyper-V, Microsoft Edge.
Administrators should prioritize testing and deployment of the patches, starting with the actively exploited zero-days and the remote code execution flaws.
The two zero-days patched in the February 2024 release are:

| CVE ID | Description | CVSSv3 | Severity |
|---|---|---|---|
| CVE-2024-21412 | Internet Shortcut Files Security Feature Bypass Vulnerability | 8.1 | Important |
| CVE-2024-21351 | Windows SmartScreen Security Feature Bypass Vulnerability | 7.6 | Moderate |
CVE-2024-21412: Internet Shortcut Files Security Feature Bypass Vulnerability
Vulnerability type: Security Feature Bypass
Affected product: Windows (Internet Shortcut files)
CVSS v3 base score: 8.1
Severity rating: Important
This vulnerability allows an unauthenticated attacker to bypass the security warning dialogs that Windows normally shows when a user opens an Internet Shortcut (.url) file that came from an untrusted source.
Exploitation requires the attacker to convince the target to open a specially crafted .url file, delivered by email, messaging apps, forums, or similar social engineering. Once opened, the file bypasses the warnings about content from the internet, so whatever the shortcut points at is launched without the usual prompt. The bypass is the first stage of an attack chain rather than the payload itself.
The CVSS v3 base score of 8.1 falls in the "high" band of the CVSS scale, but Microsoft rates it Important rather than Critical on its own scale, because it requires user interaction and does not by itself execute code.
Microsoft observed active exploitation of this zero-day before a patch was available, which makes the February 2024 fix a priority for any host where users receive files from outside the organization.
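The advisory above says only that the bypass defeats the warning for .url files from untrusted sources. A defender's practical question is whether such files are already sitting in user download and temp folders, and whether they still carry a Mark-of-the-Web. The PowerShell below is an added example, not from the article or from Microsoft: it parses .url files (INI text with a [InternetShortcut] section holding URL= and IconFile= keys), flags ones whose target is a remote share, a file: URL, or a web URL ending in an executable or script extension, and reports the Zone.Identifier zone for each. The search roots, the "suspicious" heuristics, and the function names are the author's choices for this example, not criteria from the advisory.

```powershell
# Added example (not from the article or Microsoft): hunt for Internet Shortcut (.url)
# files that point at remote shares or executable content rather than a web page, and
# report whether each still carries a Mark-of-the-Web (Zone.Identifier) stream.
# The heuristics and search roots below are assumptions made for this example.

function Read-InternetShortcut {
    param([Parameter(Mandatory)][string]$Path)
    # .url files are INI text: a [InternetShortcut] section with URL= and optional
    # IconFile= keys. Only keys inside that section are honoured.
    $result = @{ URL = $null; IconFile = $null }
    $inSection = $false
    foreach ($line in (Get-Content -LiteralPath $Path -ErrorAction SilentlyContinue)) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'InternetShortcut'); continue }
        if (-not $inSection) { continue }
        if ($t -match '^(URL|IconFile)\s*=\s*(.*)$') { $result[$Matches[1]] = $Matches[2].Trim() }
    }
    [pscustomobject]$result
}

function Test-SuspiciousTarget {
    param([string]$Target)
    if ([string]::IsNullOrWhiteSpace($Target)) { return $false }
    # UNC path (\\server\share) or file: scheme instead of a web URL
    if ($Target -match '^(\\\\|file:)') { return $true }
    # Web URL whose path ends in something Windows will execute or re-dispatch
    if ($Target -match '\.(exe|msi|lnk|url|js|jse|vbs|vbe|wsf|hta|cmd|bat|ps1|scr|dll|cpl)(\?|#|$)') { return $true }
    return $false
}

function Get-ZoneId {
    param([string]$Path)
    # Mark-of-the-Web lives in the Zone.Identifier alternate data stream; ZoneId=3 is Internet.
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    foreach ($l in $ads) { if ($l -match '^ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] } }
    return $null
}

function Find-SuspiciousUrlFiles {
    param([string[]]$SearchRoot = @("$env:USERPROFILE\Downloads", "$env:TEMP"))
    Get-ChildItem -LiteralPath $SearchRoot -Filter *.url -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sc = Read-InternetShortcut -Path $_.FullName
            if ((Test-SuspiciousTarget $sc.URL) -or (Test-SuspiciousTarget $sc.IconFile)) {
                [pscustomobject]@{
                    File     = $_.FullName
                    URL      = $sc.URL
                    IconFile = $sc.IconFile
                    ZoneId   = Get-ZoneId $_.FullName   # $null means no Mark-of-the-Web at all
                    Modified = $_.LastWriteTime
                }
            }
        }
}

Find-SuspiciousUrlFiles | Format-Table -AutoSize
```

Two readings of the output matter. A flagged file with ZoneId = 3 is the case the patched bypass targets: the mark is present, so the warning should fire, and CVE-2024-21412 is what let it be skipped. A flagged file with no Zone.Identifier at all arrived by a path that stripped the mark (for example inside a container format), and no SmartScreen or Internet Shortcut warning would have been shown regardless of patch level, which is a separate control gap worth tracing.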
CVE-2024-21351: Windows SmartScreen Security Feature Bypass Vulnerability
Vulnerability type: Security Feature Bypass
Affected product: Windows SmartScreen
CVSS v3 base score: 7.6
Severity rating: Moderate
This vulnerability allows an attacker to bypass Windows SmartScreen warnings and protections. SmartScreen is the reputation-based check Windows applies to downloaded files and URLs before they are opened.
To exploit it, an attacker must convince the user to open a malicious file; the file then gets past the SmartScreen checks that would otherwise warn or block.
The CVSS v3 base score of 7.6 falls in the "high" band of the CVSS scale, but Microsoft rates it Moderate, because exploitation depends on social engineering and the immediate effect is the loss of a warning rather than direct compromise.
Microsoft reported that this vulnerability was being exploited in the wild at the time of disclosure, which is reason enough to deploy the fix quickly on user endpoints.
Per Microsoft's advisory, successful exploitation could allow an attacker to inject code into SmartScreen and gain code execution, potentially leading to data exposure, loss of system availability, or both.
The five vulnerabilities Microsoft rated Critical in the February 2024 release are:

| CVE | Description | CVSS Score |
|---|---|---|
| CVE-2024-21410 | Microsoft Exchange Server Elevation of Privilege Vulnerability | 9.8 |
| CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability | 9.8 |
| CVE-2024-21380 | Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability | 8.0 |
| CVE-2024-21357 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | 7.5 |
| CVE-2024-20684 | Windows Hyper-V Denial of Service Vulnerability | 6.5 |
CVE-2024-21410: Microsoft Exchange Server Elevation of Privilege Vulnerability
Vulnerability type: Elevation of Privilege
Affected product: Microsoft Exchange Server
CVSS v3 base score: 9.8
Severity rating: Critical
This vulnerability allows an unauthenticated remote attacker to relay a victim's leaked Net-NTLMv2 credentials to a vulnerable Exchange Server and authenticate as that user.
The attacker first obtains the Net-NTLMv2 response through a separate credential-leaking bug in an NTLM client such as Outlook, then relays it to Exchange to act with the victim's privileges on the server.
With a CVSS v3 base score of 9.8 out of 10 this is a Critical vulnerability; the score reflects network exploitability with no authentication or user interaction and the impact of taking over Exchange accounts.
Installing the update alone does not close the relay path. Exchange Server 2019 Cumulative Update 14 (CU14) enables Extended Protection for Authentication (EPA) by default during setup, and EPA is what actually blocks NTLM relay against the Exchange virtual directories; on the earlier supported builds (Exchange 2016 CU23 and Exchange 2019 CU13) EPA must be enabled manually, for example with Microsoft's ExchangeExtendedProtectionManagement.ps1 script. EPA has prerequisites of its own: TLS must terminate on the Exchange servers rather than on an offloading load balancer, and TLS settings and certificates must be consistent across servers, or client connections fail once it is enforced. Verify the EPA state after patching rather than assuming it; credential hygiene (limiting where NTLM is accepted at all) reduces the blast radius of any similar bug.
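The paragraph above says the Exchange fix is only effective once Extended Protection is on, so the post-patch check is the EPA state per virtual directory, not the update's presence. The PowerShell below is an added example, not Microsoft's ExchangeExtendedProtectionManagement.ps1 script (whose -ShowExtendedProtection switch does this check comprehensively). It reads the tokenChecking attribute of the extendedProtection element from the IIS applicationHost.config location blocks for the Default Web Site and Exchange Back End sites, and flags any directory where it is None or not set. The embedded sample config is constructed for the demonstration; the assumption that the setting lives in applicationHost.config location elements holds because IIS locks the windowsAuthentication section there by default. Which value each directory should have (Require, Allow, or None) differs per directory and is documented by Microsoft, so the output is a review list, not a pass/fail verdict.

```powershell
# Added example (not Microsoft's script): read the Extended Protection tokenChecking
# setting for Exchange virtual directories from IIS applicationHost.config and flag any
# that are None or unset. The sample document below is constructed for this example;
# call Get-ExtendedProtectionSetting with no arguments on an Exchange server to read
# the live file. Assumption: the setting is stored in <location path="..."> blocks of
# applicationHost.config, where IIS locks the windowsAuthentication section by default.

function Get-ExtendedProtectionSetting {
    param(
        [string]$Path = "$env:windir\System32\inetsrv\config\applicationHost.config",
        [xml]$Config   # optional: an already-loaded document (used by the sample run)
    )
    if (-not $Config) { $Config = [xml](Get-Content -LiteralPath $Path -Raw) }

    foreach ($loc in $Config.configuration.location) {
        $p = $loc.GetAttribute('path')
        # Only the two Exchange IIS sites are of interest here.
        if ($p -notmatch '^(Default Web Site|Exchange Back End)/') { continue }

        $winAuth = $loc.SelectSingleNode('system.webServer/security/authentication/windowsAuthentication')
        if (-not $winAuth) { continue }   # no Windows-auth override in this location block

        $ep = $winAuth.SelectSingleNode('extendedProtection')
        $token = '(not set)'
        if ($ep -and $ep.HasAttribute('tokenChecking')) { $token = $ep.GetAttribute('tokenChecking') }

        [pscustomobject]@{
            Path          = $p
            TokenChecking = $token
            NeedsReview   = (@('None', '(not set)') -contains $token)
        }
    }
}

# Constructed sample: one directory set to Require, one left at None, one without the element.
$sample = [xml]@'
<configuration>
  <location path="Default Web Site/EWS">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true"><extendedProtection tokenChecking="Require" /></windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/owa">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true"><extendedProtection tokenChecking="None" /></windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Exchange Back End/Rpc">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>
'@

Get-ExtendedProtectionSetting -Config $sample | Format-Table -AutoSize
# On a real Exchange server:  Get-ExtendedProtectionSetting | Format-Table -AutoSize
```

The sample run lists owa (None) and Rpc (not set) as needing review and EWS as configured. Run the live check on every Exchange server in the organization, since EPA is set per server, and compare the results against Microsoft's published per-directory values before changing anything; enforcing Require on a directory that must stay at Allow breaks clients rather than attackers.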
CVE-2024-21413: Microsoft Outlook Remote Code Execution Vulnerability
Vulnerability type: Remote Code Execution
Affected product: Microsoft Outlook
CVSS v3 base score: 9.8
Severity rating: Critical
This vulnerability allows an attacker to bypass Office Protected View so that a specially crafted file opens in editing mode rather than protected mode, which is what makes code execution possible.
The CVSS v3 base score of 9.8 places it in the Critical tier, matching Microsoft's own rating. Successful exploitation could lead to malware execution, data exposure, or full compromise of the user's system.
The attack vector is a malicious email or attachment. Microsoft specifically lists the Outlook Preview Pane as an attack vector for this CVE, meaning that previewing a message can be enough to trigger exploitation, with no click on an attachment required.
Microsoft released several update packages for this bug; for Office 2016 in particular, multiple updates covering the 32-bit and 64-bit builds must all be installed before the vulnerability is fully mitigated. Verify the installed Office build rather than assuming a single package closed it.
Staff awareness training still helps against the email lures that deliver bugs like this one, but because the preview pane is a vector, training cannot substitute for the patch.
CVE-2024-21380: Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability
Vulnerability type: Information Disclosure
Affected product: Microsoft Dynamics Business Central/NAV
CVSS v3 base score: 8.0
Severity rating: Critical
This vulnerability allows an authenticated attacker to access data and applications belonging to other tenants of the multi-tenant Dynamics Business Central/NAV service.
Exploitation requires the attacker to convince a user to click a specially crafted URL and to win a race condition, so the attack is not trivial to carry out reliably.
The CVSS v3 base score of 8.0 falls in the "high" band of the CVSS scale, while Microsoft rates it Critical because of the cross-tenant data exposure it enables.
Authentication is required, but Dynamics holds business-critical data, so this is still a vulnerability to patch quickly: successful exploitation could expose sensitive customer information or permit unauthorized actions in another tenant.
CVE-2024-21357: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
Vulnerability type: Remote Code Execution
Affected product: Windows Pragmatic General Multicast (PGM)
CVSS v3 base score: 7.5
Severity rating: Critical
This remote code execution vulnerability is in Windows PGM, the reliable multicast transport protocol that delivers data to multiple receivers. PGM is installed alongside Message Queuing (MSMQ), and Microsoft's PGM advisories state that only systems with the Message Queuing service enabled are affected.
Microsoft rates it Critical even though the CVSS v3 base score is 7.5: exploitation is limited to an attacker on the same network segment or virtual network as the target and cannot be performed across a WAN.
Attack complexity is rated high because the attacker must take additional actions to prepare the target environment before exploitation. Unauthenticated remote code execution on a network service is still a high-priority fix, particularly on hosts where MSMQ is enabled.
Applying the February update for CVE-2024-21357 removes the flaw. Hosts without Message Queuing installed are not exposed, so an inventory of where MSMQ is enabled is a sensible way to order the rollout.
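Since exposure to the PGM bug above (and to the several MSMQ remote code execution and elevation of privilege bugs in this month's tables) depends on whether Message Queuing is present, the PowerShell below, added here as an example and not taken from the article, reports that state for a host: the MSMQ service, any enabled MSMQ optional features, the PGM driver file, and whether anything is listening on TCP 1801. The assumptions are that TCP 1801 is MSMQ's default listener port, that rmcast.sys is the PGM driver installed with MSMQ's multicast support, and that Get-WindowsOptionalFeature (which needs an elevated shell) is the feature inventory; Windows Server role names differ and are noted in a comment.

```powershell
# Added example (not from the article): report whether a host is exposed to the Windows
# PGM and MSMQ bugs in this release. Assumptions: MSMQ's default listener is TCP 1801,
# rmcast.sys is the PGM driver that ships with MSMQ multicast support, and the optional
# feature names start with "MSMQ" (on Windows Server, Get-WindowsFeature MSMQ* is the
# equivalent inventory). Run elevated so the feature query succeeds.

function Get-MsmqExposure {
    $svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue

    $features = @()
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $features = Get-WindowsOptionalFeature -Online -ErrorAction SilentlyContinue |
            Where-Object { $_.FeatureName -like 'MSMQ*' -and $_.State -eq 'Enabled' } |
            Select-Object -ExpandProperty FeatureName
    }

    $pgmDriver = Get-Item -Path "$env:windir\System32\drivers\rmcast.sys" -ErrorAction SilentlyContinue
    $listening = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue

    $svcState = 'not installed'
    if ($svc) { $svcState = [string]$svc.Status }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        MsmqService       = $svcState
        MsmqFeatures      = ($features -join ', ')
        PgmDriverPresent  = [bool]$pgmDriver
        Msmq1801Listening = [bool]$listening
        # Microsoft's PGM advisories scope exposure to hosts with Message Queuing enabled,
        # so a running MSMQ service is the deciding signal; the other columns are context.
        Exposed           = [bool]($svc -and $svc.Status -eq 'Running')
    }
}

Get-MsmqExposure | Format-List
```

Hosts reporting Exposed = True go to the front of the PGM/MSMQ patch queue; hosts where the service exists but is stopped and nothing listens on 1801 are candidates for removing the feature altogether, which closes this whole class of bugs rather than one CVE.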
CVE-2024-20684: Windows Hyper-V Denial of Service Vulnerability
Vulnerability type: Denial of Service
Affected product: Windows Hyper-V
CVSS v3 base score: 6.5
Severity rating: Critical
This denial-of-service (DoS) vulnerability is in Windows Hyper-V, the hypervisor-based virtualization platform built into Windows.
It allows code running in a guest virtual machine to disrupt the Hyper-V host. The CVSS score is only 6.5 and the attack vector is local (the attacker must already run code inside a guest), but a successful attack disrupts the host and, with it, every virtualized workload it runs.
Microsoft rates it Critical, presumably because a guest-to-host denial of service breaks the isolation boundary that shared virtualization infrastructure depends on; the practical exposure is any host that runs guests whose contents the operator does not fully control.
Applying Microsoft's patch for CVE-2024-20684 prevents a guest from crashing or disabling the Hyper-V host and the services that depend on it.
Microsoft's 73 February fixes break down by vulnerability class as follows:
Remote Code Execution: 31
Elevation of Privilege: 16
Information Disclosure: 5
Security Feature Bypass: 3
Denial of Service: 9
Spoofing: 10
(These category counts sum to 74, one more than the stated total of 73, so treat the split as approximate.)
Remote code execution again dominates, at roughly 41% of the month's fixes. Most of these are rated Important rather than Critical, but a working exploit for any of them gives the attacker arbitrary code execution on the target.
Elevation of privilege is second at about 22%. These let an attacker who already has a foothold raise the rights of a compromised account or process to reach further objectives.
Spoofing (about 14%), denial of service, and information disclosure bugs are less frequent but are routinely chained with other flaws, so they also need patching.
Prioritize by exposure and business impact: the exploited zero-days and the Critical bugs on internet-facing or identity-bearing systems first, then the bulk of the Important-rated fixes.
The complete list of vulnerabilities patched in February 2024, grouped by product, follows.
Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Microsoft Entra Jira Single-Sign-On Plugin Elevation of Privilege Vulnerability | No | No | 9.8 |
| | Microsoft Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 9.3 |
| | Microsoft Azure Kubernetes Service Confidential Container Remote Code Execution Vulnerability | No | No | 9.0 |
| | Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability | No | No | 9.0 |
| | Azure Connected Machine Agent Elevation of Privilege Vulnerability | No | No | 7.3 |
| | Microsoft Azure Active Directory B2C Spoofing Vulnerability | No | No | 6.8 |
| | Azure Stack Hub Spoofing Vulnerability | No | No | 6.5 |
| | Microsoft Azure File Sync Elevation of Privilege Vulnerability | No | No | 5.3 |
Azure Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Azure DevOps Server Remote Code Execution Vulnerability | No | No | 7.5 |
Browser vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 8.3 |
| CVE-2024-1284 | Chromium: CVE-2024-1284 Use after free in Mojo | No | No | N/A |
| CVE-2024-1283 | Chromium: CVE-2024-1283 Heap buffer overflow in Skia | No | No | N/A |
| CVE-2024-1077 | Chromium: CVE-2024-1077 Use after free in Network | No | No | N/A |
| CVE-2024-1060 | Chromium: CVE-2024-1060 Use after free in Canvas | No | No | N/A |
| CVE-2024-1059 | Chromium: CVE-2024-1059 Use after free in WebRTC | No | No | N/A |
Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | .NET Denial of Service Vulnerability | No | No | 7.5 |
| | .NET Denial of Service Vulnerability | No | No | 7.5 |
ESU Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Windows OLE Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft ActiveX Data Objects Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Windows Printing Service Spoofing Vulnerability | No | No | 7.5 |
| CVE-2024-21357 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | No | No | 7.5 |
| | Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | 7.5 |
| | Internet Connection Sharing (ICS) Denial of Service Vulnerability | No | No | 7.5 |
| | Windows DNS Information Disclosure Vulnerability | No | No | 7.1 |
| | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.0 |
| | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability | No | No | 7.0 |
| | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability | No | No | 7.0 |
| | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability | No | No | 6.5 |
| | Windows Network Address Translation (NAT) Denial of Service Vulnerability | No | No | 5.9 |
| | Windows Network Address Translation (NAT) Denial of Service Vulnerability | No | No | 5.9 |
| | Windows Kernel Information Disclosure Vulnerability | No | No | 4.6 |
| CVE-2023-50387 | MITRE: CVE-2023-50387 DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers | No | No | N/A |
Exchange Server vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-21410 | Microsoft Exchange Server Elevation of Privilege Vulnerability | No | No | 9.8 |

The "Exploited?" value reflects the advisory as first published; Microsoft updated the CVE-2024-21410 advisory shortly after release to indicate that exploitation had been detected.
Microsoft Dynamics vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | No | No | 8.2 |
| CVE-2024-21380 | Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability | No | No | 8.0 |
| | Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability | No | No | 7.6 |
| | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | No | No | 7.6 |
| | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | No | No | 7.6 |
| | Dynamics 365 Sales Spoofing Vulnerability | No | No | 7.6 |
| | Dynamics 365 Sales Spoofing Vulnerability | No | No | 7.6 |
| | Dynamics 365 Field Service Spoofing Vulnerability | No | No | 7.6 |
Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability | No | No | 9.8 |
| | Microsoft Outlook Remote Code Execution Vulnerability | No | No | 8.0 |
| | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Office OneNote Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Outlook Elevation of Privilege Vulnerability | No | No | 7.1 |
| | Skype for Business Information Disclosure Vulnerability | No | No | 5.7 |
| | Microsoft Teams for Android Information Disclosure | No | No | 5.0 |
System Center vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Microsoft Defender for Endpoint Protection Elevation of Privilege Vulnerability | No | No | 7.8 |
Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Windows Kernel Elevation of Privilege Vulnerability | No | No | 8.8 |
| | Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-21412 | Internet Shortcut Files Security Feature Bypass Vulnerability | Yes | No | 8.1 |
| | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-21351 | Windows SmartScreen Security Feature Bypass Vulnerability | Yes | No | 7.6 |
| | Windows DNS Client Denial of Service Vulnerability | No | No | 7.5 |
| | Windows Kernel Remote Code Execution Vulnerability | No | No | 6.8 |
| CVE-2024-20684 | Windows Hyper-V Denial of Service Vulnerability | No | No | 6.5 |
| | Windows USB Generic Parent Driver Remote Code Execution Vulnerability | No | No | 6.4 |
| | Windows Kernel Security Feature Bypass Vulnerability | No | No | 5.5 |
| | Trusted Compute Base Elevation of Privilege Vulnerability | No | No | 4.1 |
Microsoft's February 2024 Patch Tuesday release addressed 73 vulnerabilities, headlined by fixes for two zero-days that were under active exploitation at release:
CVE-2024-21412 (Internet Shortcut Files Security Feature Bypass)
CVE-2024-21351 (Windows SmartScreen Security Feature Bypass)
Additional key vulnerabilities included:
CVE-2024-21410: Critical Exchange Server elevation of privilege bug. Microsoft updated the advisory shortly after release to indicate that it, too, was being exploited in the wild, and its fix only takes effect once Extended Protection for Authentication is enabled.
CVE-2024-21413: Critical remote code execution bug in Outlook, with the Preview Pane listed as an attack vector.
Further remote code execution and privilege escalation vulnerabilities, mostly rated Important, across Windows, Microsoft Office, Dynamics, Azure, and other products.
In total, 31 remote code execution bugs (two rated Critical, the rest Important) and 16 elevation of privilege flaws were addressed this month; information disclosure, spoofing, and denial of service issues made up the remainder.
A patch load of this size calls for an inventory-driven process: know which hosts run Exchange, MSMQ, Hyper-V, and Outlook, patch the exploited and Critical issues on those first, and verify the result (installed build, EPA state) rather than assuming a deployment succeeded. Prioritizing remediation by potential business impact remains the right frame.
We'll continue providing monthly Patch Tuesday analyses highlighting the security updates that need attention; follow thesecmaster.com to receive them.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.