
Microsoft distributes patches for 73 flaws, including two Windows zero-days.

Newsroom | Patch Tuesday / Vulnerability | February 14, 2024

As part of its Patch Tuesday updates for February 2024, Microsoft has made patches available to fix 73 security flaws across its software lineup, including two zero-days.

Five of the 73 vulnerabilities are classified as Critical, 65 as Important, and three as Moderate in severity. Since the January 2024 Patch Tuesday updates, the Chromium-based Edge browser has been updated to address 24 additional flaws.

The following two flaws are listed as being actively attacked at the time of release:

  • Windows SmartScreen Security Feature Bypass Vulnerability CVE-2024-21351 (CVSS score: 7.6)
  • Internet Shortcut Files Security Feature Bypass Vulnerability CVE-2024-21412 (CVSS score: 8.1)

Regarding CVE-2024-21351, Microsoft stated that the vulnerability “allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially result in some data exposure, lack of system availability, or both.”

An attacker may be able to run arbitrary code and get around SmartScreen protections by successfully exploiting the flaw. The threat actor must, however, send the user a malicious file and persuade them to open it in order for the attack to succeed.

Similarly, CVE-2024-21412 allows an unauthenticated attacker to get around displayed security checks by sending a specially crafted file to the target user.

The attacker would have no way to force a user to view the attacker-controlled content, though, Redmond noted. Instead, the attacker would need to persuade them to act by clicking on the file link.


CVE-2024-21351 is the second bypass bug found in SmartScreen after CVE-2023-36025 (CVSS score: 8.8), which the tech behemoth fixed in November 2023. Since then, numerous hacking groups have taken advantage of that flaw to spread Mispadu, Phemedrone Stealer, and DarkGate.

Trend Micro described an attack campaign by Water Hydra (also known as DarkCasino) that targeted financial market traders with a sophisticated zero-day attack chain using CVE-2024-21412, allowing the threat actors to get around SmartScreen checks.

Water Hydra, which was first discovered in 2021, has a history of using zero-day exploits, including CVE-2023-38831 (CVSS score: 7.8), to launch attacks on banks, cryptocurrency exchanges, trading platforms, gambling websites, and casinos in order to deliver the DarkMe trojan.

Late last year, Chinese cybersecurity company NSFOCUS reclassified the “economically motivated” hacking group as an entirely new advanced persistent threat (APT).

According to Trend Micro, “Water Hydra updated its infection chain in January 2024 by using CVE-2024-21412 to run a malicious Microsoft Installer File (.MSI), streamlining the DarkMe infection process.”
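A defender hunting for shortcut-based delivery of the kind Trend Micro describes can triage Internet Shortcut (.url) files by where they point. The following is an added example, not code from the article, Microsoft or Trend Micro; the heuristics, the `triage_shortcut` and `scan` names and the sample files are assumptions constructed for illustration, and a hit is a reason to review a file, not proof of exploitation.

```python
import configparser
from urllib.parse import urlparse

# Target types treated as risky (assumption; .msi is the type named in the article).
RISKY_EXT = (".msi", ".exe", ".cmd", ".bat", ".js", ".vbs")

# Constructed sample shortcut files (documentation addresses and domains only).
SAMPLES = {
    "docs.url": "[InternetShortcut]\nURL=https://example.com/docs\n",
    "local.url": "[InternetShortcut]\nURL=file:///C:/Users/Public/readme.txt\n",
    "update.url": "[InternetShortcut]\nURL=file://198.51.100.7/share/update.msi\n",
    "tool.url": "[internetshortcut]\nURL=https://downloads.example.com/tool.msi\n",
    "broken.url": "URL=https://example.com/\n",
}

def triage_shortcut(text):
    """Return the reasons a .url file deserves review; an empty list means none."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    try:
        parser.read_string(text)
    except configparser.Error:
        return ["not a parseable Internet Shortcut file"]
    # Match the section name case-insensitively.
    section = next((s for s in parser.sections()
                    if s.lower() == "internetshortcut"), None)
    if section is None:
        return ["no [InternetShortcut] section"]
    target = parser.get(section, "url", fallback="").strip()
    if not target:
        return ["no URL entry"]
    reasons = []
    parsed = urlparse(target)
    # file://host/... and \\host\share\... both resolve to another machine.
    if target.startswith("\\\\") or (parsed.scheme == "file" and parsed.netloc):
        reasons.append("target is a file on a remote host")
    if (parsed.path or target).lower().endswith(RISKY_EXT):
        reasons.append("target is an installer or script type")
    return reasons

def scan(files):
    """Map file name -> reasons, for flagged files only."""
    return {name: r for name, text in files.items() if (r := triage_shortcut(text))}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(name, "->", "; ".join(reasons))
```
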

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added both vulnerabilities to its list of Known Exploited Vulnerabilities (KEV), urging federal agencies to apply the updates by March 5, 2024.

Microsoft also fixed five Critical-severity flaws:

  • Windows Hyper-V Denial of Service Vulnerability CVE-2024-20684 (CVSS score: 6.5)
  • Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability CVE-2024-21357 (CVSS score: 7.5)
  • Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability CVE-2024-21380 (CVSS score: 8.0)
  • Microsoft Exchange Server Elevation of Privilege Vulnerability CVE-2024-21410 (CVSS score: 9.8)
  • Microsoft Outlook Remote Code Execution Vulnerability CVE-2024-2113 (CVSS score: 9.8)

According to Satnam Narang, senior staff research engineer at Tenable, “CVE-2024-21410 is an elevation of privilege vulnerability in Microsoft Exchange Server.” According to Microsoft, attackers are more likely to take advantage of this flaw.

A targeted user’s New Technology LAN Manager (NTLM) version 2 hash could be exposed if this vulnerability is exploited, and it could then be relayed to an exposed Exchange Server in a pass-the-hash attack, enabling the attacker to authenticate as the target user.


An attacker could take advantage of 15 remote code execution flaws in the Microsoft WDAC OLE DB provider for SQL Server by deceiving an authenticated user into using OLEDB to connect to a malicious SQL server.

A fix for CVE-2023-50387 (CVSS score: 7.5), a 24-year-old design flaw in the DNSSEC specification that can be abused to exhaust CPU resources and stall DNS resolvers, leading to denial of service (DoS), rounds out the patch release.

The National Research Center for Applied Cybersecurity ( ATHENE ) in Darmstadt has given the vulnerability the codename KeyTrap.

According to ATHENE, the researchers showed that a single DNS packet can exhaust the CPU and halt popular public DNS providers like Google Public DNS and Cloudflare. In fact, the widely used BIND 9 DNS implementation can be stalled for up to 16 hours.

Software patches from other vendors

Over the past few weeks, other vendors have also made security updates available to fix a number of vulnerabilities, including:
