
On Patch Tuesday, Microsoft released fixes for vulnerabilities detailed in 73 CVEs, including two zero-days that are being exploited in the wild.
The releases, on 13 February, also included patches for critical remote code execution flaws and a critical elevation of privilege flaw in Exchange.
Adam Barnett, lead software engineer at security outfit Rapid7, said six browser flaws had been disclosed separately earlier in the month.
Regarding the Patch Tuesday announcement, he said: "CVE-2024-21351 describes a security feature bypass vulnerability in Windows SmartScreen. Microsoft has already seen evidence of exploitation in the wild. Successful exploitation requires that the attacker convince the user to open a malicious file.
"Successful exploitation bypasses the SmartScreen user experience and potentially allows code injection into SmartScreen to achieve remote code execution. Of interest: other critical SmartScreen bypass vulnerabilities from the past couple of years (e.g. CVE-2023-36025 from November 2023) have not included language describing code injection into SmartScreen itself, focusing instead on the security feature bypass only. Microsoft’s own researchers reported both CVE-2024-21351 and CVE-2023-36025."
Barnett said Microsoft Office typically shielded users from a variety of attacks by opening files with Mark of the Web in Protected View, which meant Office would render the document without fetching potentially malicious external resources.
"CVE-2024-21413 is a critical RCE vulnerability in Office which allows an attacker to cause a file to open in editing mode as though the user had agreed to trust the file," he said. "The Outlook Preview Pane is listed as an attack vector, and no user interaction is required.
"Microsoft assesses this vulnerability at a critical CVSSv3 base score of 9.8, as well as critical under their own proprietary severity ranking scale. Administrators responsible for Office 2016 installations who apply patches outside of Microsoft Update should note that the advisory lists no fewer than five separate patches which must be installed to achieve remediation; individual update KB articles further note that partially-patched Office installations will be blocked from starting until the correct combination of patches has been installed."
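Protected View is keyed off the Mark of the Web, which on NTFS is the `Zone.Identifier` alternate data stream that browsers and mail clients write on downloaded files. The following PowerShell is an added example, not code from the article or from Rapid7, that reads that stream for every file in a folder so an administrator can see which documents would have been opened in Protected View; the function name `Get-MarkOfTheWeb` and the sample path are this example's own choices.

```powershell
# Added example (not from the article): list files that carry Mark of the Web by
# reading the NTFS Zone.Identifier alternate data stream. Function name is this
# example's own; it is not a built-in cmdlet.
function Get-MarkOfTheWeb {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse:$Recurse | ForEach-Object {
        $file = $_
        # Files that were never tagged simply have no stream; suppress the error.
        $raw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if (-not $raw) { return }

        # The stream is a small INI fragment:
        #   [ZoneTransfer]
        #   ZoneId=3
        #   ReferrerUrl=https://...
        #   HostUrl=https://...
        $fields = @{}
        foreach ($line in $raw) {
            if ($line -match '^(?<k>[^=\[]+)=(?<v>.*)$') { $fields[$Matches.k] = $Matches.v }
        }

        $zoneId = -1
        if ($fields.ContainsKey('ZoneId')) { $zoneId = [int]$fields['ZoneId'] }
        $zoneName = switch ($zoneId) {
            0       { 'LocalMachine' }
            1       { 'LocalIntranet' }
            2       { 'TrustedSites' }
            3       { 'Internet' }
            4       { 'RestrictedSites' }
            default { 'Unknown' }
        }

        [pscustomobject]@{
            File        = $file.FullName
            ZoneId      = $zoneId
            Zone        = $zoneName
            ReferrerUrl = $fields['ReferrerUrl']
            HostUrl     = $fields['HostUrl']
            # Office's default Protected View rule targets the Internet and
            # Restricted Sites zones (3 and 4).
            ProtectedViewCandidate = ($zoneId -ge 3)
        }
    }
}

# Usage (constructed): report tagged files in the current user's Downloads folder.
Get-MarkOfTheWeb -Path "$env:USERPROFILE\Downloads" -Recurse | Format-Table -AutoSize
```

The same stream is what `Unblock-File` deletes, so a file that has been "unblocked" by a user shows up here with no entry at all; and because the check runs per file, it applies equally to Office documents and to other downloaded file types.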
Another CVE patched in February was CVE-2024-21357. Barnett said this was a flaw in Windows Pragmatic General Multicast (PGM).
"Although the CVSSv3 base score is a relatively mild 7.5 thanks to the high attack complexity and the same-subnet limitation of the attack, Microsoft rates this vulnerability as critical under its own proprietary severity scale," he elaborated.
"A discrepancy between the two severity ranking systems is always worth noting. A further clue that Microsoft considers this vulnerability particularly serious: patches are available for Windows Server 2008, which is now completely end of life. The advisory is light on detail when it comes to exploitation methods; other recent critical RCE vulnerabilities in Windows PGM have involved Microsoft Message Queuing Service."
Barnett said while Exchange admins had enjoyed a rare two-month break from patching, February saw the publication of CVE-2024-21410, a critical elevation of privilege vulnerability in Exchange.
"Microsoft explains that an attacker could use NTLM credentials previously acquired via another means to act as the victim on the Exchange server using an NTLM relay attack," he explained.
"One possible avenue for that credential acquisition: an NTLM credential-leaking vulnerability in Outlook such as CVE-2023-36761, which Rapid7 wrote about back in September 2023.
"Compounding the concern for defenders: Exchange 2016 is listed as affected, but no patch is yet listed on the CVE-2024-21410 advisory. Exchange 2019 patches are available for CU13 and the newly minted CU14 series.
"According to Microsoft, Exchange installations where Extended Protection for Authentication is already enabled are protected, although Microsoft strongly recommends installing the latest Cumulative Update.
"Further resources are provided in the advisory, including Microsoft’s generic guidance on mitigating Pass the Hash-style attacks, as well as Microsoft’s Exchange Server Health Checker script, which includes an overview of EPA status. The Exchange 2019 CU14 update series enables EPA by default."
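Extended Protection for Authentication is an IIS setting on each Exchange virtual directory, so its status can be read directly from the IIS configuration rather than only through the Health Checker script. The PowerShell below is an added example, not code from the article, from Rapid7 or from Microsoft's Health Checker; it assumes the default IIS site names `Default Web Site` and `Exchange Back End`, and the function name `Get-ExchangeExtendedProtectionStatus` is this example's own.

```powershell
# Added example (not from the article or from Microsoft's Health Checker):
# read the IIS Extended Protection setting of every Exchange virtual directory
# on the local server. Run in an elevated PowerShell on the Exchange server.
Import-Module WebAdministration

function Get-ExchangeExtendedProtectionStatus {
    [CmdletBinding()]
    param(
        # Default Exchange front-end and back-end IIS site names (assumption).
        [string[]] $Sites = @('Default Web Site', 'Exchange Back End')
    )

    $winAuthFilter = 'system.webServer/security/authentication/windowsAuthentication'
    $epFilter      = "$winAuthFilter/extendedProtection"

    foreach ($site in $Sites) {
        $apps = Get-WebApplication -Site $site -ErrorAction SilentlyContinue
        if (-not $apps) { Write-Warning "IIS site '$site' not found"; continue }

        foreach ($app in $apps) {
            $vdir   = $app.path.TrimStart('/')
            $psPath = "IIS:\Sites\$site\$vdir"

            $winAuth = Get-WebConfiguration -Filter $winAuthFilter -PSPath $psPath
            $ep      = Get-WebConfiguration -Filter $epFilter      -PSPath $psPath

            [pscustomobject]@{
                Site             = $site
                VirtualDirectory = $vdir
                WindowsAuth      = [bool]$winAuth.enabled
                # tokenChecking: None (off), Allow (accepts clients that send no
                # channel binding token), Require (enforced).
                TokenChecking    = [string]$ep.tokenChecking
                Flags            = [string]$ep.flags
                # Only Require actually defeats a relayed NTLM authentication.
                Enforced         = ([string]$ep.tokenChecking -eq 'Require')
            }
        }
    }
}

# Usage: show the directories still accepting NTLM without channel binding.
Get-ExchangeExtendedProtectionStatus |
    Sort-Object Site, VirtualDirectory |
    Format-Table Site, VirtualDirectory, WindowsAuth, TokenChecking, Flags, Enforced -AutoSize
```

Treat the `Enforced` column as a triage view rather than a verdict: Microsoft's Extended Protection guidance deliberately leaves some directories at `Allow` for client compatibility, and it also depends on matching TLS settings across front end and back end, which is why the article points to the Health Checker script as the authoritative check before and after installing the update.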
Mike Walters, president and co-founder of risk-based patch management software vendor Action1, said another flaw patched in February was a newly discovered zero-day vulnerability in Microsoft Windows 10 and later, as well as Microsoft Windows Server 2008 and later.
"This involves a Security Feature Bypass related to Internet Shortcut Files, identified as CVE-2024-21412. This vulnerability holds an 'important' impact rating, with a severity score of 8.1 on the CVSS scale," he noted. "Characterised by low complexity, it does not demand any special privileges to exploit but does require user interaction to be successful.
"In the exploitation scenario, an attacker must send a specifically crafted file to a target user and persuade them to open it, since the attacker cannot compel the user to engage with the malicious content directly.
"Despite the vulnerability not being publicly disclosed, it has been found to be exploitable. It is crucial for organizations to implement the official patches and updates released by Microsoft to address this vulnerability effectively.