February 2024 Patch Tuesday
Microsoft Resolves 73 Unique CVEs on Patch Tuesday
This Patch Tuesday, Microsoft has resolved 73 new unique CVEs, two of which are confirmed to be exploited, five of which are rated as critical.
In addition, seven CVEs have been reissued, one of which dates back to 2021 and was publicly disclosed and exploited on original release. The reissue is information only, but worth giving a second look to be sure you are covered.
Microsoft updates this month impact the Windows OS, Office 365, Edge, Windows Defender, Sharepoint, SQL Server, Exchange Server, .Net (reissued), multiple Azure components and a few odds and ends.
Microsoft Zero-days
Three CVEs issued or reissued this month had confirmed exploits in the wild. Starting with the reissue:
- Microsoft reissued a spoofing vulnerability in Windows AppX Installer (CVE-2021-43890). The reissue is information only this month, but if you look at the update from Dec. 27, 2023, you can see Microsoft is still receiving reports and increased activity leveraging phishing techniques to convince users to download and install malicious installers. It is recommended to review the mitigations and workarounds for this vulnerability in addition to the App Installer update.
- Microsoft has resolved a Security Feature Bypass vulnerability in Internet Shortcut Files (CVE-2024-21412) which could allow an attacker to target a user with a specially crafted file designed to bypass security checks. The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 8.1 — but it has been confirmed exploited in the wild, so this should be treated as a critical priority. The vulnerability affects all versions of the Windows OS.
- Microsoft has resolved a Security Feature Bypass vulnerability in Windows SmartScreen (CVE-2024-21351) that could allow an attacker to send a malicious file to a user that can bypass the mark of the web zone identifier and bypass SmartScreen security measures. The vulnerability has a CVSS v3.1 base score of 7.6, and Microsoft has rated the vulnerability as moderate even though the vulnerability is confirmed to be exploited. It is recommended to treat this vulnerability as a Critical priority due to the risk of exploit. The vulnerability affects all versions of the Windows OS.
Additional updates
- Microsoft has resolved an Elevation of Privilege vulnerability in Exchange Server (CVE-2024-21410) that could allow an attacker to gain SYSTEM privileges. The vulnerability is rated critical and has a CVSS v3.1 base score of 9.8. If you have previously enabled NTLM credentials Relay Protections you have mitigated much of the risk of this type of vulnerability, but Microsoft recommends updating to fully resolve the CVE. If you have not installed the more recent CU or turned on the Extended Protection for Authentication, this is more urgent. If you have enabled the authentication features, the risk is reduced and this update can work its way through your normal update process.
- Microsoft has resolved a Remote Code Execution vulnerability (CVE-2024-21357) that could let an attacker exploit code in the same network segment or an adjacent one. There are steps the attacker would need to take in preparation. The CVE has been rated critical, has a CVSS v3.1 base score of 7.5 and affects the Windows OS.
- Microsoft has resolved a Denial of Service vulnerability in Windows Hyper-V (CVE-2024-20684) that could allow an attacker to affect the functionality of the Hyper-V host from a Hyper-V guest. The CVE is rated as critical and has a CVSS v3.1 base score of 6.5. The CVE affects Windows 11 and Server 2022.
- Microsoft has resolved a Remote Code Execution vulnerability in Microsoft Outlook (CVE-2024-21413) that could let an attacker bypass the Office Protected View and trigger a malicious file to open in editing mode. The CVE is rated as critical and has a CVSS v3.1 base score of 9.8. The vulnerability exists in Office 2016 and 2019, Office LTSC 2021 and 365 Apps for Enterprise. The danger of this CVE is increased by allowing the preview pane to be an attack vector; in addition to RCE, an attacker could also gain access to local NTLM credential information on the exploited system.
Ivanti Connect Secure, Policy Secure and ZTA Gateway update
Ivanti has patches for five CVEs affecting their Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways. Three of these vulnerabilities have been exploited in the wild, and Ivanti is encouraging customers to patch immediately.
Additional information can be found in the Ivanti blog post from Feb. 8 and in an update from CISA recommending the actions organizations should be taking released on Feb. 9
Third-party updates
Adobe has released six updates including an APSB24-07 for Adobe Acrobat and Reader. The Acrobat and Reader update resolves 13 CVEs, including three critical CVEs, and is the most urgent of the Adobe updates released.
Update priorities
- Microsoft Windows is the priority this month. While all updates released by Microsoft were rated critical, the OS update resolves the Zero-day vulnerabilities and reduces the immediate risks.
- Review the spoofing vulnerability in Windows AppX Installer (CVE-2021-43890) to ensure you have the mitigations in place, as there is still threat actor activity targeting this vulnerability.
- While the Microsoft Office vulnerability is not as urgent as the OS this month, you don’t want to let this one sit. It might be an enticing target for threat actors to develop an exploit.
- Organizations running Exchange Server should verify they have turned on Extended Protection for Authentication and ensure the Exchange Server update this month gets deployed in a reasonable timeframe.