Microsoft’s scheduled Patch Tuesday security update for February includes fixes for two zero-day security vulnerabilities under active attack, plus 71 other flaws across a wide range of its products.
In all, five of the vulnerabilities for which Microsoft issued a February patch were rated as critical, 66 as important, and two as moderate.
The update includes patches for Microsoft Office, Windows, Microsoft Exchange Server, the company’s Chromium-based Edge browser, Azure Active Directory, Microsoft Defender for Endpoint, and Skype for Business. Tenable identified 30 of the 73 CVEs as remote code execution (RCE) vulnerabilities; 16 as enabling privilege escalation; 10 as tied to spoofing errors; nine as enabling distributed denial-of-service attacks; five as information disclosure flaws; and three as security bypass issues.
Water Hydra Exploits Zero-Days Targeting Financial Traders
A threat actor dubbed Water Hydra (aka Dark Casino) is currently leveraging one of the zero-day vulnerabilities — an Internet Shortcut Files security feature bypass vulnerability tracked as CVE-2024-21412 (CVSS 8.1) — in a malicious campaign targeting organizations in the financial sector.
Researchers at Trend Micro — among several who discovered and reported the flaw to Microsoft — described it as tied to a bypass of a previously patched SmartScreen vulnerability (CVE-2023-36025, CVSS 8.8) and affecting all supported Windows versions. Water Hydra actors are using CVE-2024-21412 to gain initial access to systems belonging to financial traders and drop the DarkMe remote access Trojan on them.
To exploit the vulnerability, an attacker would first need to deliver a malicious file to a targeted user and get them to open it, said Saeed Abbasi, manager of vulnerability research at Qualys, in emailed commentary. “The impact of this vulnerability is profound, compromising security and undermining trust in protective mechanisms like SmartScreen,” Abbasi said.
SmartScreen Bypass Zero-Day
The other zero-day that Microsoft disclosed in this month’s security update affects Defender SmartScreen. According to Microsoft, CVE-2024-21351 is a medium-severity bug that allows an attacker to bypass SmartScreen protections and inject code into it to potentially gain remote code execution capabilities. A successful exploit could lead to limited data exposure, systems availability issues, or both, Microsoft said. No details are available on who exactly might be exploiting the bug and for what purpose.
In prepared comments for Dark Reading, Mike Walters, president and co-founder of Action1, said the vulnerability is tied to the manner in which Microsoft’s Mark of the Web (a feature for identifying untrusted content from the Internet) interacts with the SmartScreen feature. “For this vulnerability, an attacker must distribute a malicious file to a user and persuade them to open it, allowing them to bypass the SmartScreen checks and potentially compromise the system’s security,” Walters said.
High-Priority Bugs
Among the five critical vulnerabilities in the February update, the one that requires priority attention is CVE-2024-21410, a privilege escalation vulnerability in Exchange Server, a favorite target for attackers. An attacker could use the bug to disclose a targeted user’s Net-New Technology LAN Manager (NTLM) version 2 hash and then relay that credential against an affected Exchange Server and authenticate to it as the user.
Flaws like this that disclose sensitive information like NTLM hashes can be very valuable to attackers, said Satnam Narang, senior staff research engineer at Tenable, in a statement. “A Russian-based threat actor leveraged a similar vulnerability to carry out attacks — CVE-2023-23397 is an Elevation of Privilege vulnerability in Microsoft Outlook patched in March 2023,” he said.
To patch the flaw, Exchange admins will need to ensure they have installed the Exchange Server 2019 Cumulative Update 14 (CU14) update and ensure the Extended Protection for Authentication (EPA) feature is enabled, Trend Micro said. The security vendor pointed to an article that Microsoft has published that provides more information on how to patch the vulnerability.
Microsoft has assigned CVE-2024-21410 a maximum severity rating of 9.1 out of 10, which makes it a critical vulnerability. But typically privilege escalation vulnerabilities tend to score relatively low on the CVSS vulnerability rating scale, which belies the true nature of the threat they present, said Kev Breen, senior director of threat research at Immersive Labs. “Despite their low score, [privilege escalation] vulnerabilities are highly sought after by threat actors and used in almost every cyber incident,” Breen said in a statement. “Once an attacker has access to a user account through social engineering or some other attack, they will next seek to escalate their permissions either to local admin or domain admin.”
Walters from Action1 highlighted CVE-2024-21413, an RCE flaw in Microsoft Outlook, as a vulnerability that administrators might want to prioritize from February’s batch. The critical severity flaw with a near maximum severity score of 9.8 involves low attack complexity, no user interaction, and no special privileges required for an attacker to exploit it. “An attacker can exploit this vulnerability via the preview pane in Outlook, allowing them to bypass Office Protected View and force files to open in edit mode, rather than in the safer protected mode,” Walters said.
Microsoft itself identified the vulnerability as something that attackers are less likely to attack. Nevertheless, Walters said the vulnerability poses a substantial threat for organizations and requires prompt attention.