Microsoft has launched patches to handle 73 safety flaws spanning its software program lineup as a part of its Patch Tuesday updates for February 2024, together with two zero-days which have come below lively exploitation.
Of the 73 vulnerabilities, 5 are rated Essential, 65 are rated Essential, and three and rated Average in severity. That is along with 24 flaws which were mounted within the Chromium-based Edge browser for the reason that launch of the January 2024 Patch Tuesday updates.
The 2 flaws which might be listed as below lively assault on the time of launch are beneath –
- CVE-2024-21351 (CVSS rating: 7.6) – Home windows SmartScreen Safety Function Bypass Vulnerability
- CVE-2024-21412 (CVSS rating: 8.1) – Web Shortcut Recordsdata Safety Function Bypass Vulnerability
“The vulnerability permits a malicious actor to inject code into SmartScreen and probably acquire code execution, which may probably result in some information publicity, lack of system availability, or each,” Microsoft stated about CVE-2024-21351.
Profitable exploitation of the flaw may enable an attacker to avoid SmartScreen protections and run arbitrary code. Nonetheless, for the assault to work, the menace actor should ship the person a malicious file and persuade the person to open it.
CVE-2024-21412, in the same method, permits an unauthenticated attacker to bypass displayed safety checks by sending a specifically crafted file to a focused person.
“Nonetheless, the attacker would don’t have any option to pressure a person to view the attacker-controlled content material.” Redmond famous. “As an alternative, the attacker must persuade them to take motion by clicking on the file hyperlink.”
CVE-2024-21351 is the second bypass bug to be found in SmartScreen after CVE-2023-36025 (CVSS rating: 8.8), which was plugged by the tech large in November 2023. The flaw has since been exploited by a number of hacking teams to proliferate DarkGate, Phemedrone Stealer, and Mispadu.
Pattern Micro, which detailed an assault marketing campaign undertaken by Water Hydra (aka DarkCasino) concentrating on monetary market merchants by the use of a complicated zero-day assault chain leveraging CVE-2024-21412, described CVE-2024-21412 as a bypass for CVE-2023-36025, thereby enabling menace actors to evade SmartScreen checks.
Water Hydra, first detected in 2021, has a monitor document of launching assaults in opposition to banks, cryptocurrency platforms, buying and selling companies, playing websites, and casinos to ship a trojan referred to as DarkMe utilizing zero-day exploits, together with the WinRAR flaw that got here to mild in August 2023 (CVE-2023-38831, CVSS rating: 7.8).
Late final 12 months, Chinese language cybersecurity firm NSFOCUS graduated the “economically motivated” hacking group to a completely new superior persistent menace (APT).
“In January 2024, Water Hydra up to date its an infection chain exploiting CVE-2024-21412 to execute a malicious Microsoft Installer File (.MSI), streamlining the DarkMe an infection course of,” Pattern Micro stated.
Each vulnerabilities have since been added to the Recognized Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Safety Company (CISA), urging federal businesses to use the most recent updates by March 5, 2024.
Additionally patched by Microsoft are 5 important flaws –
- CVE-2024-20684 (CVSS rating: 6.5) – Home windows Hyper-V Denial of Service Vulnerability
- CVE-2024-21357 (CVSS rating: 7.5) – Home windows Pragmatic Common Multicast (PGM) Distant Code Execution Vulnerability
- CVE-2024-21380 (CVSS rating: 8.0) – Microsoft Dynamics Enterprise Central/NAV Info Disclosure Vulnerability
- CVE-2024-21410 (CVSS rating: 9.8) – Microsoft Alternate Server Elevation of Privilege Vulnerability
- CVE-2024-21413 (CVSS rating: 9.8) – Microsoft Outlook Distant Code Execution Vulnerability
“CVE-2024-21410 is an elevation of privilege vulnerability in Microsoft Alternate Server,” Satnam Narang, senior employees analysis engineer at Tenable, stated in an announcement. “This flaw is extra more likely to be exploited by attackers in line with Microsoft.”
“Exploiting this vulnerability may outcome within the disclosure of a focused person’s Internet-New Expertise LAN Supervisor (NTLM) model 2 hash, which may very well be relayed again to a susceptible Alternate Server in an NTLM relay or pass-the-hash assault, which might enable the attacker to authenticate because the focused person.”
The safety replace additional resolves 15 distant code execution flaws in Microsoft WDAC OLE DB supplier for SQL Server that an attacker may exploit by tricking an authenticated person into making an attempt to hook up with a malicious SQL server through OLEDB.
Rounding off the patch is a repair for CVE-2023-50387 (CVSS rating: 7.5), a 24-year-old design flaw within the DNSSEC specification that may be abused to exhaust CPU sources and stall DNS resolvers, leading to a denial-of-service (DoS).
The vulnerability has been codenamed KeyTrap by the Nationwide Analysis Heart for Utilized Cybersecurity (ATHENE) in Darmstadt.
“[The researchers] demonstrated that simply with a single DNS packet the assault can exhaust the CPU and stall all extensively used DNS implementations and public DNS suppliers, equivalent to Google Public DNS and Cloudflare,” ATHENE stated. “In actual fact, the favored BIND 9 DNS implementation could be stalled for so long as 16 hours.”
Software program Patches from Different Distributors
Along with Microsoft, safety updates have additionally been launched by different distributors over the previous few weeks to rectify a number of vulnerabilities, together with —
