February 2024 Patch Tuesday: Microsoft Patches 73 Flaws; 2 0Days

Microsoft has released patches to fix 73 flaws across its product suite on February 2024 Patch Tuesday, including two zero-day bugs that are being actively exploited in the wild. Five of the vulnerabilities are rated critical, 65 are rated important, and three are rated moderate severity. Microsoft releases patches for its Chromium-based Edge browser separately and has issued 24 patches to fix vulnerabilities since January 2024 Patch Tuesday.

The two zero-day vulnerabilities are both security feature bypass flaws. CVE-2024-21412 is an Internet Shortcut File issue that is rated important with a CVSS score of 8.1. The flaw can be exploited by sending a user a specially crafted file that bypasses Mark of the Web warnings in Windows and then tricking them into opening the file. No exploit code is thought to have been released but the bug is being exploited by at least one threat actor – DarkCasino (Water Hydra) – in a campaign that targets financial traders.

The other zero-day flaw is a security feature bypass vulnerability in Windows SmartScreen. The flaw is tracked as CVE-2024-21351 and allows an attacker to bypass Windows SmartScreen security checks. The vulnerability is known to have been exploited in the wild, although it is only rated moderate severity with a CVSS score of 7.6 as user interaction is required to exploit the vulnerability. An attacker could exploit the flaw by sending a specially crafted file to a user and tricking them into opening it. Microsoft has not disclosed any information about the threat actor or threat actors that are exploiting the flaw.

The five patched critical flaws include two that have a CVSS severity score of 9.8. The first is tracked as CVE-2024-21410 and is a Microsoft Exchange Server elevation of privilege vulnerability. Successful exploitation of the flaw would result in the disclosure of a targeted user’s New Technology LAN Manager (NTLM) version 2 hash, which could be relayed back to a vulnerable Exchange Server in an NTLM relay or pass-the-hash attack, allowing the attacker to authenticate as the targeted user. The other 9.8 severity flaw is tracked as CVE-2024-21413 and is a Microsoft Outlook remote code execution vulnerability. An attacker could cause a file to open in editing mode as though the user had agreed to trust the file. The vulnerability requires no user interaction as the flaw could be exploited via the Outlook Preview Pane. Both of these flaws are likely to be exploited in attacks, although there have been no known cases at the time of the release of the patches.

The other flaws that Microsoft rates critical are a Microsoft Dynamics Business Central/NAV information disclosure vulnerability tracked as CVE-2024-21380 (CVSS 8.0); a Windows Hyper-V denial of service vulnerability tracked as CVE-2024-20684 (CVSS 6.5); and a Windows Pragmatic General Multicast (PGM) remote code execution vulnerability tracked as CVE-2024-21357 (CVSS 7.5).

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news