Microsoft has released patches for 73 security flaws across its range of software as part of the February 2024 Patch Tuesday updates, including two zero-days that were being actively exploited.
Of the 73 vulnerabilities, five are rated critical, 65 are rated important, and three are rated moderate in severity. This is in addition to the 24 flaws fixed in the Chromium-based Edge browser since the release of the Patch Tuesday updates on January 24.
What flaws does Microsoft fix?
The two flaws listed as under active attack at the time of release are the following:
- CVE-2024-21351 (CVSS score: 7.6) – Windows SmartScreen security feature bypass vulnerability
- CVE-2024-21412 (CVSS score: 8.1) – Internet Shortcut Files security feature bypass vulnerability
“The vulnerability allows a malicious attacker to inject code into SmartScreen and potentially get code execution, which could lead to some data exposure, lack of system availability, or both,” Microsoft said regarding CVE-2024-21351.
Successful exploitation of the flaw could allow an attacker to bypass SmartScreen protections and execute arbitrary code; however, for the attack to work, the cybercriminal must send the user a malicious file and convince them to open it.
CVE-2024-21412, similarly, allows an unauthenticated attacker to bypass displayed security controls by sending a specially crafted file to a targeted user.
“However, the attacker would have no way to force a user to view the attacker-controlled content,” Redmond announced. “Instead, the attacker would have to convince them to take action by clicking on the file link.”
CVE-2024-21351 is the second bypass vulnerability discovered in SmartScreen after CVE-2023-36025 (CVSS score: 8.8), which was corrected by the tech giant in November 2023; the flaw was subsequently exploited by several hacking groups to spread DarkGate, Phemedrone Stealer and Mispadu.
Trend Micro, which detailed an attack campaign conducted by Water Hydra (also known as DarkCasino) targeting financial market participants with a sophisticated zero-day attack chain leveraging CVE-2024-21412, described CVE-2024-21412 as a bypass for CVE-2023-36025, allowing cybercriminals to evade SmartScreen controls.
Water Hydra, first spotted in 2021, has a “habit” of launching attacks against banks, cryptocurrency platforms, trading services, gambling sites and casinos to deliver a trojan called DarkMe using zero-day exploits, including the WinRAR flaw that surfaced in August 2023 (CVE-2023-38831, CVSS score: 7.8).
Late last year, Chinese cybersecurity firm NSFOCUS elevated the “economically motivated” hacking group to the status of an entirely new Advanced Persistent Threat (APT).
“In January 2024, Water Hydra updated its infection chain by leveraging CVE-2024-21412 to execute a malicious Microsoft Installer (.MSI) file, simplifying the DarkMe infection process,” Trend Micro said.
Both vulnerabilities were later added to the Known Exploited Vulnerabilities (KEV) catalog of the United States Cybersecurity and Infrastructure Security Agency (CISA), which urges federal agencies to apply the latest updates by March 5, 2024.
Microsoft has also fixed five critical flaws:
- CVE-2024-20684 (CVSS score: 6.5) – Windows Hyper-V denial of service vulnerability
- CVE-2024-21357 (CVSS score: 7.5) – Windows Pragmatic General Multicast (PGM) remote code execution vulnerability
- CVE-2024-21380 (CVSS score: 8.0) – Microsoft Dynamics Business Central/NAV information disclosure vulnerability
- CVE-2024-21410 (CVSS score: 9.8) – Microsoft Exchange Server elevation of privilege vulnerability
- CVE-2024-21413 (CVSS score: 9.8) – Microsoft Outlook remote code execution vulnerability
“CVE-2024-21410 is an elevation of privilege vulnerability in Microsoft Exchange Server,” said Satnam Narang, senior research engineer at Tenable. “According to Microsoft, this flaw is more likely to be exploited by attackers.”
“Use of this vulnerability could result in disclosure of a targeted user's NTLM version 2 hash, which could be transmitted to a vulnerable Exchange server in an NTLM relay or pass-the-hash attack, allowing the attacker to authenticate as the targeted user.”
The security update also resolves 15 remote code execution flaws in the Microsoft WDAC OLE DB provider for SQL Server, which an attacker could exploit by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB.
Rounding out the package is a fix for CVE-2023-50387 (CVSS score: 7.5), a 24-year-old design flaw in the DNSSEC specification that can be abused to exhaust CPU resources and block DNS resolvers, causing a denial of service (DoS).
The vulnerability was named KeyTrap by the National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt.
“[The researchers] have shown that with a single DNS packet the attack can exhaust the CPU and crash all widely used DNS implementations and public DNS providers, such as Google Public DNS and Cloudflare,” said ATHENE. “Effectively, the popular BIND 9 DNS implementation can be blocked for up to 16 hours.”
Software patches from other vendors
In addition to Microsoft, other vendors have also released security updates in recent weeks to fix several vulnerabilities, among which: