Microsoft's scheduled Patch Tuesday security update for February includes fixes for two zero-day security vulnerabilities under active attack, plus 71 other flaws across a wide range of its products.
In all, five of the vulnerabilities for which Microsoft issued a February patch were rated as critical, 66 as important, and two as moderate.
The update includes patches for Microsoft Office, Windows, Microsoft Exchange Server, the company's Chromium-based Edge browser, Azure Active Directory, Microsoft Defender for Endpoint, and Skype for Business.
Tenable identified 30 of the 73 CVEs as remote code execution vulnerabilities; 16 as enabling privilege escalation; 10 as tied to spoofing errors; nine as enabling distributed denial-of-service attacks; five as information disclosure flaws; and three as security bypass issues.
Water Hydra Exploits Zero-Days Targeting Financial Traders
A threat actor dubbed Water Hydra is currently leveraging one of the zero-day vulnerabilities - an Internet Shortcut Files security feature bypass vulnerability tracked as CVE-2024-21412 - in a malicious campaign targeting organizations in the financial sector.
Researchers at Trend Micro - among several who discovered and reported the flaw to Microsoft - described it as tied to a bypass of a previously patched SmartScreen vulnerability and affecting all supported Windows versions.
To exploit the vulnerability, an attacker would first need to deliver a malicious file to a targeted user and get them to open it, said Saeed Abbasi, manager of vulnerability research at Qualys, in emailed commentary.
SmartScreen Bypass Zero-Day
The other zero-day that Microsoft disclosed in this month's security update affects Defender SmartScreen.
According to Microsoft, CVE-2024-21351 is a medium-severity bug that allows an attacker to bypass SmartScreen protections and inject code into it to potentially gain remote code execution capabilities.
A successful exploit could lead to limited data exposure, systems availability issues, or both, Microsoft said.
In prepared comments for Dark Reading, Mike Walters, president and co-founder of Action1, said the vulnerability is tied to the manner in which Microsoft's Mark of the Web interacts with the SmartScreen feature.
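Both zero-days above concern how Windows records a file's origin (the Mark of the Web, stored in an NTFS Zone.Identifier alternate data stream) and how Internet Shortcut (.url) files are handled. As an added defensive example, not code from the article or from any vendor named in it, the following hypothetical triage helper reads that zone marker and flags downloaded .url files whose origin is an untrusted zone and whose target is a file share or local path rather than a web page. The sample shortcut and Zone.Identifier contents are constructed; the IP and host names are placeholders.

```python
# Added example (not from the Dark Reading article): defensive triage of downloaded
# Internet Shortcut (.url) files using the Mark of the Web (MotW) zone that Windows
# records in the file's Zone.Identifier alternate data stream. Sample inputs below are
# constructed in the real on-disk formats; the helper itself is hypothetical.
import configparser
from dataclasses import dataclass
from typing import Optional

# URLZONE values Windows writes to ZoneId=; 3 (Internet) and 4 (Restricted) are untrusted origins.
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Constructed samples: a .url file downloaded from the Internet zone pointing at a file share.
SAMPLE_URL_FILE = "[InternetShortcut]\r\nURL=file://198.51.100.7/share/report.pdf\r\n"
SAMPLE_ZONE_IDENTIFIER = "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/dl\r\n"

@dataclass
class UrlFileTriage:
    zone_id: int        # -1 when no Zone.Identifier stream was present
    target: str         # the URL= value of the shortcut
    referrer: str       # ReferrerUrl= from the MotW stream, if any
    suspicious: bool

def _parse_ini(text: str) -> configparser.ConfigParser:
    # Both .url files and Zone.Identifier streams are INI-style; keep key case as written.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def read_zone_identifier(path: str) -> Optional[str]:
    """On NTFS the MotW lives in the stream 'path:Zone.Identifier'; None if absent or not NTFS."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

def triage_url_file(url_file_text: str, zone_identifier_text: Optional[str]) -> UrlFileTriage:
    """Flag a .url file whose origin is untrusted (or unknown) and whose target is not a web page."""
    shortcut = _parse_ini(url_file_text)
    target = shortcut.get("InternetShortcut", "URL", fallback="")
    zone_id, referrer = -1, ""
    if zone_identifier_text:
        zt = _parse_ini(zone_identifier_text)
        zone_id = zt.getint("ZoneTransfer", "ZoneId", fallback=-1)
        referrer = zt.get("ZoneTransfer", "ReferrerUrl", fallback="")
    # A shortcut resolving to a file share or local path fetches a file instead of opening a site.
    non_web_target = not target.lower().startswith(("http://", "https://"))
    # A missing MotW stream means provenance is unknown, so it is treated as untrusted, not as safe.
    untrusted_origin = zone_id in (3, 4) or zone_id == -1
    return UrlFileTriage(zone_id, target, referrer, suspicious=non_web_target and untrusted_origin)
```

On a Windows host, pair `read_zone_identifier(path)` with the file's own contents to triage real downloads; elsewhere the function returns None and the file is treated as unknown provenance.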
High-Priority Bugs
Among the five critical vulnerabilities in the February update, the one that requires priority attention is CVE-2024-21410, a privilege escalation vulnerability in Exchange Server, a favorite target for attackers.
An attacker could use the bug to disclose a targeted user's Net-NTLMv2 (New Technology LAN Manager version 2) hash and then relay that credential against an affected Exchange Server to authenticate to it as the user.
The security vendor pointed to an article that Microsoft has published that provides additional information on how to patch the vulnerability.
Microsoft has assigned CVE-2024-21410 a maximum severity rating of 9.1 out of 10, which makes it a critical vulnerability.
Typically, privilege escalation vulnerabilities tend to score relatively low on the CVSS vulnerability rating scale, which belies the true nature of the threat they present, said Kev Breen, senior director of threat research at Immersive Labs.
Walters from Action1 highlighted CVE-2024-21413, an RCE flaw in Microsoft Outlook, as a vulnerability that administrators might want to prioritize from February's batch.
The critical-severity flaw, with a near-maximum severity score of 9.8, involves low attack complexity and requires no user interaction and no special privileges for an attacker to exploit it.
Microsoft itself rated the vulnerability as one that attackers are less likely to exploit.
Walters said the vulnerability poses a substantial threat for organizations and requires prompt attention.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 13 Feb 2024 22:35:07 +0000