Microsoft Corp. today pushed software updates to plug more than 70 security holes in its Windows operating systems and related products, including two zero-day vulnerabilities that are already being exploited in active attacks.
Redmond's advisory for this bug says an attacker would need to convince or trick a user into opening a malicious shortcut file.
The other zero-day flaw is CVE-2024-21351, another security feature bypass, this one in the built-in Windows SmartScreen component that tries to screen out potentially malicious files downloaded from the Web.
Kevin Breen at Immersive Labs says it's important to note that this vulnerability alone is not enough for an attacker to compromise a user's workstation, and instead would likely be used in conjunction with something like a spear phishing attack that delivers a malicious file.
Satnam Narang, senior staff research engineer at Tenable, said this is the fifth vulnerability in Windows SmartScreen patched since 2022 and all five have been exploited in the wild as zero-days.
Microsoft notes that prior to its Exchange Server 2019 Cumulative Update 14, a security feature called Extended Protection for Authentication, which provides NTLM credential relay protections, was not enabled by default.
Rapid7's lead software engineer Adam Barnett highlighted CVE-2024-21413, a critical remote code execution bug in Microsoft Office that could be exploited just by viewing a specially-crafted message in the Outlook Preview pane.
Barnett stressed that administrators responsible for Office 2016 installations who apply patches outside of Microsoft Update should note that the advisory lists no fewer than five separate patches, all of which must be installed to achieve remediation of CVE-2024-21413. Individual update knowledge base articles further note that partially-patched Office installations will be blocked from starting until the correct combination of patches has been installed.
It's a good idea for Windows end-users to stay current with security updates from Microsoft, which can quickly pile up otherwise.
That doesn't mean you have to install them on Patch Tuesday.
Waiting a day or three before updating is a sane response, given that sometimes updates go awry and usually within a few days Microsoft has fixed any issues with its patches.
It's also smart to back up your data and/or image your Windows drive before applying new updates.
For a more detailed breakdown of the individual flaws addressed by Microsoft today, check out the SANS Internet Storm Center's list.
For those admins responsible for maintaining larger Windows environments, it often pays to keep an eye on Askwoody.com, which frequently points out when specific Microsoft updates are creating problems for a number of users.
This article was published on krebsonsecurity.com. Publication date: Tue, 13 Feb 2024 22:35:08 +0000