Microsoft is rolling out patches for 73 bugs, including 2 Windows Zero-Days


Microsoft has released patches to address 73 security flaws spanning its software portfolio as part of the February 2024 Patch Tuesday updates, including two zero-days that are being actively exploited.

Of the 73 vulnerabilities, five are rated Critical, 65 Important and three Moderate in severity. This is in addition to 24 flaws that have been fixed in the Chromium-based Edge browser since the release of the January 2024 Patch Tuesday updates.

Below are the two flaws under active attack at the time of release:

  • CVE-2024-21351 (CVSS score: 7.6) – Windows SmartScreen Security Feature Bypass Vulnerability
  • CVE-2024-21412 (CVSS score: 8.1) – Internet Shortcut Files Security Feature Bypass Vulnerability

“The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could lead to some data exposure, lack of system availability, or both,” Microsoft said of CVE-2024-21351.

Successful exploitation of the flaw could allow an attacker to bypass SmartScreen protections and execute arbitrary code. For the attack to work, however, the threat actor must send the user a malicious file and convince them to open it.

CVE-2024-21412 similarly allows an unauthenticated attacker to bypass displayed security checks by sending a specially crafted file to a targeted user.

“However, the attacker would have no way to force a user to view the attacker-controlled content,” Redmond noted. “Instead, the attacker would have to convince them to take action by clicking the file link.”

CVE-2024-21351 is the second bypass bug discovered in SmartScreen, after CVE-2023-36025 (CVSS score: 8.8), which the tech giant patched in November 2023. That earlier flaw has since been exploited by multiple hacking groups to distribute DarkGate, Phemedrone Stealer and Mispadu.

Trend Micro, which detailed an attack campaign by Water Hydra (aka DarkCasino) targeting financial market traders with an advanced zero-day attack chain leveraging CVE-2024-21412, described the flaw as a bypass for CVE-2023-36025 that allows threat actors to evade SmartScreen checks.

First discovered in 2021, Water Hydra has a track record of launching attacks on banks, cryptocurrency platforms, trading services, gambling sites and casinos to deliver a Trojan called DarkMe using zero-day exploits, including the WinRAR bug that came to light in August 2023 (CVE-2023-38831, CVSS score: 7.8).

Late last year, Chinese cybersecurity firm NSFOCUS elevated the “financially motivated” hacking group to the status of a brand new advanced persistent threat (APT).

“In January 2024, Water Hydra updated its infection chain by leveraging CVE-2024-21412 to execute a malicious Microsoft Installer File (.MSI), streamlining the DarkMe infection process,” Trend Micro said.

Both vulnerabilities have since been added to the Known Exploited Vulnerabilities (KEV) catalog of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which is urging federal agencies to apply the latest updates by March 5, 2024.

Also patched by Microsoft are five critical flaws:

  • CVE-2024-20684 (CVSS score: 6.5) – Windows Hyper-V Denial of Service Vulnerability
  • CVE-2024-21357 (CVSS score: 7.5) – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
  • CVE-2024-21380 (CVSS score: 8.0) – Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability
  • CVE-2024-21410 (CVSS score: 9.8) – Microsoft Exchange Server Elevation of Privilege Vulnerability
  • CVE-2024-21413 (CVSS score: 9.8) – Microsoft Outlook Remote Code Execution Vulnerability

“CVE-2024-21410 is an elevation of privilege vulnerability in Microsoft Exchange Server,” Satnam Narang, senior research engineer at Tenable, said in a statement. “According to Microsoft, this flaw is more likely to be exploited by attackers.”

“Exploiting this vulnerability could result in the disclosure of a targeted user’s New Technology LAN Manager (NTLM) version 2 hash, which could be relayed back to a vulnerable Exchange Server in an NTLM relay or pass-the-hash attack, which could allow the attacker to authenticate as the targeted user.”
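The relay scenario Narang describes leaves a trace a defender can look for: on the Exchange server, the resulting logon event carries the workstation name that travelled inside the relayed NTLM messages, while the TCP connection comes from the host that did the relaying. The following is an added example (not from the article, Tenable or Microsoft) that checks constructed Windows Security event 4624 records for NTLM logons whose claimed workstation does not match the source IP address; it assumes the defender has an asset inventory mapping hostnames to addresses (`INVENTORY`, constructed here) and uses the field names from the XML view of event 4624.

```python
"""Heuristic NTLM relay indicator over Windows Security event 4624 records.

Added example: flags NTLM network logons where the WorkstationName claimed in
the NTLM exchange does not belong to the IpAddress that delivered it. This is a
heuristic, not proof of relay (VPN pools and NAT also cause mismatches), so the
output is meant for triage, not blocking.
"""
from ipaddress import ip_address

# Constructed asset inventory: hostname -> expected IPv4 address.
INVENTORY = {
    "WS-ALICE": "10.1.5.23",
    "WS-BOB": "10.1.5.24",
    "EXCH01": "10.1.1.10",
}

# Constructed sample events. Field names follow event 4624's EventData; the
# values are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "WorkstationName": "WS-ALICE", "IpAddress": "10.1.5.23", "Computer": "EXCH01"},
    {"EventID": 4624, "TargetUserName": "bob", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-",
     "WorkstationName": "WS-BOB", "IpAddress": "10.1.5.24", "Computer": "EXCH01"},
    # Suspicious: an NTLMv2 logon claims WS-ALICE but arrives from an address
    # the inventory does not associate with that workstation.
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "WorkstationName": "WS-ALICE", "IpAddress": "10.1.9.77", "Computer": "EXCH01"},
    # Local/console logons carry no useful source address and are skipped.
    {"EventID": 4624, "TargetUserName": "svc-backup", "LogonType": 5,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "WorkstationName": "EXCH01", "IpAddress": "-", "Computer": "EXCH01"},
]


def is_ntlm_network_logon(ev):
    """Only network (type 3) NTLM logons can be the product of a relay."""
    return (ev.get("EventID") == 4624
            and ev.get("LogonType") == 3
            and ev.get("AuthenticationPackageName") == "NTLM")


def relay_indicators(events, inventory=INVENTORY):
    """Return (user, claimed_workstation, source_ip, reason) for each NTLM
    network logon whose claimed workstation does not match its source IP."""
    findings = []
    for ev in events:
        if not is_ntlm_network_logon(ev):
            continue
        src = ev.get("IpAddress", "-")
        try:
            ip_address(src)          # "-" or malformed sources carry no signal
        except ValueError:
            continue
        claimed = ev.get("WorkstationName", "").upper()
        expected = inventory.get(claimed)
        if expected is None:
            reason = "claimed workstation not in inventory"
        elif expected != src:
            reason = f"{claimed} is {expected}, not {src}"
        else:
            continue
        findings.append((ev.get("TargetUserName"), claimed, src, reason))
    return findings


if __name__ == "__main__":
    for user, ws, src, why in relay_indicators(SAMPLE_EVENTS):
        print(f"NTLM logon as {user} claiming {ws} from {src}: {why}")
```

Fed with exported 4624 events from the Exchange servers, the same function gives a short triage list; the `LmPackageName` value ("NTLM V2") is what confirms the version Narang refers to, and any NTLMv1 value in that field is worth a finding of its own.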

The security update also resolves 15 remote code execution flaws in the Microsoft WDAC OLE DB provider for SQL Server, which an attacker could exploit by tricking an authenticated user into attempting to connect to a malicious SQL server via OLE DB.

Rounding out the patch is a fix for CVE-2023-50387 (CVSS score: 7.5), a 24-year-old design flaw in the DNSSEC specification that can be exploited to exhaust CPU resources and stall DNS resolvers, resulting in a denial-of-service (DoS).

The vulnerability has been codenamed KeyTrap by the National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt.

“They showed that, with just a single DNS packet, the attack can exhaust the CPU and stall all commonly used DNS implementations and public DNS providers, such as Google Public DNS and Cloudflare,” the researchers said. “In fact, the popular BIND 9 DNS implementation can be stalled for up to 4 hours.”
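What makes a single packet so expensive is the validation rule itself: RFC 4035 (section 5.3.1) tells a validator to try every DNSKEY whose key tag, algorithm and owner match an RRSIG, so a response whose keys all share one key tag and whose signatures are all bogus forces keys × signatures verification attempts before the answer can be declared bogus. The following is an added example, not ATHENE's code and not a real DNSSEC implementation: a cost model with a stand-in `verify()` and constructed key and signature records, showing the unbounded spec behaviour beside the bounded validator that resolver vendors shipped as the mitigation. The names `validate`, `colliding_keyset` and `max_attempts` are this example's own.

```python
"""Cost model of DNSSEC signature validation under a KeyTrap-style answer.

Added example. DNSKEY/RRSIG are reduced to the fields that drive key
selection; verify() is a constructed stand-in for the expensive public-key
operation. What is measured is the number of verification attempts, which is
what the real attack amplifies.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    algorithm: int
    material: bytes


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int
    signature: bytes


def verify(key, sig):
    # Stand-in for the cryptographic check (constructed rule for this model):
    # a signature validates only if it equals the key material.
    return key.material == sig.signature


def validate(keys, sigs, max_attempts=None):
    """Return (status, attempts).

    max_attempts=None follows the specification strictly: every matching
    (signature, key) pair is tried until one validates.  A finite budget is the
    vendor mitigation: once exceeded the answer is treated as bogus without
    spending more CPU, and the client gets SERVFAIL rather than a stalled
    resolver.
    """
    attempts = 0
    for sig in sigs:
        for key in keys:
            # RFC 4035 5.3.1 key-selection rule: tag and algorithm must match.
            if key.key_tag != sig.key_tag or key.algorithm != sig.algorithm:
                continue
            if max_attempts is not None and attempts >= max_attempts:
                return "budget-exceeded", attempts
            attempts += 1
            if verify(key, sig):
                return "secure", attempts
    return "bogus", attempts


def colliding_keyset(n_keys, n_sigs, tag=12345, algorithm=13):
    """Constructed hostile answer: n_keys DNSKEYs sharing one key tag and
    n_sigs RRSIGs referencing it, none of which verifies against any key."""
    keys = [DNSKEY(tag, algorithm, b"key%04d" % i) for i in range(n_keys)]
    sigs = [RRSIG(tag, algorithm, b"bogus%03d" % j) for j in range(n_sigs)]
    return keys, sigs


if __name__ == "__main__":
    benign_keys = [DNSKEY(1, 13, b"k1")]
    benign_sigs = [RRSIG(1, 13, b"k1")]
    print("benign:", validate(benign_keys, benign_sigs))
    keys, sigs = colliding_keyset(50, 50)
    print("hostile, strict spec:", validate(keys, sigs))
    print("hostile, budget 16:", validate(keys, sigs, max_attempts=16))
```

Fifty keys and fifty signatures, a payload that still fits comfortably in one DNS response, cost the strict validator 2,500 verification attempts; the budgeted one gives up after 16 and moves on. A real verification is orders of magnitude slower than the string comparison used here, which is how the attempt count turns into hours of stalled resolver time.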

Software patches from other vendors

In addition to Microsoft, security updates have also been released by other vendors since the beginning of the month to address various vulnerabilities, including:
