Attackers exploit Microsoft security-bypass zero-day bugs

Microsoft’s February Patch Tuesday security update includes fixes for two zero-day security vulnerabilities under active attack, as well as 71 other flaws across a broad range of products.

In total, five of the vulnerabilities for which Microsoft released a February patch were rated as critical, 66 as important, and two as moderate.

The update includes patches for Microsoft Office, Windows, Microsoft Exchange Server, the company’s Chromium-based Edge browser, Azure Active Directory, Microsoft Defender for Endpoint, and Skype for Business. Tenable identified 30 of the 73 CVEs as remote code execution (RCE) vulnerabilities; 16 as enabling privilege escalation; 10 as spoofing bugs; nine as enabling distributed denial-of-service attacks; five as information disclosure flaws; and three as security bypass issues.

Water Hydra exploits zero-day to target financial operators

A threat actor nicknamed Water Hydra (aka Dark Casino) is currently exploiting one of the zero-day vulnerabilities, an Internet Shortcut Files security feature bypass vulnerability tracked as CVE-2024-21412 (CVSS 8.1), in a malicious campaign targeting financial sector organizations.

Researchers at Trend Micro, among many who discovered and reported the flaw to Microsoft, described it as a bypass of a previously patched SmartScreen vulnerability (CVE-2023-36025, CVSS 8.8) and said it affects all supported versions of Windows. Water Hydra actors use CVE-2024-21412 to gain initial access to systems belonging to financial traders and place the DarkMe remote access trojan on them.

To exploit the vulnerability, an attacker would first have to deliver a malicious file to a targeted user and convince them to open it, Saeed Abbasi, lead vulnerability researcher at Qualys, said in an email comment. “The impact of this vulnerability is profound, compromising security and undermining trust in protection mechanisms like SmartScreen,” Abbasi said.

SmartScreen bypass zero-day

The other zero-day Microsoft disclosed in this month’s security update affects Defender SmartScreen. According to Microsoft, CVE-2024-21351 is a medium-severity bug that allows an attacker to bypass SmartScreen protections and inject code into it to potentially gain remote code execution capabilities. A successful exploit could lead to limited data exposure, system availability issues, or both, Microsoft said. No details are available on who exactly might be exploiting the bug and for what purpose.

In comments prepared for Dark Reading, Mike Walters, president and co-founder of Action1, said the vulnerability is related to how Microsoft’s Mark of the Web (a feature for identifying untrusted content from the Internet) interacts with SmartScreen. “For this vulnerability, an attacker must distribute a malicious file to a user and convince them to open it, allowing them to bypass SmartScreen controls and potentially compromise system security,” Walters said.
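Added example, not from the article: Mark of the Web is stored as an NTFS alternate data stream named `Zone.Identifier`, and this sketch parses that stream's text and classifies the zone for defensive file triage. The sample stream contents, the `example.test` URLs and the `triage` labels are constructed for illustration.

```python
import configparser

# Windows URL security zone numbers stored in the ZoneId field.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

def parse_motw(stream_text):
    """Parse Zone.Identifier stream text; return a dict, or None if no valid mark."""
    if not stream_text or not stream_text.strip():
        return None
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (ZoneId, HostUrl) as written
    try:
        cp.read_string(stream_text.lstrip("\ufeff"))
        zone = int(cp["ZoneTransfer"]["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None  # missing section, missing ZoneId, or non-numeric zone
    sect = cp["ZoneTransfer"]
    return {"zone_id": zone, "zone": ZONES.get(zone, "Unknown"),
            "host_url": sect.get("HostUrl"), "referrer": sect.get("ReferrerUrl")}

def read_motw(path):
    """Read the mark from a file on NTFS; None when the stream is absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_motw(fh.read())
    except OSError:
        return None

def triage(mark):
    """Classify a parsed mark when reviewing files known to have arrived from outside."""
    if mark is None:
        return "no-mark"      # absent or malformed: nothing flags the file as untrusted
    if mark["zone_id"] >= 3:
        return "untrusted"    # Internet or Restricted Sites
    return "trusted-zone"

# Constructed samples, not taken from any real incident.
SAMPLE_INTERNET = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.test/\r\n"
                   "HostUrl=https://example.test/files/report%20q1.url?x=1\r\n")
SAMPLE_INTRANET = "[ZoneTransfer]\nZoneId=1\n"
SAMPLE_BROKEN = "[ZoneTransfer]\nZoneId=three\n"

if __name__ == "__main__":
    for name, text in [("internet", SAMPLE_INTERNET), ("intranet", SAMPLE_INTRANET),
                       ("broken", SAMPLE_BROKEN), ("absent", "")]:
        print(name, triage(parse_motw(text)), parse_motw(text))
```

A downloaded or mailed file that comes back as `no-mark` is the case worth a second look during triage, since the mark is what identifies the content as coming from the Internet.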

High priority bug

Among the five critical vulnerabilities in the February update, the one that requires priority attention is CVE-2024-21410, a privilege escalation vulnerability in Exchange Server, a favorite target for attackers. An attacker could use the bug to disclose a targeted user's New Technology LAN Manager (NTLM) version 2 hash, then relay that credential to an affected Exchange Server and authenticate to it as the user.

Flaws like this that reveal sensitive information such as NTLM hashes can be very valuable to attackers, Satnam Narang, senior research engineer at Tenable, said in a statement. “A hacker based in Russia exploited a similar vulnerability to launch attacks: CVE-2023-23397 is an elevation of privilege vulnerability in Microsoft Outlook patched in March 2023,” he said.

To fix the flaw, Exchange administrators will need to ensure that they have Exchange Server 2019 Cumulative Update 14 (CU14) installed and that the Extended Protection for Authentication (EPA) feature is enabled, Trend Micro said. The security vendor pointed to an article that Microsoft published, which provides additional information on how to patch the vulnerability.

Microsoft has given CVE-2024-21410 a severity score of 9.1 out of a maximum of 10, making it a critical vulnerability. But privilege escalation vulnerabilities typically tend to score relatively low on the CVSS vulnerability-rating scale, which belies the true nature of the threat they pose, said Kev Breen, senior director of threat research at Immersive Labs. “Despite the low score, [privilege escalation] vulnerabilities are highly sought after by threat actors and used in nearly every cyber incident,” Breen said in a statement. “Once an attacker gains access to a user account through social engineering or some other attack, they will try to escalate their permissions to either the local administrator or the domain administrator.”

Walters of Action1 highlighted CVE-2024-21413, an RCE flaw in Microsoft Outlook, as a vulnerability that administrators may want to prioritize from the February batch. The critical-severity flaw, with a near-maximum severity score of 9.8, involves low attack complexity, no user interaction, and no special privileges for an attacker to exploit it. “An attacker could exploit this vulnerability via the Outlook Preview Pane, allowing them to bypass Office Protected View and force files to open in Edit Mode, rather than the more secure Protected Mode,” Walters said.

Microsoft itself has identified the vulnerability as one that attackers are less likely to exploit. However, Walters said the vulnerability poses a substantial threat to organizations and requires timely attention.
