Microsoft delivered a critical patch on February Patch Tuesday to address two zero-day vulnerabilities that affect Windows server and desktop systems. This month, Microsoft addressed 73 new vulnerabilities and provided updates for seven older bugs. Five of the vulnerabilities were deemed critical, including the two zero-day vulnerabilities that were actively exploited. In addition, a critical Exchange Server flaw and a critical Microsoft Outlook bug were fixed, as well as mitigations for an older Windows AppX installer spoofing vulnerability.
The first zero-day vulnerability, an Internet Shortcut Files security feature bypass (CVE-2024-21412), affects Windows desktop and server systems and has a CVSS score of 8.1. An attacker could send a malicious file to a user, who would have to open it to trigger the exploit, bypassing system security checks. The second zero-day vulnerability, a Windows SmartScreen security feature bypass (CVE-2024-21351), rated moderate with a 7.6 CVSS score, affects Windows server and desktop systems. To trigger the exploit, an attacker must convince a user to open a malicious file, circumventing SmartScreen protections in Microsoft Defender.
Chris Goettl, vice president of product management for security products at Ivanti, emphasized the severity of these vulnerabilities, stating that the assessments do not account for the real-world attacks that occurred before the security updates were released.
In addition to the zero-day vulnerabilities, a critical patch was released for an elevation-of-privilege vulnerability (CVE-2024-21410) for Exchange Server 2016 and Exchange 2019 systems. This vulnerability has a high exploitability rating, and if exploited, it can give an attacker system-level privileges. Microsoft released a cumulative update for Exchange 2019 to address this vulnerability, while Exchange 2016 will not receive a cumulative update.
Furthermore, Microsoft reissued a critical Windows AppX installer spoofing vulnerability (CVE-2021-43890) that was first published on Patch Tuesday in December 2021. This vulnerability allows an attacker to add malware to an attachment and convince the user to open it, thereby evading security measures and executing code on the system. Microsoft has issued several informational updates for this vulnerability, providing additional information to protect Windows systems.
Other critical security updates include a Microsoft Outlook remote-code execution vulnerability, a Windows Pragmatic General Multicast remote-code execution vulnerability, and a Windows Hyper-V DoS vulnerability. These updates address critical vulnerabilities that could be exploited to gain unauthorized access and disrupt the capabilities of affected systems.
In conclusion, organizations that manage Windows systems should expedite the installation of the February Patch Tuesday updates to mitigate the risk of exploitation from the identified vulnerabilities. The importance of addressing these critical vulnerabilities should not be understated, as they could have significant implications for system security and data integrity. With the threat landscape constantly evolving, staying proactive in deploying security patches and updates is essential to safeguarding organizational assets and maintaining a secure computing environment.