Microsoft Corp. released software updates on Tuesday to fix over 70 security holes in its Windows operating systems and related products. Included in these patches are fixes for two zero-day vulnerabilities that have been actively exploited.
One of the zero-day flaws, identified as CVE-2024-21412, is classified as a “security feature bypass” in the way Windows handles Internet Shortcut Files. The bug is under active exploitation, and an attacker would need to trick a user into opening a malicious shortcut file. The ongoing exploitation of CVE-2024-21412 has been linked to an advanced persistent threat group known as “Water Hydra,” which uses the vulnerability to deploy a remote access trojan (RAT) onto infected Windows systems.
The second zero-day flaw, known as CVE-2024-21351, is another security feature bypass in the Windows SmartScreen component, which screens out potentially malicious files downloaded from the Web. This vulnerability alone is not enough for an attacker to compromise a user’s workstation. However, it could be used in conjunction with a spear phishing attack to deliver a malicious file.
According to Satnam Narang, senior staff research engineer at Tenable, the zero-day vulnerability related to Microsoft Exchange Server, known as CVE-2024-21410, can be leveraged to disclose sensitive information like NTLM hashes, which could then be used in an NTLM relay or “pass the hash” attack. Attackers could potentially carry out these types of attacks if Exchange Server 2019 Cumulative Update 14 (CU14) does not enable Extended Protection for Authentication (EPA) by default.
Rapid7’s lead software engineer, Adam Barnett, also highlighted CVE-2024-21413, a critical remote code execution bug. This vulnerability affects Microsoft Office and could be exploited just by viewing a specially crafted message in the Outlook Preview pane.
With this latest wave of patches, Microsoft hopes to address the increasing trend of zero-day vulnerabilities being exploited in the wild. Microsoft Office 2016 administrators who apply patches outside of Microsoft Update should note that several separate patches must be installed to fully remediate CVE-2024-21413.
It’s essential for Windows end-users to stay current with the latest security updates from Microsoft. It’s generally a good idea to update within a few days of Patch Tuesday to allow time for Microsoft to fix any issues with its patches. Additionally, keeping an eye on websites like Askwoody.com can provide valuable information about potential problems with specific Microsoft updates.
For a more detailed breakdown of the individual flaws addressed by Microsoft in the recent update, you can refer to the SANS Internet Storm Center’s list. These updates are critical to ensuring the security and integrity of Windows operating systems and should be implemented as soon as possible.

