Microsoft Patches Two Zero Day Holes for February

Microsoft's February patch arrived on Tuesday with fixes for two zero-day vulnerabilities and an additional 70 flaws.

The first of the zero-day issues is a security bypass flaw in how Windows interacts with Internet shortcut files (CVE-2024-21412). According to Microsoft, this problem, which has already been seen exploited in the wild, could allow an attacker to bypass usual security checks and warnings to send a malicious file directly to a target.

Mike Walters, President and co-founder of security firm Action1, breaks down what an attack exploiting this hole would look like: "In the exploitation scenario, an attacker must send a specifically crafted file to a target user and persuade them to open it, since the attacker cannot compel the user to engage with the malicious content directly. Despite the vulnerability not being publicly disclosed, it has been found to be exploitable. It is crucial for organizations to implement the official patches and updates released by Microsoft to address this vulnerability effectively."

It's important to note that because security researchers from Aura Information Security, Google and Trend Micro all discovered this flaw within a short window, it is very likely that more active exploits will appear as attackers do their own research on what looks to be an easily verified flaw.

February's second zero-day is another security bypass issue, this time in Windows SmartScreen – Microsoft's cloud-based malware and phishing detection tool. CVE-2024-21351 looks to plug an issue that, according to Microsoft, could allow "a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability or both."

As observed in the wild, the injected code bypasses Mark of the Web, the zone identifier that Windows attaches to every file downloaded from the Internet. Based on that recorded location, SmartScreen would typically run a reputation check on the file, especially when its origin is a flagged zone. If the file were deemed malicious, it would not be downloaded. With the injected code, however, this security guardrail is removed, and a file would not be flagged before a user could download it.
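To make that guardrail concrete, here is an added example (not code from the article or from Microsoft) in Python that parses the Zone.Identifier alternate data stream carrying Mark of the Web and flags downloaded files that have no mark at all, which is exactly the state a bypass leaves them in. The sample stream, URLs and file paths are constructed.

```python
# Added example: inspect the Zone.Identifier ADS that carries Mark of the Web.
# A downloaded file with no stream (or no ZoneId) will never reach SmartScreen's
# reputation check, so a defender auditing a Downloads folder wants to spot it.
import sys
from dataclasses import dataclass
from typing import Optional

# URLMON security-zone ids as written into the [ZoneTransfer] section.
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown({self.zone_id})")

    @property
    def triggers_smartscreen(self) -> bool:
        # Internet (3) and Restricted (4) zones are the origins SmartScreen checks.
        return self.zone_id >= 3


def parse_zone_identifier(stream_text: str) -> Optional[MarkOfTheWeb]:
    """Parse the INI-style stream; return None if it carries no usable ZoneId."""
    section, values = None, {}
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    if not values.get("zoneid", "").isdigit():
        return None
    return MarkOfTheWeb(int(values["zoneid"]), values.get("referrerurl"), values.get("hosturl"))


def read_motw(path: str) -> Optional[MarkOfTheWeb]:
    """Read the file's Zone.Identifier ADS (NTFS only); None means no MotW present."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:  # no such file, or no such stream: the file is unmarked
        return None


# Constructed sample: what a browser writes for a file saved from the Internet zone.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.test/dl\r\nHostUrl=https://example.test/files/report.pdf\r\n"

if __name__ == "__main__":
    for p in sys.argv[1:]:
        m = read_motw(p)
        print(p, "-> NO MARK OF THE WEB" if m is None else f"-> zone {m.zone_name}")
```

On a non-NTFS volume every file reports as unmarked, so run the audit on the Windows host that holds the downloads.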

As with the first zero-day flaw, attacks taking advantage of this issue have been seen, but details of the problem have not been publicly disclosed. The number of active attacks is nonetheless expected to grow as more attackers work out the details.

Once the two zero-day flaws for the month have been patched, IT's focus should be on February's six "critical" items:

  • CVE-2023-36019: Spoofing vulnerability in Microsoft's Power Platform. (This updates a December 2023 bulletin with a permanent fix.)
  • CVE-2024-21357: Remote code execution vulnerability in Windows Pragmatic General Multicast (PGM).
  • CVE-2024-21413: Remote code execution vulnerability in Microsoft Outlook.
  • CVE-2024-20684: Denial of service vulnerability in Windows Hyper-V.
  • CVE-2024-21410: Elevation of privilege vulnerability in Microsoft Exchange Server.
  • CVE-2024-21380: Information disclosure vulnerability in Microsoft Dynamics Business Central/NAV.

The full list of this month's bulletins can be found here.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

