Microsoft released its February Patch Tuesday security updates this week, addressing a total of 73 vulnerabilities, including two zero-day vulnerabilities exploited by active attack campaigns.
The first zero-day, CVE-2024-21412, is a security feature bypass in Internet Shortcut files. An attacker sends a specially crafted file and entices the targeted user to click a link or download and open the file, which then bypasses the usual Windows warning prompts. Microsoft noted that the attacker has no way to force the user to view the attacker-controlled content, which is reflected in the vulnerability's risk rating of 8.1.
The flaw was reported by Peter Girnus of Trend Micro's Zero Day Initiative, who found that the nation-state hacking group DarkCasino (Water Hydra) exploited it to target financial trading platforms and implant the DarkMe remote access trojan on victims' devices.
The second zero-day, CVE-2024-21351, is a security feature bypass in Windows SmartScreen. This mechanism attaches a Mark of the Web (MotW) identifier to files such as Word, Excel, or PowerPoint documents when users download them from the internet. When the user opens the file, Windows SmartScreen checks whether the MotW identifier indicates that the file came from the internet and, if so, performs a reputation check. Exploiting the flaw lets a file bypass these checks and can lead to remote code execution; it carries a risk rating of 7.6. Who has been exploiting this vulnerability is not known.
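Both zero-days turn on whether a file carries the MotW that SmartScreen inspects. As an added example (not code from the article or from Microsoft), the script below parses the `Zone.Identifier` alternate data stream in which Windows stores the MotW and classifies a file the way a defender auditing a Downloads folder would want: internet-sourced (SmartScreen reputation check applies), local, or missing the mark entirely. The stream format and zone numbering are standard Windows behaviour; the sample stream content is constructed.

```python
"""Inspect the Mark of the Web (MotW) that Windows keeps in a file's
Zone.Identifier alternate data stream (ADS) and report whether the
SmartScreen reputation check described above would apply."""
import sys
from pathlib import Path
from typing import Optional

# URL security zone ids that Windows writes into the Zone.Identifier stream.
ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
ADS_NAME = "Zone.Identifier"

def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style [ZoneTransfer] block; ZoneId is returned as an int."""
    values: dict = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    if values.get("ZoneId", "").isdigit():
        values["ZoneId"] = int(values["ZoneId"])
    else:
        values.pop("ZoneId", None)  # malformed or absent zone: treat as no MotW
    return values

def motw_status(zone_info: Optional[dict]) -> str:
    """'internet' -> SmartScreen check applies; 'local' -> it does not; 'missing' -> no MotW."""
    if not zone_info or "ZoneId" not in zone_info:
        return "missing"
    return "internet" if zone_info["ZoneId"] >= 3 else "local"

def read_motw(path: Path) -> Optional[dict]:
    """Read the ADS (NTFS on Windows); None when the file has no Zone.Identifier stream."""
    try:
        with open(f"{path}:{ADS_NAME}", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None

def audit_folder(folder: Path) -> dict:
    """Map every regular file in the folder to its MotW status."""
    return {p.name: motw_status(read_motw(p)) for p in folder.iterdir() if p.is_file()}

# Constructed sample: what a browser typically writes for an internet download.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.test/\r\n"
                 "HostUrl=https://example.test/report.xlsx\r\n")

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    results = audit_folder(target) if target else {"report.xlsx": motw_status(parse_zone_identifier(SAMPLE_STREAM))}
    for name, status in sorted(results.items()):
        print(f"{status:8} {name}")
```

Run it with a folder path on Windows to list files that arrived without a MotW; without arguments it classifies the constructed sample stream.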
Of the vulnerabilities patched this month, five are rated critical. CVE-2024-21413, which affects Outlook, uses the preview pane as its attack vector: an attacker can send a file that bypasses Protected View and opens in editing mode. Because no user interaction is required for exploitation, it carries a risk rating of 9.8.
CVE-2024-21410 is a privilege escalation vulnerability affecting Exchange Server, with a risk rating of 9.8. Attackers can leverage previously obtained NTLM credentials to perform NTLM relay attacks, gaining access to the victim’s Exchange Server and infiltrating corporate network environments.
Additionally, security firm Rapid7 highlighted CVE-2024-21357, a remote code execution vulnerability in Windows Pragmatic General Multicast (PGM). Microsoft considers the attack limited to the same network segment, with no cross-segment (WAN) exploitation possible, and assigned a risk rating of 7.5, but Rapid7 still regards it as significant in its own assessment. Notably, Microsoft even released an update for the otherwise unsupported Windows Server 2008 to address this vulnerability.