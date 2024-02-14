



Microsoft's Patch Tuesday security update for February includes fixes for two actively exploited zero-day vulnerabilities, as well as 71 other flaws across a wide range of the company's products.

Of the vulnerabilities Microsoft patched in February, five were rated critical, 66 were rated important, and two were rated moderate.

The update includes patches for Microsoft Office, Windows, Microsoft Exchange Server, the company's Chromium-based Edge browser, Azure Active Directory, Microsoft Defender for Endpoint, and Skype for Business. Tenable identified 30 of the 73 CVEs as remote code execution (RCE) vulnerabilities. Sixteen allow privilege escalation, 10 are spoofing flaws, nine are listed as enabling distributed denial of service attacks, five are information disclosure flaws, and three are security feature bypass issues.

Water Hydra exploits zero-day to target financial traders

A threat actor known as Water Hydra (also known as Dark Casino) is currently targeting organizations in the financial industry with a campaign that exploits one of the two zero-days: the Internet Shortcut Files security feature bypass vulnerability tracked as CVE-2024-21412 (CVSS 8.1).

Trend Micro researchers, who discovered and reported the flaw to Microsoft, believe it is related to a bypass of a previously patched SmartScreen vulnerability (CVE-2023-36025, CVSS 8.8) and that it affects all supported Windows versions. Water Hydra uses CVE-2024-21412 to gain initial access to systems belonging to financial traders, where it drops the DarkMe remote access Trojan.

To exploit this vulnerability, an attacker must first distribute a malicious file to a target user and convince them to open it, Saeed Abbasi, manager of vulnerability research at Qualys, said in an emailed comment. “The impact of this vulnerability is severe, compromising security and undermining confidence in protection mechanisms like SmartScreen,” Abbasi said.

SmartScreen Bypass Zero-Day

The other zero-day Microsoft disclosed in this month's security update affects Defender SmartScreen. According to Microsoft, CVE-2024-21351 is a moderate-severity bug that could allow an attacker to bypass SmartScreen protections, inject code, and gain remote code execution capabilities. Microsoft says a successful exploit could result in limited data disclosure, system availability issues, or both. Details about exactly who is exploiting this bug, and for what purpose, are unclear.

Mike Walters, president and co-founder of Action1, said in prepared comments for Dark Reading that the vulnerability has to do with how Microsoft's Mark of the Web (a feature that flags untrusted content downloaded from the Internet) interacts with the SmartScreen feature. “This vulnerability requires an attacker to distribute a malicious file to a user and convince them to open the file. This could potentially allow SmartScreen checks to be bypassed and the security of the system to be compromised,” Walters said.

High-Priority Bugs

Of the five critical vulnerabilities included in the February update, CVE-2024-21410 is the one to prioritize. It is an elevation of privilege vulnerability in Exchange Server, a favorite target of attackers. An attacker could exploit the bug to expose a targeted user's Net-New Technology LAN Manager (NTLM) version 2 hash and relay those credentials to an affected Exchange Server in order to authenticate as that user.

Satnam Narang, a senior staff research engineer at Tenable, said in a statement that such flaws, which leak sensitive information such as NTLM hashes, can be extremely valuable to attackers. “A Russian-based attacker leveraged a similar vulnerability, CVE-2023-23397, an elevation of privilege vulnerability in Microsoft Outlook that was patched in March 2023, to carry out the attack,” he said.

According to Trend Micro, to fix this flaw, Exchange administrators must install the Exchange Server 2019 Cumulative Update 14 (CU14) update and ensure that the Extended Protection for Authentication (EPA) feature is enabled. The security vendor pointed to an article published by Microsoft that provides additional information on how to patch the vulnerability.
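Because EPA (which binds NTLM authentication to the TLS channel so a relayed authentication fails) is the mitigation the article points to, an administrator will want to see what is actually configured. The following is an added example, not code from the article, Trend Micro or Microsoft; it only reports the IIS `tokenChecking` value per Exchange virtual directory, and the directory list is an assumption. Microsoft's own guidance remains the reference for which value each directory is expected to carry.

```powershell
# Added example: report the Extended Protection for Authentication (EPA) setting
# on Exchange virtual directories. Assumes it runs on the Exchange server itself,
# where the IIS WebAdministration module is available. The directory list below
# is an assumption, not an official or exhaustive list.
Import-Module WebAdministration

$vdirs = @(
    'Default Web Site/EWS',
    'Default Web Site/mapi',
    'Default Web Site/OAB',
    'Default Web Site/owa',
    'Default Web Site/ecp',
    'Default Web Site/Rpc',
    'Exchange Back End/EWS',
    'Exchange Back End/mapi/emsmdb',
    'Exchange Back End/OAB'
)

# Filter for the EPA element under Windows authentication in applicationHost.config
$epaFilter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

function Get-EpaStatus {
    param([string[]]$Locations)
    foreach ($loc in $Locations) {
        $epa = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $loc `
            -Filter $epaFilter -ErrorAction SilentlyContinue
        $value = if ($null -eq $epa) { 'NotSet' } else { [string]$epa.tokenChecking }

        # Require = channel binding enforced, a relayed NTLM exchange is rejected.
        # Allow   = enforced only when the client supplies a channel binding token.
        # None/NotSet = no channel binding on this directory; compare the value
        # against Microsoft's per-directory table before deciding it is acceptable.
        $note = switch ($value) {
            'Require' { 'channel binding enforced' }
            'Allow'   { 'enforced only for CBT-capable clients' }
            default   { 'no channel binding - review against Microsoft guidance' }
        }

        [pscustomobject]@{
            Location      = $loc
            TokenChecking = $value
            Note          = $note
        }
    }
}

Get-EpaStatus -Locations $vdirs | Format-Table -AutoSize
```

Run it from an elevated Exchange Management Shell; directories the server does not host simply show `NotSet`.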

Microsoft has assigned CVE-2024-21410 a severity rating of 9.1 out of 10, making it a critical vulnerability. But privilege escalation vulnerabilities typically score relatively low on the CVSS scale, which misrepresents the nature of the threat they pose, says Kev Breen, senior director of threat research at Immersive Labs. “Despite the low score, [privilege escalation] vulnerabilities are extremely popular with threat actors and are exploited in nearly every cyber incident,” Breen said in a statement. “They will try to escalate to local or domain administrator.”

Action1's Walters highlighted CVE-2024-21413, an RCE flaw in Microsoft Outlook, as another vulnerability from the February batch that administrators should prioritize. With a near-maximum severity score of 9.8, the flaw has low attack complexity and requires no user interaction and no special privileges for an attacker to exploit it. “An attacker could exploit this vulnerability via the Outlook preview pane to bypass Office Protected View and force a file to open in Edit mode instead of the more secure Protected Mode,” Walters said.

Microsoft itself has assessed this vulnerability as one that attackers are unlikely to exploit. Nevertheless, Walters said it poses a significant threat to organizations and requires immediate action.

