Microsoft has released patches to address 73 security flaws spanning its software lineup as part of its Patch Tuesday updates for February 2024, including two zero-days that have come under active exploitation.
Of the 73 vulnerabilities, 5 are rated Critical, 65 are rated Important, and three are rated Moderate in severity. This is in addition to 24 flaws that have been fixed in the Chromium-based Edge browser since the release of the January 2024 Patch Tuesday updates.
The two flaws that are listed as under active attack at the time of release are below –
- CVE-2024-21351 (CVSS score: 7.6) – Windows SmartScreen Security Feature Bypass Vulnerability
- CVE-2024-21412 (CVSS score: 8.1) – Internet Shortcut Files Security Feature Bypass Vulnerability
“The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both,” Microsoft said about CVE-2024-21351.
Successful exploitation of the flaw could allow an attacker to circumvent SmartScreen protections and run arbitrary code. However, for the attack to work, the threat actor must send the user a malicious file and convince the user to open it.
CVE-2024-21412, in a similar manner, permits an unauthenticated attacker to bypass displayed security checks by sending a specially crafted file to a targeted user.
“However, the attacker would have no way to force a user to view the attacker-controlled content,” Redmond noted. “Instead, the attacker would have to convince them to take action by clicking on the file link.”
CVE-2024-21351 is the second bypass bug to be discovered in SmartScreen after CVE-2023-36025 (CVSS score: 8.8), which was plugged by the tech giant in November 2023. The flaw has since been exploited by multiple hacking groups to proliferate DarkGate, Phemedrone Stealer, and Mispadu.
Trend Micro, which detailed an attack campaign undertaken by Water Hydra (aka DarkCasino) targeting financial market traders by means of a sophisticated zero-day attack chain leveraging CVE-2024-21412, described CVE-2024-21412 as a bypass for CVE-2023-36025, thereby enabling threat actors to evade SmartScreen checks.
Water Hydra, first detected in 2021, has a track record of launching attacks against banks, cryptocurrency platforms, trading services, gambling sites, and casinos to deliver a trojan called DarkMe using zero-day exploits, including the WinRAR flaw that came to light in August 2023 (CVE-2023-38831, CVSS score: 7.8).
Late last year, Chinese cybersecurity firm NSFOCUS graduated the “economically motivated” hacking group to an entirely new advanced persistent threat (APT).
“In January 2024, Water Hydra updated its infection chain exploiting CVE-2024-21412 to execute a malicious Microsoft Installer File (.MSI), streamlining the DarkMe infection process,” Trend Micro said.
Both vulnerabilities have since been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), urging federal agencies to apply the latest updates by March 5, 2024.
Also patched by Microsoft are five critical flaws –
- CVE-2024-20684 (CVSS score: 6.5) – Windows Hyper-V Denial of Service Vulnerability
- CVE-2024-21357 (CVSS score: 7.5) – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
- CVE-2024-21380 (CVSS score: 8.0) – Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability
- CVE-2024-21410 (CVSS score: 9.8) – Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2024-21413 (CVSS score: 9.8) – Microsoft Outlook Remote Code Execution Vulnerability
“CVE-2024-21410 is an elevation of privilege vulnerability in Microsoft Exchange Server,” Satnam Narang, senior staff research engineer at Tenable, said in a statement. “This flaw is more likely to be exploited by attackers according to Microsoft.”
“Exploiting this vulnerability could result in the disclosure of a targeted user’s Net-New Technology LAN Manager (NTLM) version 2 hash, which could be relayed back to a vulnerable Exchange Server in an NTLM relay or pass-the-hash attack, which would allow the attacker to authenticate as the targeted user.”
The security update further resolves 15 remote code execution flaws in the Microsoft WDAC OLE DB provider for SQL Server that an attacker could exploit by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB.
Rounding off the patch is a fix for CVE-2023-50387 (CVSS score: 7.5), a 24-year-old design flaw in the DNSSEC specification that can be abused to exhaust CPU resources and stall DNS resolvers, resulting in a denial-of-service (DoS).
The vulnerability has been codenamed KeyTrap by the National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt.
“They demonstrated that just with a single DNS packet the attack can exhaust the CPU and stall all widely used DNS implementations and public DNS providers, such as Google Public DNS and Cloudflare,” the researchers said. “In fact, the popular BIND 9 DNS implementation can be stalled for as long as 16 hours.”
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —
- Adobe
- AMD
- Android
- Arm
- ASUS
- Atos
- Canon
- Cisco
- Dell
- Drupal
- ExpressVPN
- F5
- Fortinet
- GitLab
- Google Chrome
- Google Cloud
- Hitachi Energy
- HP
- IBM
- Intel
- ISC BIND 9
- Ivanti
- JetBrains TeamCity
- Juniper Networks
- Lenovo
- Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
- Mastodon
- MediaTek
- Mitsubishi Electric
- Mozilla Firefox, Firefox ESR, and Thunderbird
- NVIDIA
- PowerDNS
- QNAP (more details about CVE-2023-47218 and CVE-2023-50358)
- Qualcomm
- Rockwell Automation
- Samsung
- SAP
- Schneider Electric
- Siemens
- SolarWinds
- SonicWall
- Spring Framework
- Synology
- Veeam
- Veritas
- VMware
- WordPress
- Zoom, and
- Zyxel
Some parts of this article are sourced from:
thehackernews.com