Breaking Down the Latest February 2024 Patch Tuesday Report

Microsoft has released its February Patch Tuesday security updates, addressing 73 vulnerabilities across Windows, Office, Exchange Server, Azure, Dynamics, and other products. This includes fixes for two zero-day vulnerabilities that are being actively exploited in the wild.

The two zero-days are a Windows SmartScreen bypass (CVE-2024-21351) and an Internet Shortcut files bypass (CVE-2024-21412). Both allow attackers to evade security warnings and potentially execute malicious code.

Other critical flaws include a remote code execution bug in Exchange Server (CVE-2024-21410) and Outlook (CVE-2024-21413), an information disclosure issue in Dynamics Business Central (CVE-2024-21380), and denial of service bugs in Windows Hyper-V (CVE-2024-20684) and Windows PGM (CVE-2024-21357).

In total, Microsoft addressed 5 critical vulnerabilities and 68 important ones. The most common issues are remote code execution (31 bugs), elevation of privilege (16 bugs), and spoofing (10 bugs).

Key products receiving security updates include Windows, Office, Exchange Server, Azure, Dynamics 365, .NET Framework, Windows Hyper-V, and Microsoft Edge. Administrators should prioritize testing and deploying patches for the actively exploited zero-days and remote code execution flaws.

Additional steps may be required to fully remediate some vulnerabilities, such as enabling Extended Protection for Authentication in Exchange Server. Overall, applying these critical monthly security updates helps harden environments against emerging threats.

Update for Windows 11 users: Microsoft has published KB5034765 for Windows 11. Visit this page to learn what the KB5034765 update contains.

Update for Windows 10 users: Microsoft has published KB5034763 for Windows 10. Visit this page to learn what the KB5034763 update contains.

Key Highlights – Patch Tuesday February 2024

Microsoft’s February 2024 Patch Tuesday addressed 73 vulnerabilities, including two actively exploited zero-days: CVE-2024-21351 (Windows SmartScreen bypass) and CVE-2024-21412 (Internet Shortcut files bypass).

Key highlights are:

  • Total flaws: 73 total bugs fixed, with 5 critical and 68 important.

  • Vulnerability types: Remote code execution (31 bugs) leads, followed by elevation of privilege (16) and spoofing (10).

  • Zero-days: The two zero-days allow bypassing security warnings and executing malicious code.

  • Critical bugs: Other critical issues include RCEs in Exchange Server, Outlook, information disclosure in Dynamics, and DoS in Hyper-V and Windows PGM.

  • Notable issues: Important RCEs in .NET, ActiveX, Office components. Privilege escalations in Windows kernel and Azure services.

  • Key products: Windows, Office, Exchange Server, Azure, Dynamics 365, .NET Framework, Windows Hyper-V, Microsoft Edge.

Administrators should prioritize testing and deployment of patches, focusing on the actively exploited zero-days and remote code executions. These February updates continue to secure Microsoft’s ecosystem against emerging threats.

Zero-day Vulnerabilities Patched in February 2024

The two zero-days patched in the February 2024 release are:

| CVE ID | Description | CVSSv3 | Severity |
| --- | --- | --- | --- |
| CVE-2024-21412 | Internet Shortcut Files Security Feature Bypass Vulnerability | 8.1 | Important |
| CVE-2024-21351 | Windows SmartScreen Security Feature Bypass Vulnerability | 7.6 | Moderate |

CVE-2024-21412 – Internet Shortcut Files Security Feature Bypass Vulnerability

  • Vulnerability type: Security Feature Bypass

  • Affected product: Internet Shortcut Files

  • CVSS v3 base score: 8.1

  • Severity rating: Important

This vulnerability allows an unauthenticated attacker to bypass the security warning dialogs typically displayed when a user opens an Internet Shortcut (.url) file from an untrusted source.

Successful exploitation requires the attacker to convince the user to open a specially crafted malicious .url file. This could be done via social engineering through email, messaging apps, forums, etc. Once opened, the file would bypass the warnings about potentially malicious content from the internet, enabling further attacks.

The CVSS v3 base score is 8.1 out of 10, indicating a vulnerability that is “high” severity. However, Microsoft rates this as “Important” rather than “Critical” in their own severity scale, likely because it requires user interaction to exploit.

The fact that Microsoft observed active exploitation of this zero-day vulnerability before a patch was issued underscores the urgency of applying the fix released as part of the February 2024 Patch Tuesday updates.

CVE-2024-21351 – Windows SmartScreen Security Feature Bypass Vulnerability

  • Vulnerability type: Security Feature Bypass

  • Affected product: Windows SmartScreen

  • CVSS v3 base score: 7.6

  • Severity rating: Moderate

This vulnerability allows an attacker to bypass Windows SmartScreen warnings and protections. SmartScreen is a security feature that scans web pages and files for threats.

To exploit this, an attacker would have to convince the user to open a malicious file that then could bypass SmartScreen checks and achieve remote code execution.

The CVSS v3 base score is 7.6 out of 10, putting it in the “High” severity bracket. However, Microsoft rated this moderate severity, likely because it requires social engineering for exploitation.

Microsoft reported that this vulnerability was being actively exploited in the wild at the time of disclosure. This makes rapidly patching this flaw critically important to prevent attacks leveraging this technique.

Successful exploitation could allow attackers to inject malicious code into SmartScreen processes for heightened system access and potential data exposure or denial of service.

Critical Vulnerabilities Patched in February 2024

The five vulnerabilities rated Critical in the February 2024 release are:

| CVE | Description | CVSS Score |
| --- | --- | --- |
| CVE-2024-21410 | Microsoft Exchange Server Elevation of Privilege Vulnerability | 9.8 |
| CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability | 9.8 |
| CVE-2024-21380 | Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability | 8.0 |
| CVE-2024-21357 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | 7.5 |
| CVE-2024-20684 | Windows Hyper-V Denial of Service Vulnerability | 6.5 |

CVE-2024-21410 – Microsoft Exchange Server Elevation of Privilege Vulnerability

  • Vulnerability type: Elevation of Privilege

  • Affected product: Microsoft Exchange Server

  • CVSS v3 base score: 9.8

  • Severity rating: Critical

This vulnerability allows an unauthenticated remote attacker to relay leaked Net-NTLMv2 hashes and essentially impersonate or authenticate as other users on a vulnerable Exchange Server.

The attacker could potentially obtain the Net-NTLMv2 credentials through a separate vulnerability then use them to exploit this flaw and gain unauthorized access acting as the victimized user.

With a CVSS v3 base score of 9.8 out of 10, this is deemed a “critical” severity vulnerability. The high score reflects the ease of remote exploitability and high potential impact in terms of compromising Exchange Server accounts.

Microsoft noted that while patches are available, additional steps are required including updating to Exchange Server 2019 Cumulative Update 14 (CU14) and enabling the Extended Protection for Authentication (EPA) feature. Careful patching and credential hygiene are vital to security.

CVE-2024-21413 – Microsoft Outlook Remote Code Execution Vulnerability

  • Vulnerability type: Remote Code Execution

  • Affected product: Microsoft Outlook

  • CVSS v3 base score: 9.8

  • Severity rating: Critical

This vulnerability allows an attacker to bypass Office Protected View and open specially crafted files in editing mode rather than protected mode. Doing so enables malicious code execution.

The CVSS v3 base score is 9.8 out of 10, putting it in the “critical” severity tier, which aligns with Microsoft’s own rating. Successful exploitation could lead to malware execution, data exposure, or possible system takeover.

Attack vectors include convincing users to open malicious emails or attachments. Specific to this CVE, the Outlook Preview Pane is listed as a vector, meaning previewing alone could trigger exploitation and code execution.

Microsoft has released several patches, including some that require multiple installs across 32-bit and 64-bit Office 2016 versions to fully mitigate the vulnerability. Careful deployment is essential for protection.

This flaw also highlights the importance of ongoing staff security training, given the social engineering often required to exploit critical remote code execution bugs.

CVE-2024-21380 – Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability

  • Vulnerability type: Information Disclosure

  • Affected product: Microsoft Dynamics Business Central/NAV

  • CVSS v3 base score: 8.0

  • Severity rating: Critical

This vulnerability allows an authenticated attacker to potentially access other tenants’ data and applications within the multi-tenant Microsoft Dynamics Business Central/NAV software.

Successful exploitation requires the attacker to convince the user to click on a specially crafted URL. There is also a race condition that must occur for the exploit to fully succeed.

The CVSS v3 base score is 8.0 out of 10, putting it in the “high” severity tier. Along with Microsoft’s own critical severity rating, this reflects the significance of the unauthorized data access and account control implications.

While authentication is required, the business-critical nature of the Dynamics platform makes this an important vulnerability to patch quickly. Successful exploitation could allow attackers to access sensitive customer information or perform unauthorized actions.

CVE-2024-21357 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

  • Vulnerability type: Remote Code Execution

  • Affected product: Windows Pragmatic General Multicast (PGM)

  • CVSS v3 base score: 7.5

  • Severity rating: Critical

This remote code execution vulnerability exists in the Windows PGM networking feature. PGM is a transport protocol that enables reliable data transfer to multiple receivers.

While Microsoft assigns this a Critical severity rating, the CVSS v3 base score is 7.5 out of 10. Exploitation is also limited to systems connected to the same network or virtual network as the attacker.

Attack complexity is considered high since additional actions are required by a threat actor prior to successful exploitation. Still, the security implications of remote code execution vulnerabilities make this an important patch to address.

Applying the Microsoft updates for CVE-2024-21357 will mitigate the potential for exploits leveraging this network transport protocol vulnerability and executing arbitrary code on impacted endpoints.

CVE-2024-20684 – Windows Hyper-V Denial of Service Vulnerability

  • Vulnerability type: Denial of Service

  • Affected product: Windows Hyper-V

  • CVSS v3 base score: 6.5

  • Severity rating: Critical

This denial-of-service (DoS) vulnerability exists in Windows Hyper-V, the native hypervisor-based virtualization platform in Windows.

The vulnerability could enable a guest virtual machine to adversely impact the functionality of the hosting Hyper-V server. While it scores only 6.5 CVSS and requires local access, a successful DoS attack could still lead to a shutdown of virtualized workloads.

Microsoft rated this bug as Critical severity, likely due to the potential disruption it could cause to business-critical virtual infrastructure. However, the attack complexity is higher since software would need to be specifically designed to trigger the flaw.

Applying Microsoft’s patch for CVE-2024-20684 will mitigate the possibility of a virtual machine being able to crash or disable the Windows Hyper-V host system and associated services.

Vulnerabilities by Category

Bar chart showing the number of cybersecurity vulnerabilities categorized by type for February 2024, with 'Remote Code Execution' being the most common.

Microsoft addressed 73 total vulnerabilities in February, spanning:

  • Remote Code Execution – 31

  • Elevation of Privilege – 16

  • Information Disclosure – 5

  • Security Feature Bypass – 3

  • Denial of Service – 9

  • Spoofing – 10

Remote code execution vulnerabilities continue to dominate, representing 41% of the February updates. Successful exploits of these critical bugs enable arbitrary code execution for extensive system control.

The second most prevalent category is elevation of privilege at 22%. These empower threat actors to increase compromised user rights to further objectives.

While less frequent, spoofing, denial of service, and information disclosure flaws enable attack chains and should also undergo patching. Spoofing now represents 14% of February fixes.

Overall, systematically addressing these complex categories of risk is essential against today’s advanced, determined adversaries across enterprise attack surfaces. Prioritizing by potential business impact is key.

Complete List of Vulnerabilities Patched in February 2024 Patch Tuesday

Download the complete list of vulnerabilities by product patched in the February 2024 Patch Tuesday here.

Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| | Microsoft Entra Jira Single-Sign-On Plugin Elevation of Privilege Vulnerability | No | No | 9.8 |
| | Microsoft Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 9.3 |
| | Microsoft Azure Kubernetes Service Confidential Container Remote Code Execution Vulnerability | No | No | 9 |
| | Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability | No | No | 9 |
| | Azure Connected Machine Agent Elevation of Privilege Vulnerability | No | No | 7.3 |
| | Microsoft Azure Active Directory B2C Spoofing Vulnerability | No | No | 6.8 |
| | Azure Stack Hub Spoofing Vulnerability | No | No | 6.5 |
| | Microsoft Azure File Sync Elevation of Privilege Vulnerability | No | No | 5.3 |

Azure Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| | Azure DevOps Server Remote Code Execution Vulnerability | No | No | 7.5 |

Browser vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 8.3 |
| | Chromium: CVE-2024-1284 Use after free in Mojo | No | No | N/A |
| | Chromium: CVE-2024-1283 Heap buffer overflow in Skia | No | No | N/A |
| | Chromium: CVE-2024-1077 Use after free in Network | No | No | N/A |
| | Chromium: CVE-2024-1060 Use after free in Canvas | No | No | N/A |
| | Chromium: CVE-2024-1059 Use after free in WebRTC | No | No | N/A |

Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| | .NET Denial of Service Vulnerability | No | No | 7.5 |
| | .NET Denial of Service Vulnerability | No | No | 7.5 |

ESU Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| | Windows OLE Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft ActiveX Data Objects Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Windows Printing Service Spoofing Vulnerability | No | No | 7.5 |
| | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | No | No | 7.5 |
| | Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | 7.5 |
| | Internet Connection Sharing (ICS) Denial of Service Vulnerability | No | No | 7.5 |
| | Windows DNS Information Disclosure Vulnerability | No | No | 7.1 |
| | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7 |
| | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability | No | No | 7 |
| | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability | No | No | 7 |
| | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability | No | No | 6.5 |
| | Windows Network Address Translation (NAT) Denial of Service Vulnerability | No | No | 5.9 |
| | Windows Network Address Translation (NAT) Denial of Service Vulnerability | No | No | 5.9 |
| | Windows Kernel Information Disclosure Vulnerability | No | No | 4.6 |
| | MITRE: CVE-2023-50387 DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers | No | No | N/A |

Exchange Server vulnerabilities

Microsoft Dynamics vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | No | No | 8.2 |
| | Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability | No | No | 8 |
| | Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability | No | No | 7.6 |
| | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | No | No | 7.6 |
| | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | No | No | 7.6 |
| | Dynamics 365 Sales Spoofing Vulnerability | No | No | 7.6 |
| | Dynamics 365 Sales Spoofing Vulnerability | No | No | 7.6 |
| | Dynamics 365 Field Service Spoofing Vulnerability | No | No | 7.6 |

Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| | Microsoft Outlook Remote Code Execution Vulnerability | No | No | 9.8 |
| | Microsoft Outlook Remote Code Execution Vulnerability | No | No | 8 |
| | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Office OneNote Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Outlook Elevation of Privilege Vulnerability | No | No | 7.1 |
| | Skype for Business Information Disclosure Vulnerability | No | No | 5.7 |
| | Microsoft Teams for Android Information Disclosure | No | No | 5 |

System Center vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| | Microsoft Defender for Endpoint Protection Elevation of Privilege Vulnerability | No | No | 7.8 |

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| | Windows Kernel Elevation of Privilege Vulnerability | No | No | 8.8 |
| | Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability | No | No | 8.8 |
| | Internet Shortcut Files Security Feature Bypass Vulnerability | Yes | No | 8.1 |
| | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Windows SmartScreen Security Feature Bypass Vulnerability | Yes | No | 7.6 |
| | Windows DNS Client Denial of Service Vulnerability | No | No | 7.5 |
| | Windows Kernel Remote Code Execution Vulnerability | No | No | 6.8 |
| | Windows Hyper-V Denial of Service Vulnerability | No | No | 6.5 |
| | Windows USB Generic Parent Driver Remote Code Execution Vulnerability | No | No | 6.4 |
| | Windows Kernel Security Feature Bypass Vulnerability | No | No | 5.5 |
| | Trusted Compute Base Elevation of Privilege Vulnerability | No | No | 4.1 |

Bottom Line

Microsoft’s February 2024 Patch Tuesday release addressed 73 total vulnerabilities, headlined by fixes for two actively exploited zero-day flaws:

  • CVE-2024-21412 (Internet Shortcut File Security Feature Bypass)

  • CVE-2024-21351 (Windows SmartScreen Security Feature Bypass)

Additional key vulnerabilities included:

  • CVE-2024-21410 – Critical Exchange Server Elevation of Privilege issue that was also exploited in the wild.

  • CVE-2024-21413 – Critical remote code execution bug in Outlook.

  • Multiple critical remote code execution and privilege escalation vulnerabilities across Windows, Microsoft Office, Dynamics, and other products.

In total, 31 critical or high-severity remote code execution bugs were addressed this month along with 16 important elevation of privilege flaws. Information disclosure, spoofing, and denial of service issues rounded out the rest.

The extensive patch load stresses the importance of continuous monitoring, vulnerability management, and updating to counter sophisticated multi-stage attacks targeting enterprise networks. Prioritizing remediation efforts by potential business impact is crucial.
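The prioritization recommended throughout this report, applied to the seven CVEs it details, as an added example that is not part of the original article or any Microsoft tooling: exploited flaws first, then unexploited remote code execution, with Microsoft severity and CVSS as tie-breakers. The tier rule, field names and function names are assumptions of this example; the scores, ratings, exploitation status and follow-up steps are the ones stated in this article.

```python
from dataclasses import dataclass

# Values are copied from this article's tables and text; nothing is fetched.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2}


@dataclass(frozen=True)
class Vuln:
    cve: str
    kind: str            # vulnerability type as listed in the article
    cvss: float          # CVSS v3 base score
    severity: str        # Microsoft severity rating
    exploited: bool      # article reports exploitation in the wild
    follow_up: str = ""  # remediation step beyond installing the update


VULNS = [
    Vuln("CVE-2024-21412", "Security Feature Bypass", 8.1, "Important", True),
    Vuln("CVE-2024-21351", "Security Feature Bypass", 7.6, "Moderate", True),
    Vuln("CVE-2024-21410", "Elevation of Privilege", 9.8, "Critical", True,
         "Exchange Server 2019 CU14 and Extended Protection for Authentication"),
    Vuln("CVE-2024-21413", "Remote Code Execution", 9.8, "Critical", False,
         "multiple installs across 32-bit and 64-bit Office 2016"),
    Vuln("CVE-2024-21380", "Information Disclosure", 8.0, "Critical", False),
    Vuln("CVE-2024-21357", "Remote Code Execution", 7.5, "Critical", False),
    Vuln("CVE-2024-20684", "Denial of Service", 6.5, "Critical", False),
]


def tier(v):
    """0 = exploited in the wild, 1 = unexploited RCE, 2 = everything else."""
    if v.exploited:
        return 0
    return 1 if v.kind == "Remote Code Execution" else 2


def triage_order(vulns):
    """Exploited first, then RCE; ties broken by severity, then CVSS."""
    key = lambda v: (tier(v), SEVERITY_RANK[v.severity], -v.cvss, v.cve)
    return [v.cve for v in sorted(vulns, key=key)]


def cvss_order(vulns):
    """Baseline for comparison: highest CVSS base score first."""
    return [v.cve for v in sorted(vulns, key=lambda v: (-v.cvss, v.cve))]


def promoted(vulns):
    """CVEs the triage rule schedules earlier than CVSS alone: (old, new) rank."""
    base, ranked = cvss_order(vulns), triage_order(vulns)
    return {c: (base.index(c) + 1, ranked.index(c) + 1)
            for c in ranked if ranked.index(c) < base.index(c)}


def needs_follow_up(vulns):
    """CVEs where installing the update is not the whole remediation."""
    return {v.cve: v.follow_up for v in vulns if v.follow_up}


if __name__ == "__main__":
    for pos, cve in enumerate(triage_order(VULNS), 1):
        print(pos, cve)
    print(promoted(VULNS))
    print(needs_follow_up(VULNS))
```

Sorting by CVSS alone would place the exploited SmartScreen bypass fifth of seven; the tiered rule moves it to third, behind the other two exploited flaws.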

We’ll continue providing monthly Patch Tuesday analyses highlighting major security updates needing visibility. Please follow us on social media or subscribe to our website to receive the latest reports.
