Skip links

Crims found and exploited these two Microsoft bugs before Redmond fixed ’em

Patch Tuesday Microsoft fixed 73 security holes in this February’s Patch Tuesday, and you better get moving because two of the vulnerabilities are under active attack.

Of the whole bundle five are rated critical and two others, rated important and moderate threats, are the pair being exploited in the wild.

First up: CVE-2024-21412, an internet shortcut file security feature bypass vulnerability that earned an 8.1-out-of-10 CVSS severity rating though Redmond only considers it important. After a user clicks on a maliciously crafted shortcut file on a vulnerable Windows machine, the file can start the next stage of an attack without causing security checks to appear on the screen.

Trend Micro’s Zero Day Initiative researchers were among those to spot the bug and report it to Redmond. According to Trend’s researchers, a financially motivated gang it tracks as Water Hydra (aka DarkCasino) abused this bypass flaw to trick financial traders into ultimately infecting their PCs with DarkMe – a remote-access trojan seeded in forex trading forums and stock trading Telegram channels.

This same crew previously used the WinRAR code execution vulnerability CVE-2023-38831 months before it was disclosed, again to target stock traders with the same malware. Shortly thereafter, Russian and Chinese crews joined in and The Register expects to see a similar pile-on with CVE-2024-21412. So patch this one ASAP.

The second Microsoft vulnerability that’s under active exploit (also rated moderate), CVE-2024-21351, is a Windows SmartScreen security feature bypass vulnerability that earned a 7.6 CVSS rating. We don’t know who is exploiting this bug, nor how widespread the attacks are – Microsoft rarely provides any insight into either of these things.

Windows uses Mark of the Web as a security feature to identify files downloaded from the internet, which when opened triggers a SmartScreen check. This SmartScreen bypass bug could allow an attacker to “inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both,” according to Redmond.

Exploitation would turn SmartScreen on its own users, therefore.

As for the critical flaws:

  • CVE-2024-21380: Microsoft Dynamics Business Central information disclosure, in that an authenticated user could trick a fellow user into clicking on a link that could lead to the leakage of account data and more.
  • CVE-2024-21410: Elevation of privilege in Microsoft Exchange Server, which can be exploited by a remote unauthenticated miscreant to impersonate users. Patching this requires extra steps.
  • CVE-2024-21413: Remote code execution in Microsoft Office, in that protected view can be bypassed leading “to the leaking of local NTLM credential information and remote code execution.”
  • CVE-2024-20684: Denial-of-service in Windows Hyper-V.
  • CVE-2024-21357: Remote code execution in Windows Pragmatic General Multicast.

The Zero Day Initiative has a full rundown here.

Adobe February updates

Adobe released six patches that fix 29 vulnerabilities in its Commerce, Acrobat and Reader, FrameMaker Publishing Server, Audition, Substance 3D Painter, and Substance 3D Designer products.

Two of the patches fix critical remote code execution (RCE) vulnerabilities present in Commerce and in Acrobat and Reader. Luckily, none of these CVEs appear to have been found, or exploited, before Adobe issued fixes.

SAP stamps out 16 Security Notes

SAP released 16 Security Notes – 13 of which are new and the other three representing updates to earlier patches. SAP has its own threat ranking system and labels two fixes as HotNews and six as High Priority Notes, with the rest being considered medium or low risk.

The only fresh HotNews Note, #3420923, addresses a critical code injection vulnerability in cross-application component SAP_ABA that received a CVSS score of 9.1 out of ten.

The other HotNews Note this month is a recurring fix for the most recent Chromium vulnerabilities (33 in total) for SAP Business Client.

Intel fixes everything

Intel joined the February patch party with a whopping 35 advisories addressing 79 CVEs. None are rated critical, and none seem to have been exploited in the wild.

Twenty of these vulnerabilities – including three high-rated bugs – are in Intel Thunderbolt Declarative Componentized Hardware drivers for Windows, and exploiting them could lead to escalation of privileges by an attacker, denial of service, and/or information disclosure.

Intel also sounded the alarm on three high-rated escalation of privilege vulnerabilities in some Arm Development Studio for Intel System-on-a-Chip FPGA software. There’s also one high-rated improper access control flaw in some Intel PROSet/Wireless and Intel Killer Wi-Fi software that may allow an unauthenticated user to cause a denial of service attack via local access.

We should also mention: AMD has patched a flaw in the RSA authentication mechanism of its UltraScale and UltraScale+ FPGAs, which can be exploited to inject unauthorized bitstreams into arrays; two SEV firmware vulnerabilities that potentially affect the security of guest VMs on shared hosts; four low-level processor holes, the worst of which could result in privilege escalation; and 20 flaws in its embedded CPU products.

Cisco updates some earlier alerts

Cisco, so far this month, has issued four security advisories addressing six CVEs. This includes an updated fix for CVE-2024-20290 – a 7.5-rated vulnerability in the OLE2 file format parser of ClamAV that could allow an unauthenticated remote attacker to cause a denial of service condition.

And yesterday, the networking giant updated an advisory addressing three vulnerabilities – collectively rated 9.6 – in the Cisco Expressway series unified comms kit. The flaws could allow an unauthenticated, remote attacker to conduct cross-site request forgery infiltration.

And … Android

Finally, earlier this month Google addressed about 30 CVEs in its February Android security bulletin.

The most serious of the bunch, CVE-2024-0031, is “a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed,” the Chocolate Factory warned. ®