Microsoft patches two zero-days for Valentine’s Day
Two security feature bypasses affecting Microsoft SmartScreen are on the February Patch Tuesday docket, among more than 70 issues
Microsoft has patched two actively exploited zero-day vulnerabilities in its February Patch Tuesday – a pair of security feature bypasses affecting Internet Shortcut Files and Windows SmartScreen respectively – out of a total of just over 70 vulnerabilities disclosed in the second drop of 2024.
Among some of the more pressing issues this month are critical vulnerabilities in Microsoft Dynamics, Exchange Server, Office, and Windows Hyper-V and Pragmatic General Multicast, although none of these flaws are being used in the wild quite yet.
Water Hydra
The first of the two zero-days is tracked as CVE-2024-21412 and was discovered by Trend Micro researchers. It appears to be being used to target foreign exchange traders specifically by a group tracked as Water Hydra.
According to Trend Micro, the cyber criminal gang is leveraging CVE-2024-21412 as part of a much wider attack chain in order to bypass SmartScreen and deploy a remote access trojan (RAT) called DarkMe, likely as a precursor to future attacks, possibly involving ransomware.
“CVE-2024-21412 represents a critical vulnerability characterised by sophisticated exploitation of the Microsoft Defender SmartScreen via a zero-day flaw,” explained Saeed Abbasi, product manager for vulnerability research at the Qualys Threat Research Unit.
“This vulnerability is exploited through a specially crafted file delivered by phishing tactics, which cleverly manipulates internet shortcuts and WebDAV components to bypass the displayed security checks.
“The exploitation requires user interaction; attackers must convince the targeted user to open a malicious file, highlighting the importance of user awareness alongside technical defences. The impact of this vulnerability is profound, compromising security and undermining trust in protective mechanisms like SmartScreen,” said Abbasi.
The second zero-day, tracked as CVE-2024-21351, is remarkably similar to the first in that, in a roundabout way, it also affects the SmartScreen service. In this case, however, it enables an attacker to get around the checks SmartScreen performs on files carrying the so-called Mark-of-the-Web (MotW), the tag that flags a file as having been downloaded from the internet and therefore not to be trusted by default, and run their own code.
“This bypass can occur with minimal user interaction, requiring only that a user opens a malicious file,” said Abbasi. “The impact of this exploit includes potential unauthorised access to data (some loss of confidentiality), severe manipulation or corruption of data (total loss of integrity), and partial disruption of system operations (some loss of availability).
“The significance of this vulnerability lies in its ability to undermine a critical security defence against malware and phishing attacks, emphasising the urgency for users to update their systems to mitigate the risk.”
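Both zero-days hinge on the same two things: whether a file carries the Mark-of-the-Web, and whether an Internet Shortcut (.url) file quietly points somewhere remote such as a WebDAV share. The following PowerShell is an added example for triaging such files on a Windows host; it is not code from the article, Trend Micro or Microsoft. It reads the MotW from the Zone.Identifier alternate data stream, parses the INI-style .url format, and flags targets that resolve to UNC or WebDAV paths. The file name, the 203.0.113.10 address and the payload name are constructed for the demonstration.

```powershell
# Added example: triage downloaded Internet Shortcut (.url) files for Mark-of-the-Web
# and for targets that point at remote UNC/WebDAV shares.
# Assumes Windows PowerShell 5.1+ on an NTFS volume (needed for alternate data streams).

function Get-MotWZone {
    param([Parameter(Mandatory)][string]$Path)
    # MotW is stored in the Zone.Identifier stream; ZoneId 3 = Internet, 4 = Restricted Sites
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Test-InternetShortcut {
    param([Parameter(Mandatory)][string]$Path)
    # .url files are INI-style: an [InternetShortcut] section with a URL= key
    $url = $null
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'InternetShortcut'); continue }
        if ($inSection -and $line -match '^URL=(.*)$') { $url = $Matches[1].Trim(); break }
    }
    # Remote-share heuristics: UNC paths (\\host\share), file:// URLs, the WebDAV
    # mini-redirector forms host@SSL / host@<port>, and the DavWWWRoot marker
    $remoteShare = $false
    if ($url) {
        $remoteShare = ($url -match '^(\\\\|file://)') -or
                       ($url -match '@(SSL|\d+)[\\/]') -or
                       ($url -match 'DavWWWRoot')
    }
    [pscustomobject]@{
        Path        = $Path
        Target      = $url
        ZoneId      = Get-MotWZone -Path $Path
        RemoteShare = [bool]$remoteShare
    }
}

# Constructed sample: simulate a phishing attachment saved from a browser (ZoneId 3)
$sample = Join-Path $env:TEMP 'invoice.url'
Set-Content -LiteralPath $sample -Encoding Ascii -Value "[InternetShortcut]`r`nURL=file://203.0.113.10@80/DavWWWRoot/payload.url"
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

$result = Test-InternetShortcut -Path $sample
$result | Format-List
if ($result.RemoteShare) {
    Write-Warning "$($result.Path) targets a remote share ($($result.Target)); only SmartScreen/MotW stands between the user and that content"
}
Remove-Item -LiteralPath $sample -Force
```

Run this against a download folder with `Get-ChildItem -Filter *.url | ForEach-Object { Test-InternetShortcut -Path $_.FullName }`. A .url file with no Zone.Identifier stream at all is worth a second look too: a missing MotW means SmartScreen will never be consulted when it is opened, which is exactly the condition these bypasses aim to produce.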
Critical vulns
The five critical vulnerabilities this month are, in CVE number order:
- CVE-2024-20684, a denial of service (DoS) vulnerability in Windows Hyper-V;
- CVE-2024-21357, a remote code execution (RCE) vulnerability in Windows Pragmatic General Multicast (PGM);
- CVE-2024-21380, an information disclosure vulnerability in Microsoft Dynamics Business Central/NAV;
- CVE-2024-21410, an elevation of privilege (EoP) vulnerability in Microsoft Exchange Server;
- CVE-2024-21413, an RCE vulnerability in Microsoft Office.
Assessing this month’s critical vulnerabilities, security experts zoomed in on CVE-2024-21410 in Microsoft Exchange in particular. Kev Breen, senior director of threat research at Immersive Labs, said that it should be high on the list because, while it isn’t marked as being actively exploited, it is much more likely to be exploited.
“This particular vulnerability is known as an NTLM relay or pass-the-hash attack, and this type of attack is a favourite for threat actors as it enables them to impersonate users in the network,” he said.
“The way this vulnerability works is that if an attacker is able to obtain your NTLM hash, they effectively have the encoded version of your password and can log in to the Exchange Server as you. Microsoft specifically calls out past vulnerabilities like the Outlook zero-click exploit CVE-2023-35636 as one method attackers can gain access to this NTLM hash.”
“Financially motivated attackers will likely be quick to try and weaponise this as it allows for more convincing business email compromise attacks where they can intercept, read and send legitimate email on behalf of staff, for example, from the CEO or CFO,” he said.
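The relay attack Breen describes works because NTLM authentication on its own is not bound to the TLS connection it travels over, so a captured challenge-response can be replayed against Exchange’s IIS endpoints. The standard hardening is Extended Protection for Authentication, which ties the NTLM exchange to the channel and makes the relayed credential fail. The PowerShell below is an added example, not code from the article or from Microsoft, for checking which Exchange front-end virtual directories still accept Windows authentication without requiring Extended Protection. It assumes it is run on the Exchange server, that the WebAdministration module is present, and that the site and virtual directory names are the default ones.

```powershell
# Added example: report Extended Protection (channel binding) status on the Exchange
# front-end IIS virtual directories that accept NTLM. Assumes default site/vdir names.
Import-Module WebAdministration

function Get-ExchangeExtendedProtectionReport {
    param(
        [string]$Site = 'Default Web Site',
        [string[]]$VirtualDirectories = @('Autodiscover','EWS','Mapi','Microsoft-Server-ActiveSync','OAB','PowerShell','Rpc','ecp','owa')
    )
    $filter = 'system.webServer/security/authentication/windowsAuthentication'
    foreach ($vdir in $VirtualDirectories) {
        # Read the windowsAuthentication element scoped to this vdir (location tag)
        $win = Get-WebConfiguration -PSPath "IIS:\Sites\$Site" -Location $vdir -Filter $filter -ErrorAction SilentlyContinue
        if (-not $win) { continue }
        [pscustomobject]@{
            VirtualDirectory = $vdir
            WindowsAuth      = [bool]$win.enabled
            # tokenChecking: None (no channel binding), Allow (opportunistic), Require (enforced)
            TokenChecking    = [string]$win.extendedProtection.tokenChecking
        }
    }
}

$report = Get-ExchangeExtendedProtectionReport
$report | Format-Table -AutoSize

# Anything that still authenticates with NTLM but does not *require* channel binding is relayable
$weak = $report | Where-Object { $_.WindowsAuth -and $_.TokenChecking -ne 'Require' }
if ($weak) {
    Write-Warning ("Extended Protection not enforced on: " + ($weak.VirtualDirectory -join ', '))
}
```

Treat a `None` or `Allow` result on a Windows-authenticated directory as a finding. Microsoft’s supported way to turn the setting on is its Exchange Extended Protection configuration script rather than hand-editing IIS, because the back-end site and load-balancer TLS termination also have to be handled consistently for channel binding to work.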
Mike Walters, president and co-founder of Action1, drew attention to CVE-2024-21413, the Office RCE that affects Outlook, which carries a very high severity rating of 9.8 on the CVSS scale.
“Characterised by its network-based attack vector, the vulnerability requires no special privileges or user interaction for exploitation and could significantly impact confidentiality, integrity, and availability,” he said.
“An attacker can exploit this vulnerability through the preview pane in Outlook, allowing them to bypass Office Protected View and force files to open in edit mode, instead of in the safer protected mode,” said Walters.
Walters said that the threat posed by this vulnerability was extensive, potentially enabling an attacker to elevate their privileges and gain the ability to read, write and delete data. Added to this scenario, it could allow them to craft malicious links that bypass Protected View, resulting in the exposure of local NTLM credentials and potentially facilitating remote code execution. As such, it should be treated as a priority.