Executive Summary
In the February 2024 Patch Tuesday, Microsoft released fixes for a total of 79 vulnerabilities, including two zero-days.
73 of the vulnerabilities are Microsoft CVEs and 6 are non-Microsoft CVEs. Of those 6, 5 are Chromium flaws (CVSS scores in the 8.x and 9.x range) and 1 affects DNS Server.
We advise organisations to prioritise installation of these patches using a risk-based approach: exploited zero-days and internet-facing or user-facing components first. Below is a summary of the zero-days and of the vulnerabilities with a CVSS score of 8+ that Microsoft addressed in this release. For full details, refer to the Microsoft February 2024 Security Updates.
As a side note, you can explore the key highlights for Microsoft Patch Tuesday in January 2024, addressing 53 flaws, here.
Zero-Days
Microsoft addressed the following zero-day vulnerabilities in the February 2024 Patch Tuesday release.
CVE-2024-21412
CVE-2024-21412 is an Internet Shortcut Files (.URL) security feature bypass vulnerability with a CVSS score of 8.1. It allows an attacker to bypass the protections of Microsoft Defender SmartScreen. An advanced persistent threat actor exploited it in the wild before the fix, targeting financial market traders. Exploitation requires user interaction: the attacker must trick the user into clicking a specially crafted file link. Because the flaw is a bypass of a warning rather than a silent code-execution bug, patching restores the SmartScreen prompt; it does not remove the need for users to distrust unexpected .URL files.
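Since the vector here is the .URL file itself, a practical triage step is to inspect shortcut files from mail or downloads before anyone clicks them. The script below is an added example (not code from the original post or from Microsoft): it parses the INI-style `[InternetShortcut]` section of a .URL file and flags targets that are not ordinary web links. The heuristics (UNC or `file://` targets, non-web schemes, and a target that is itself another `.url` shortcut) are the editor's assumptions about what deserves review, not Microsoft's detection logic, and the sample shortcuts are constructed, using RFC 5737 documentation addresses.

```python
"""Triage helper for Internet Shortcut (.URL) files.

Added example, not code from the original post or from Microsoft. The
review heuristics are assumptions about what is worth a closer look.
"""
from dataclasses import dataclass, field
from urllib.parse import unquote, urlparse

WEB_SCHEMES = {"http", "https"}


def parse_internet_shortcut(text: str) -> dict:
    """Return lower-cased key -> value pairs of the [InternetShortcut] section.

    Other sections are ignored. Tolerates a BOM, CRLF line endings, blank
    lines and ';'/'#' comments, since real-world shortcuts are often hand-edited.
    """
    values = {}
    in_section = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def classify_target(target: str) -> list:
    """Return review reasons for a shortcut target; [] means it looks like a plain web link."""
    reasons = []
    t = target.strip()
    if not t:
        return ["empty target"]
    if t.startswith("\\\\") or t.startswith("//"):
        # \\host\share\... (or //host/share/...) is a UNC path to a remote share.
        reasons.append("target is a UNC path (remote share)")
        path = t
    else:
        parsed = urlparse(t)
        scheme = parsed.scheme.lower()
        if scheme == "file":
            if parsed.netloc:
                reasons.append("file:// target on a remote host")
            else:
                reasons.append("file:// target (local path)")
        elif scheme not in WEB_SCHEMES:
            reasons.append(f"non-web scheme {scheme or '(none)'!r}")
        path = parsed.path
    # A shortcut whose target is another shortcut is worth a look on its own.
    if unquote(path).lower().rstrip().endswith(".url"):
        reasons.append("target is itself a .url shortcut (nested shortcut)")
    return reasons


@dataclass
class UrlFinding:
    name: str
    target: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_shortcut(name: str, text: str) -> UrlFinding:
    fields = parse_internet_shortcut(text)
    target = fields.get("url", "")
    return UrlFinding(name, target, classify_target(target))


# Constructed sample shortcuts (not real attack artefacts).
SAMPLES = {
    "benign.url": "[InternetShortcut]\r\nURL=https://example.com/report\r\n",
    "nested-file.url": "[InternetShortcut]\r\nURL=file://203.0.113.10/share/brochure.url\r\nIconIndex=1\r\n",
    "nested-unc.url": "\ufeff[InternetShortcut]\r\nURL=\\\\203.0.113.10\\share\\invoice.url\r\n",
    "no-section.url": "URL=https://example.com/\r\n",
}


def triage_all(samples=SAMPLES) -> dict:
    """Triage every sample and return name -> UrlFinding."""
    return {name: triage_shortcut(name, text) for name, text in samples.items()}


if __name__ == "__main__":
    for finding in triage_all().values():
        status = "REVIEW" if finding.suspicious else "ok"
        print(f"{status:6} {finding.name}: {finding.target or '(no URL=)'}")
        for reason in finding.reasons:
            print(f"         - {reason}")
```

Run it against a directory of quarantined attachments by reading each `.url` file's text into `triage_shortcut`; anything marked REVIEW is a candidate for closer inspection regardless of patch status.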
CVE-2024-21351
CVE-2024-21351 is a Windows SmartScreen security feature bypass vulnerability with a CVSS score of 7.6, also exploited in the wild before the fix. It allows a malicious actor to inject code into SmartScreen and potentially achieve code execution, which could lead to data exposure, loss of system availability, or both.
It is worth mentioning that the January 2024 and December 2023 Patch Tuesday releases did not include any zero-days.
Microsoft Azure
The company addressed the following Azure vulnerabilities with a CVSS score of 8+:
- An Azure Active Directory vulnerability, CVE-2024-21401, with a CVSS score of 9.8
- An Azure Site Recovery vulnerability, CVE-2024-21364, with a CVSS score of 9.3
- An Azure Kubernetes Service flaw, CVE-2024-21376, with a CVSS score of 9.0
- An Azure Kubernetes Service flaw, CVE-2024-21403, with a CVSS score of 9.0
Microsoft Exchange
The tech giant addressed an Exchange Server flaw, CVE-2024-21410, with a CVSS score of 9.8.
Microsoft Office
The company addressed the following CVSS 8+ vulnerabilities in Microsoft Office:
- CVE-2024-21413 with a CVSS score of 9.8
- CVE-2024-21378 on Microsoft Office Outlook with a CVSS score of 8.0
Microsoft ActiveX
Microsoft addressed CVE-2024-21349, with a CVSS score of 8.8, in Microsoft ActiveX Data Objects (ADO).
Windows
The company addressed the following CVSS 8+ flaws in the Windows OS. Per Microsoft's advisories, the WDAC ODBC driver and OLE DB provider flaws listed first are remote code execution bugs triggered when a user's client connects to an attacker-controlled SQL server, so they matter most on hosts whose users or services open connections to untrusted databases:
- A Microsoft WDAC ODBC Driver vulnerability, CVE-2024-21353, with a CVSS score of 8.8,
- CVE-2024-21352, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
- CVE-2024-21358, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
- CVE-2024-21359, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
- CVE-2024-21360, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
- CVE-2024-21361, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
- CVE-2024-21365, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
- CVE-2024-21366, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
- CVE-2024-21367, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
- CVE-2024-21368, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
- CVE-2024-21369, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
- CVE-2024-21370, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
- CVE-2024-21375, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
- CVE-2024-21391, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
- CVE-2024-21420, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
- A Windows Kernel flaw, CVE-2024-21345, with a CVSS score of 8.8,
- A Windows OLE flaw, CVE-2024-21372, with a CVSS score of 8.8.
Microsoft Edge
Microsoft addressed CVE-2024-21399, with a CVSS score of 8.8, on Microsoft Edge.
Additionally, the company included Google’s fixes for the following critical Chromium flaws:
There are no known exploits for the above Chromium vulnerabilities.
Microsoft Dynamics
Microsoft addressed the following CVSS 8+ vulnerabilities in Microsoft Dynamics:
- CVE-2024-21395, with a CVSS score of 8.2,
- CVE-2024-21380, with a CVSS score of 8.0.