Generic filters
Exact matches only
Search in title
Search in content
Filter by Custom Post Type
Posts
Filter by Categories







[CVSS 9+] Microsoft Feb 24 Patch Tuesday Highlights

Executive Summary

In the February 2024 Patch Tuesday, Microsoft released fixes for a total of 79 vulnerabilities, including two zero-days.

73 of the vulnerabilities are Microsoft CVEs and 6 of them are non-Microsoft CVEs. Out of those 6 flaws, 5 of them are related to Chromium with CVSS scores of 8+ and 9+, and 1 is related to DNS Server.

We advise organisations to prioritise the installation of these patches by adopting a risk-based approach. Below is a summary of the zero-days and vulnerabilities with a CVSS score of 8+ that Microsoft addressed in this release. For more details, you can refer to the Microsoft February 2024 Security Updates.

As a side note, you can explore the key highlights for Microsoft Patch Tuesday in January 2024, addressing 53 flaws, here.

Zero-Days

Microsoft addressed following zero-day vulnerabilities February 2024 Patch Tuesday release.

CVE-2024-21412

CVE-2024-21412 is a security vulnerability with a CVSS score of 8.1. It is specifically related to Internet Shortcut Files (.URL) and affects Microsoft Defender SmartScreen by allowing bypass of its security features. An advanced persistent threat actor has exploited this vulnerability, targeting financial market traders. To successfully exploit this vulnerability, the threat actor must trick users into clicking on a specially crafted file link.


CVE-2024-21351

CVE-2024-21351 is a Windows SmartScreen security feature bypass vulnerability with a CVSS score of 7.6. This vulnerability allows a malicious actor to inject code into SmartScreen, potentially enabling code execution which could lead to data exposure, lack of system availability, or both.

It is worth mentioning that the Microsoft Patch Tuesday releases in January and December did not include any zero-days.

Microsoft Azure

The company addressed following Azure vulnerabilities with a CVSS score of 8+:

  • An Azure Active Directory vulnerability, CVE-2024-21401, with a CVSS score of 9.8
  • An Azure Site Recovery vulnerability, CVE-2024-21364 on , with a CVSS score of 9.3
  • An Azure Kubernetes Service flaw, CVE-2024-21376, with a CVSS score of 9.0
  • An Azure Kubernetes Service flaw, CVE-2024-21403, with a CVSS score of 9.0
Microsoft Exchange

The tech giant addressed an Exchange Server flaw, CVE-2024-21410, with a CVSS score of 9.8.

Microsoft Office

The company addressed following CVSS 8+ vulnerabilities on Microsoft Office:

Microsoft ActiveX

Microsoft addressed CVE-2024-21349, with a CVSS score of 8.8 on Microsoft AciveX framework.

Windows

The company addressed following CVSS 8+ flaws on Windows OS:

  • A Microsoft WDAC ODBC Driver vulnerability, CVE-2024-21353, with a CVSS score of 8.8,
  • CVE-2024-21352, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
  • CVE-2024-21358, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
  • CVE-2024-21359, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
  • CVE-2024-21360, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
  • CVE-2024-21361, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
  • CVE-2024-21365, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
  • CVE-2024-21366, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
  • CVE-2024-21367, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
  • CVE-2024-21368, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
  • CVE-2024-21369, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
  • CVE-2024-21370, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
  • CVE-2024-21375, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
  • CVE-2024-21391, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
  • CVE-2024-21420, with a CVSS score of 8.8, on Microsoft WDAC OLE DB provider for SQL,
  • A Windows Kernel flaw, CVE-2024-21345, with a CVSS score of 8.8,
  • A Windows OLE flaw, CVE-2024-21372, with a CVSS score of 8.8.
Microsoft Edge

Microsoft addressed CVE-2024-21399, with a CVSS score of 8.8, on Microsoft Edge.

Additionally, the company included Google’s fixes for the following critical Chromium flaws:

There are no known exploits for the above Chromium vulnerabilities.

Microsoft Dynamics

Microsoft addressed following CVSS 8+ vulnerabilities on Microsoft Dynamics:

RECENT BLOG POSTS

PODCASTS

Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.