Cybersecurity Alert: Microsoft Fixes Two Actively Exploited Flaws
In the latest Patch Tuesday update released by Microsoft in February 2024, a total of 73 vulnerabilities in the company’s software were addressed, including two zero-day vulnerabilities that were actively being exploited by malefactors, and one truly ancient vulnerability that has persisted in Windows for 24 years.
Among the rectified vulnerabilities, five were deemed critical, 65 were classified as important, and three as moderate. Furthermore, 24 flaws in Microsoft’s Chromium-based browser, Edge, were also remedied.
Two vulnerabilities, actively exploited at the time of the update’s release, garnered particular attention:
- CVE-2024-21351 (CVSS score 7.6), related to bypassing Windows SmartScreen protection;
- CVE-2024-21412 (CVSS score 8.1), allowing for the circumvention of protection in internet shortcut files.
Microsoft highlighted the severity of CVE-2024-21351, noting the possibility of malicious code injection by an attacker with the potential for code execution, which could lead to data breaches or system malfunctions. Meanwhile, CVE-2024-21412 enables an unauthenticated attacker to bypass protective measures by sending a specially crafted file to a potential victim.
Both vulnerabilities have been included in the Known Exploited Vulnerabilities (KEV) catalog by the United States Cybersecurity and Infrastructure Security Agency (CISA), with a recommendation for U.S. federal agencies to apply the necessary updates by March 5, 2024.
Additionally, five other critical vulnerabilities were rectified:
- CVE-2024-20684 (CVSS score 6.5) – a vulnerability in Windows Hyper-V leading to a denial of service
- CVE-2024-21357 (CVSS score 7.5) – a remote code execution vulnerability in Windows Pragmatic General Multicast (PGM)
- CVE-2024-21380 (CVSS score 8.0) – an information disclosure vulnerability in Microsoft Dynamics Business Central / NAV
- CVE-2024-21410 (CVSS score 9.8) – a privilege escalation vulnerability in Microsoft Exchange Server
- CVE-2024-21413 (CVSS score 9.8) – a remote code execution vulnerability in Microsoft Outlook
The update also includes the rectification of the foundational CVE-2023-50387 flaw (CVSS score 7.5) in the DNSSEC specification, which had been present for an entire 24 years. It could be exploited to exhaust CPU resources and block DNS resolvers, causing a denial of service.
