Microsoft has rolled out patches addressing 73 security vulnerabilities across its software suite as part of the February 2024 Patch Tuesday updates. Among these are two zero-day vulnerabilities currently under active exploitation.
Of the total vulnerabilities patched, 5 are classified as Critical, 65 as Important, and 3 as Moderate in severity. This update also includes fixes for 24 flaws in the Chromium-based Edge browser since January's Patch Tuesday release.
The two zero-day vulnerabilities being actively exploited are:
CVE-2024-21351 (CVSS score: 7.6) - Windows SmartScreen Security Feature Bypass Vulnerability
CVE-2024-21412 (CVSS score: 8.1) - Internet Shortcut Files Security Feature Bypass Vulnerability. Read More about this vulnerability here.
CVE-2024-21351 allows malicious actors to inject code into SmartScreen, potentially leading to data exposure or system unavailability. CVE-2024-21412 enables attackers to bypass security checks by sending specially crafted files to targeted users.
Both vulnerabilities have been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), with federal agencies urged to apply updates by March 5, 2024.
Additionally, Microsoft has patched five critical flaws, including CVE-2024-21410, an elevation of privilege vulnerability in Microsoft Exchange Server, which could result in the disclosure of a user's NTLM version 2 hash.
The update also addresses 15 remote code execution flaws in Microsoft WDAC OLE DB provider for SQL Server and fixes CVE-2023-50387, a 24-year-old design flaw in the DNSSEC specification known as KeyTrap, which can lead to denial-of-service attacks on DNS resolvers.
This patch aims to bolster the security posture of Microsoft's software suite and mitigate the risks posed by these vulnerabilities. Users and organizations are advised to apply the patches promptly to safeguard against potential exploitation and security breaches.