Microsoft Releases February 2024 Security Updates

Scheduled updates for Microsoft products, including security updates for 73 vulnerabilities with 6 rated as critical

Summary


The following platforms are also known to be affected:

  • Internet Shortcut Files
  • Microsoft Office
  • Microsoft Entra Jira
  • Microsoft Defender for Endpoint
  • Microsoft Dynamics
  • Microsoft Edge (Chromium-based)
  • Microsoft Windows
  • Microsoft Office OneNote
  • Microsoft Teams for Android
  • Microsoft Windows DNS
  • Microsoft Office Word
  • Microsoft WDAC ODBC Driver
  • Microsoft ActiveX
  • Microsoft WDAC OLE DB provider for SQL
  • Azure DevOps
  • Azure Stack
  • Azure Connected Machine Agent
  • Azure Active Directory
  • Azure File Sync
  • Windows SmartScreen
  • Windows Kernel
  • Windows USB Serial Driver
  • Windows Message Queuing
  • Windows LDAP - Lightweight Directory Access Protocol
  • Windows OLE
  • Windows Internet Connection Sharing (ICS)
  • Windows Win32K - ICOMP
  • Windows Hyper-V
  • SQL Server
  • Role: DNS Server
  • Skype for Business
  • Trusted Compute Base
  • .NET

Threat details

Exploitation of CVE-2024-21351, CVE-2024-21412, CVE-2024-21413, CVE-2024-21410, and CVE-2024-21338

Microsoft has confirmed exploitation of CVE-2024-21351 (Windows SmartScreen security feature bypass vulnerability), CVE-2024-21412 (Internet Shortcut Files security feature bypass vulnerability) and CVE-2024-21410 (Microsoft Exchange Server Elevation of Privilege Vulnerability).

In late February 2024, Microsoft also confirmed that CVE-2024-21338 (Windows Kernel Elevation of Privilege Vulnerability) is being actively exploited by the Lazarus Group APT.

Microsoft has also confirmed that CVE-2024-21413 (Microsoft Outlook Remote Code Execution Vulnerability) is being exploited in the wild.


Introduction

Microsoft has released security updates to address 73 vulnerabilities, including six that are critical, which are highlighted in the vulnerability details below.


Vulnerability details

  • CVE-2024-21364 - CWE-269 - Improper Privilege Management

This is a critical elevation of privilege vulnerability affecting Microsoft Azure Site Recovery, with a CVSSv3 score of 9.3. An attacker with local access to a machine running Azure Site Recovery (ASR) could execute code that escalates privileges to IUSR (the Anonymous User Identity) and could discover the MySQL root password, which could in turn expose other stored encrypted credentials.

  • CVE-2024-21376 - CWE-94 - Improper Control of Generation of Code ('Code Injection')

This is a critical confidential container remote code execution vulnerability affecting Microsoft Azure Kubernetes Service, with a CVSSv3 score of 9.0. An attacker could access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers beyond the network stack it might be bound to.

  • CVE-2024-21401 - CWE-269 - Improper Privilege Management

This is a critical single-sign-on plugin elevation of privilege vulnerability affecting Microsoft Entra Jira, with a CVSSv3 score of 9.8. An attacker without logon could exploit this vulnerability to fully update Entra ID SAML metadata and info for the plugin, allowing them to change the authentication of the application to their tenant as needed.

  • CVE-2024-21403 - CWE-269 - Improper Privilege Management

This is a critical confidential container elevation of privilege vulnerability affecting Microsoft Azure Kubernetes Service, with a CVSSv3 score of 9.0. An attacker could exploit this vulnerability to steal credentials and affect resources beyond the security scope managed by Azure Kubernetes Service Confidential Containers (AKSCC).

  • CVE-2024-21410 - CWE-269 - Improper Privilege Management

This is a critical elevation of privilege vulnerability affecting Microsoft Exchange Server, with a CVSSv3 score of 9.8. An attacker could target an NTLM client such as Outlook with an NTLM credential-leaking vulnerability. The leaked credentials could then be relayed to the Exchange server to gain the privileges of the victim client and perform operations on the Exchange server on the victim's behalf.

  • CVE-2024-21413 - CWE-94 - Improper Control of Generation of Code ('Code Injection')

This is a critical remote code execution vulnerability affecting Microsoft Outlook, with a CVSSv3 score of 9.8. An attacker could craft a malicious link that bypasses the Protected View Protocol, leading to the eventual leaking of local NTLM credential information and remote code execution.


Threat updates

  • 12 Apr 2024 - Active exploitation of CVE-2024-21413. The cyber alert has been updated to reflect this change.
  • 29 Feb 2024 - Active exploitation of CVE-2024-21338. The cyber alert has been updated to reflect this change.
  • 16 Feb 2024 - Proof-of-concept for CVE-2024-21413. The cyber alert has been updated to reflect this change.
  • 15 Feb 2024 - Exploitation of CVE-2024-21410. The cyber alert has been updated to reflect this change.


Remediation advice

Affected organisations are encouraged to review Microsoft’s February 2024 Security Update Summary and apply the relevant updates.



Last edited: 12 April 2024 10:23 am