It’s the second patch Tuesday of the year, and Adobe and Microsoft have released a fresh crop of security updates just in time to be our Valentine. Take a break from your other activities and join us as we review the details of their latest advisories. For those interested in the Microsoft 0-day discovered by the ZDI Threat Hunting Team, you can watch this special edition of the Patch Report:
If you’d rather watch the full video recap covering the entire release, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.
Adobe Patches for February 2024
For February, Adobe released six patches addressing 29 CVEs in Adobe Acrobat and Reader, Commerce, Substance 3D Painter, FrameMaker Publishing Server, Audition, and Substance 3D Designer. A total of four of these bugs were reported through the ZDI program. If you need to prioritize, I would suggest starting with the update for Acrobat and Reader. The patch fixes five Critical-rated arbitrary code execution bugs that are often used in phishing and ransomware campaigns. The fix for Commerce also has a couple of Critical-rated code execution bugs being addressed. Considering this is an aptly named commerce platform, rolling patches quickly here also makes sense.
The updates for Substance 3D Painter and Substance 3D Designer address nine and one bug respectively. The most severe of these would result in arbitrary code execution, but they also require user interaction – something like opening a specially crafted file or browsing to a malicious URL. The patch for the FrameMaker Publishing Server (not to be confused with FrameMaker itself) fixes a security feature bypass (SFB) that’s rated at a CVSS 9.8. Although not specifically stated, that reads like either a complete authentication bypass or hard-coded credentials. The final patch for Adobe Audition corrects a single heap-based buffer overflow that could lead to arbitrary code execution.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.
Microsoft Patches for February 2024
This month, Microsoft released 72 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and ASP.NET; SQL Server; Windows Hyper-V; and Microsoft Dynamics. In addition to the new CVEs, multiple Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 78. Two of these bugs were reported through the ZDI program, including one of the bugs under active attack.
Of the new patches released today, five are rated Critical, 65 are rated Important, and two are rated Moderate in severity. This is a relatively typical volume of fixes for a February release, and so far, the number of fixes from Adobe and Microsoft is lower than last year over the same time. It will be interesting to see if this trend continues throughout 2024.
Two of these CVEs are listed as under active attack at the time of release, although neither is listed as publicly known. Let’s take a closer look at some of the more interesting updates for this month, starting with the discovery made by the ZDI Threat Hunting team:
- CVE-2024-21412 – Internet Shortcut Files Security Feature Bypass Vulnerability
This is the bug found by Peter Girnus and the rest of the ZDI Threat Hunting team. I won’t go into great detail about the technical aspects of the bug because my colleagues at Trend Micro Research have already done that here. The video above also provides some context and a demonstration of the vulnerability. This bug is currently being used to target forex traders with a remote access trojan through forum posts and responses, but we expect its use to spread now that it is publicly known. Trend Micro customers are already protected by various filters and virtual patches, but everyone else should test and deploy this fix as soon as possible.
- CVE-2024-21351 – Windows SmartScreen Security Feature Bypass Vulnerability
This is the other actively exploited bug being patched this month, and it appears to be very similar to the previous ITW exploit. Windows uses Mark-of-the-Web (MotW) to distinguish files that originate from an untrusted location. Bypasses of Windows Defender SmartScreen let attackers evade this inspection and run code in the background. Microsoft does not indicate how widespread these attacks may be, but you should expect exploits to increase as threat actors add this to their toolkits. Again, test and deploy this update quickly.
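Since both actively exploited bugs hinge on files slipping past Mark-of-the-Web checks, here is a defender-side audit, added as an example and not taken from the original post or from Microsoft: it walks a folder and reports which files carry the Zone.Identifier alternate data stream that Windows uses to store MotW. The default $Folder value is an assumption; point it at whatever location you want to review.

```powershell
# Added example, not from the original post: audit a folder for Mark-of-the-Web.
# Windows records MotW as a "Zone.Identifier" alternate data stream on NTFS;
# SmartScreen and Office Protected View consult it, so a file that arrived from
# the Internet but carries no stream (or a ZoneId below 3) deserves a closer look.
# $Folder is an assumed default; point it at whatever location you want to audit.
param(
    [string]$Folder = "$env:USERPROFILE\Downloads"
)

# Zone numbers from the Windows URL security zone model.
$ZoneNames = @{
    0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
    3 = 'Internet';      4 = 'Restricted Sites'
}

function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{ Path = $Path; HasMotw = $false; Zone = $null; ReferrerUrl = $null; HostUrl = $null }

    # Get-Content -Stream reads the alternate data stream; it is absent on files
    # that were never marked (or that had the mark removed).
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($lines) {
        $result.HasMotw = $true
        # The stream is INI-style text: [ZoneTransfer] / ZoneId=3 / ReferrerUrl=... / HostUrl=...
        foreach ($line in $lines) {
            if     ($line -match '^ZoneId=(\d+)\s*$')   { $id = [int]$Matches[1]; $result.Zone = "$id ($($ZoneNames[$id]))" }
            elseif ($line -match '^ReferrerUrl=(.*)$') { $result.ReferrerUrl = $Matches[1] }
            elseif ($line -match '^HostUrl=(.*)$')     { $result.HostUrl = $Matches[1] }
        }
    }
    [pscustomobject]$result
}

# Walk the folder and list unmarked files first, since Protected View and
# SmartScreen will not kick in for those.
Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-MotwInfo -Path $_.FullName } |
    Sort-Object HasMotw |
    Format-Table Path, HasMotw, Zone, HostUrl -AutoSize
```

Files with no stream are not automatically malicious (local copies and archive extractions often lack one), but an Internet-sourced file that shows up unmarked is exactly the case the SmartScreen and Protected View bypasses above are about.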
- CVE-2024-21410 – Microsoft Exchange Server Elevation of Privilege Vulnerability
It’s been a minute since we’ve had an Exchange Server patch, and this vulnerability doesn’t disappoint with a CVSS rating of 9.8. A remote, unauthenticated attacker could use this bug to relay NTLM credentials and impersonate other users on the Exchange server. Patching won’t be straightforward either – if there is such a thing as a straightforward patch for Exchange Server. You’ll need to make sure to install the Exchange Server 2019 Cumulative Update 14 (CU14) update and ensure the Extended Protection for Authentication (EPA) feature is enabled. Microsoft has provided this article with additional information for Exchange administrators.
- CVE-2024-21413 – Microsoft Office Remote Code Execution Vulnerability
This is an intriguing bug that allows an attacker to bypass the Office Protected View and open a file in editing mode rather than protected mode. Not only does this somehow allow code execution to occur, but it could also occur in the Preview Pane. This vulnerability also rates a CVSS of 9.8, so the severity isn’t being overstated. Also, users of the 32- and 64-bit versions of Office 2016 will need to install multiple updates to fully address this vulnerability. Be sure to close all running Office apps when installing these fixes to help avoid a reboot, which is listed as a “Maybe” for the Office 2016 patches.
Here’s the full list of CVEs released by Microsoft for February 2024:
* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.
† Indicates further administrative actions are required to fully address the vulnerability.
Looking at the remaining Critical-rated bugs, the fix for Dynamics Business Central stands out as it could lead to a threat actor accessing other tenants’ applications and content. The attacker must be authenticated, but successful exploitation would grant them read, write, and delete functionality. You don’t see Critical-rated DoS bugs often, but the patch for Hyper-V deserves the rating as a guest OS could impact the Hyper-V host. The vulnerability in Pragmatic General Multicast (PGM) is serious but less likely to be exploited as it requires the attacker to be network adjacent. Multicast messages aren’t routable beyond a single network segment.
Moving on to the other code execution bugs, SQL clients are having a moment with 18 different patches. Thankfully, each of these bugs requires an affected client to connect to a malicious SQL Server, so practical exploitation is unlikely without significant social engineering. It’s the same scenario for the bug in ActiveX, too. The more concerning bugs are in Word and Outlook and have the Preview Pane as an attack vector. Word bugs are typically open-and-own, but having one that hits in the Preview Pane is definitely a rarity. The other RCEs in Office components are more traditional, but CVE-2024-20673 also requires users of the 32- and 64-bit versions of Office 2016 to install multiple updates to be protected. Speaking of extra steps, there are additional actions required to address the bug in the Azure Kubernetes Service. As stated by Microsoft in the bulletin:
The bug in Azure DevOps requires attackers to have Queue Build permissions. The bug in Microsoft Message Queuing (MSMQ) is written as an “open and own” style bug. This could mean opening an application that uses MSMQ could trigger the bug, but it’s not clear. It’s also not clear how an attacker would get RCE through the USB driver or Windows kernel. One can assume plugging in a malicious USB drive for the former, but the latter is definitely more opaque. Kernel bugs tend to either be privilege escalations or info disclosures. Maybe this is something through SMB?
There are a total of 14 different elevation of privilege (EoP) patches in this month’s release, and most simply result in an authenticated attacker executing code at SYSTEM level on a target. There are some notable exceptions, starting with the CVSS 9.8 bug in the Entra Jira SSO plugin. A remote, unauthenticated attacker could fully update Entra ID SAML metadata and info for the plugin. The attacker could then change the authentication of the application to their tenant as needed. Patching this requires the admin to download and install version 1.1.2 of the plugin either from the Microsoft Download Center or from the Atlassian Marketplace. You also need to take the same steps to address the bug in the Azure Kubernetes Service as are listed above. The escalation in Azure File Sync allows attackers to create files in directories where they shouldn’t have access. They wouldn’t be able to modify or delete existing files. The Moderate-rated (yet somehow CVSS 9.3) bug in Azure Site Recovery could allow an attacker to obtain the MySQL root password – allowing even further compromise. Not sure how that ended up as “Moderate”, but I would treat it as critical if you are running Azure Site Recovery. Finally, the privilege escalation in Outlook simply yields code execution at the level of the user running the application.
There are only a few information disclosure bugs receiving fixes in this month’s release. The bugs in the Windows kernel and DNS server only result in info leaks consisting of unspecified memory contents. The vulnerability in Skype for Business (remember it?) would allow an attacker to view file contents. Microsoft doesn’t specify what information can be disclosed by the bug in Teams for Android, but they do note user interaction is required. You’ll also need to get the update directly from the Android Play Store to be protected from this vulnerability.
In addition to the two I’ve already mentioned, there are two additional SFB patches released this month. The SFB in the kernel allows attackers to bypass the Windows Code Integrity Guard (CIG). The final SFB in the Trusted Compute Base could allow someone to bypass – you guessed it – Secure Boot.
In addition to those already documented, the February release includes fixes for just over a half dozen denial-of-service (DoS) bugs. However, Microsoft provides no real information or details for them. If I were to guess, I would put the DNS and LDAP bugs at the top of my severity rankings due to their role in the enterprise.
This month’s release also includes six fixes for spoofing bugs. Three of these are in Dynamics 365 and would allow an attacker to modify the content of a link on an affected system to redirect the victim to a malicious site. There’s a fix for the Device Metadata Retrieval Client (DMRC) that addresses a vulnerability triggered when a remote attacker sends a specially crafted packet to an affected system. The final two spoofing bugs are both in Azure. The bug in Azure Stack Hub requires a user to click on a link. The bug in Azure Active Directory requires an attacker to intercept traffic (MitM), but servicing goes beyond just installing a patch. Microsoft rolled out a fix already that includes Proof Key for Code Exchange (PKCE) as outlined here. However, not all customers may have received the update. If you were notified directly via Azure Service Health Alerts under Tracking ID: XXXXXX, you will need to take additional actions.
Finally, there are four cross-site scripting (XSS) bugs in Microsoft Dynamics receiving patches. No new advisories were released this month.
Looking Ahead
The next Patch Tuesday of 2024 will be on March 12, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!