February’s Patch Tuesday Update patches 73 vulnerabilities across Microsoft’s products, higher than the 49 seen in January. This release patches 5 critical, 66 important, and 2 moderate vulnerabilities with zero publicly disclosed and 2 exploited in the wild.
A critical vulnerability in Microsoft Office allows an attacker to bypass the Office Protected View and open documents in editing mode. This is done by crafting a malicious link that bypasses the Protected View Protocol, which leads to the leaking of local NTLM credential information and allows for remote code execution. Successfully exploiting this vulnerability could allow an attacker to gain elevated privileges, including read, write, and delete functionality. The preview pane is a known attack vector for this vulnerability, as the document only needs to be previewed for the exploit to run.
Windows PGM is a multicast protocol implementation in Windows, often referred to as reliable multicast. Information surrounding this vulnerability is limited, but Microsoft has noted that this attack is restricted to systems connected to the same network segment as the attacker. If successfully exploited, a remote attacker could execute arbitrary code on the target system. A patch for this vulnerability is even provided for Windows Server 2008, which is end of life.
A critical elevation of privilege vulnerability affecting Exchange servers has been patched this month. The vulnerability could allow an attacker to target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf.
Before the Exchange Server 2019 Cumulative Update 14, Exchange Server did not enable NTLM credentials Relay Protections by default. Without the protection enabled, an attacker can target Exchange Server to relay leaked NTLM credentials from other targets.
This critical vulnerability is related to Windows Hyper-V, a hardware virtualisation service created by Microsoft. Not much is known about this vulnerability other than successful exploitation may allow a Hyper-V guest to affect the functionality of the Hyper-V host. It’s likely Microsoft hasn’t released any more information about this vulnerability to protect customers using Hyper-V.
Microsoft has patched a security feature bypass for Windows SmartScreen that is actively being exploited in the wild. An authorized attacker must send the user a malicious file and convince them to open it. Successful exploitation by a malicious actor injecting code into SmartScreen and gaining code execution could lead to some data exposure, lack of system availability, or both.
This important vulnerability is being actively exploited in the wild. This vulnerability allows an unauthenticated attacker to send a user a specially crafted file that is designed to bypass displayed security checks. However, successful exploitation requires the attacker to convince the user to open the malicious shortcut.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-Feb
Security update guide: https://msrc.microsoft.com/update-guide/
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.