[German]On February 13, 2024, Microsoft released security updates for Windows clients and servers, for Office – and for other products. The security updates eliminate 73 vulnerabilities (CVEs), two of which are 0-day vulnerabilities that are already being exploited. Below is a compact overview of the updates that were released on Patchday.
Advertising
Notes on the updates
A list of the updates can be found on this Microsoft page. Details on the update packages for Windows, Office etc. are available in separate blog posts.
Windows 10/11, Windows Server
All Windows 10/11 updates (as well as the updates of the server counterparts) are cumulative. The monthly patchday update contains all security fixes for these Windows versions – as well as all non-security fixes up to the patchday. In addition to the security patches for the vulnerabilities, the updates also contain fixes to correct errors or new features.
Windows 7 SP1/Windows Server 2012 R2
Windows 7 SP1 is no longer supported since January 2020. Only customers with an ESU license for the 4th year (or workarounds) will still receive updates. Updates can also be downloaded from the Microsoft Update Catalog. Windows Server 2012 /R2 will receive regular security updates until October 2023. From this point onwards, an ESU license is also required to obtain further security updates (Windows Server 2012/R2 gets Extended Security Updates (ESU) until October 2026).
Fixed vulnerabilities
Tenable has published this blog post with an overview of the vulnerabilities that have been fixed. Here are some of the critical vulnerabilities that have been fixed:
- CVE-2024-21351: Windows SmartScreen Security Feature Bypass Vulnerability, CVEv3 Score 7.6, Moderate; An attacker could exploit this vulnerability by tricking a target into opening a malicious file. If successfully exploited, the SmartScreen security features would be bypassed. According to Microsoft, this vulnerability has already been exploited as a zero-day, although no exact details of the exploitation are currently known.
- CVE-2024-21412: Internet Shortcut Files Security Feature Bypass Vulnerability, CVEv3 Score 8.1, important; Bypassing the security feature in Internet shortcut files; To exploit this vulnerability, an attacker must convince the target to open a malicious Internet shortcut file using social engineering.
- CVE-2024-21410: Microsoft Exchange Server Elevation of Privilege vulnerability, CVEv3 Score 9.8, critical; a critical EoP vulnerability rated "Exploitation More Likely" according to the Microsoft Exploitability Index. Successful exploitation of this vulnerability would allow an attacker to pass a New Technology LAN Manager Version 2 (NTLMv2) hash against a vulnerable server. NTLM hashes could be abused in NTLM relay or pass-the-hash attacks to strengthen an attacker's position in an organization.According to Microsoft, Exchange Server 2019 Cumulative Update 14 and earlier does not have NTLM credential relay protection enabled by default. The Microsoft notice contains a link to a script to enable protection and recommends installing the latest cumulative update, even if the script to enable NTLM credential relay protection has already been executed.
- CVE-2024-21378: Microsoft Outlook Remote Code Execution vulnerability, CVEv3 Score 8.0, important; This vulnerability in Outlook is rated Exploitation More Likely; To exploit this vulnerability, an attacker would need to authenticate with LAN access and have a valid logon for an Exchange user. If the attacker meets these requirements, they must send their maliciously crafted file to a user and trick them into opening it. According to Microsoft, the preview window is an attack vector, i.e. the preview of a specially crafted file can trigger the vulnerability.
- CVE-2024-21338, CVE-2024-21345, CVE-2024-21371: Windows Kernel Elevation of Privilege vulnerabilities, CVEv3 Score 7.0 (CVE-2024-21345) – 8.0 (CVE-2024-21371), important; The vulnerability CVE-2024-21371 is classified as "Exploitation More Likely". An attacker could exploit this vulnerability as part of post-compromise activities to escalate privileges on SYSTEM.In addition to these EoP vulnerabilities, three other Windows kernel vulnerabilities were patched this month:
CVE-2024-21340 Windows kernel information disclosure vulnerability; CVEv3 Score 4.6
CVE-2024-21341 Remote code execution vulnerability in the Windows kernel; CVEv3 Score 6.8
CVE-2024-21362 Windows Kernel Security Feature Bypass Vulnerability; CVEv3 Score 5.5
A list of all covered CVEs can be found on this Microsoft page, excerpts are available at Tenable. Below is the list of patched products:
Advertising
- .NET
- Azure Active Directory
- Azure Connected Machine Agent
- Azure DevOps
- Azure File Sync
- Azure Site Recovery
- Azure Stack
- Internet Shortcut Files
- Microsoft ActiveX
- Microsoft Azure Kubernetes Service
- Microsoft Defender for Endpoint
- Microsoft Dynamics
- Microsoft Edge (Chromium-based)
- Microsoft Exchange Server
- Microsoft Office
- Microsoft Office OneNote
- Microsoft Office Outlook
- Microsoft Office Word
- Microsoft Teams for Android
- Microsoft WDAC ODBC Driver
- Microsoft WDAC OLE DB provider for SQL
- Microsoft Windows
- Microsoft Windows DNS
- Role: DNS Server
- SQL Server
- Skype for Business
- Trusted Compute Base
- Windows Hyper-V
- Windows Internet Connection Sharing (ICS)
- Windows Kernel
- Windows LDAP – Lightweight Directory Access Protocol
- Windows Message Queuing
- Windows OLE
- Windows SmartScreen
- Windows USB Serial Driver
- Windows Win32K – ICOMP
Similar articles:
Office: Project Update KB5002530 (February 6, 2024)
Microsoft Security Update Summary (February 13, 2024)
Patchday: Windows 10 Updates (February 13, 2024)
Patchday: Windows 11/Server 2022 Updates (February 13, 2024)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (February 13, 2024)
Microsoft Office Updates (February 13, 2024)
Exchange Server Cumulative Update CU 14 (February 13, 2024)
Warning about critical Outlook RCE vulnerability CVE-2024-21413
