Urgent Security Update On Microsoft Systems

Risk:
high
Damage:
high
Platform(s):
Microsoft® Windows OS, Microsoft® Exchange Server, Microsoft® Server OS
Advisory ID:
ngCERT-2024-0005
Version:
N/A
CVE:
CVE-2024-21351, CVE-2024-21412, CVE-2024-21410, CVE-2024-21413
Published:
March 4, 2024

Summary


Microsoft's latest security updates address two zero-day vulnerabilities that are already being exploited in the wild, together with six other serious vulnerabilities across several Microsoft products. These vulnerabilities could allow attackers to bypass security features, gain unauthorised access and execute malicious code on vulnerable systems, opening the way to further attacks. Microsoft has released patches for all of them, including five rated critical. Users and administrators are therefore encouraged to take immediate action to mitigate the threat.

Description & Consequence


The two exploited zero-days are security feature bypass vulnerabilities: CVE-2024-21351 in Windows SmartScreen and CVE-2024-21412 in the handling of Windows Internet Shortcut (.url) files. Neither requires authentication, but both require user interaction: the attacker must entice the victim into opening a malicious file or link. A successful exploit bypasses the SmartScreen warnings and the displayed security checks on Internet Shortcut files, after which the attacker can execute arbitrary code, exposing data and potentially disrupting system availability. Notably, Water Hydra (aka DarkCasino), an advanced persistent threat (APT) group, used CVE-2024-21412 to deliver the DarkMe trojan to financial market participants.
Two further flaws, CVE-2024-21410 and CVE-2024-21413, both carry a CVSS score of 9.8. CVE-2024-21410 is an elevation of privilege vulnerability in Exchange Server: the attacker targets an NTLM client such as the Outlook e-mail client with an NTLM credential-leaking attack and relays the leaked credentials to the Exchange server, gaining the victim's privileges and performing operations on the victim's behalf. CVE-2024-21413 is a remote code execution vulnerability in Microsoft Outlook that stems from the incorrect parsing of "file://" hyperlinks: appending an exclamation mark to a link that points to a payload hosted on an attacker-controlled server (e.g., "file:///\\10.10.111.111\test\test.rtf!something") causes Outlook to follow the link without its usual Protected View safeguards, which leaks the user's NTLM credentials to the remote host and can lead to code execution. Microsoft has released patches for these flaws, along with the others identified as follows:

  1. CVE-2024-20684 (CVSS score: 6.5) - Windows Hyper-V Denial of Service Vulnerability.
  2. CVE-2024-21357 (CVSS score: 7.5) - Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability.
  3. CVE-2024-21380 (CVSS score: 8.0) - Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability.

Successful exploitation of these vulnerabilities could result in:

  1. Unauthorized access to systems as well as sensitive data.
  2. Execution of malicious code.
  3. Information disclosure.
  4. Escalation of privileges.
  5. Financial losses.

Solution


Microsoft has released security updates that fix all of the vulnerabilities listed above, and all Windows and Exchange administrators should apply them without delay. For CVE-2024-21410 in particular, the fix relies on Extended Protection for Authentication being enabled on Exchange Server: Exchange Server 2019 CU14 enables it by default, while earlier supported releases must enable it after updating by running Microsoft's ExchangeExtendedProtectionManagement.ps1 script. Users should also exercise caution when opening links or attachments from unknown sources and should not dismiss security warnings.
