February Patch Tuesday corrects two Windows zero-days

Administrators should focus on quickly deploying the fix for a critical vulnerability in Microsoft Outlook and exercising caution when applying an Exchange Server 2019 cumulative update.

Admins who manage their organization's fleet of Windows systems will want to expedite fixes from February Patch Tuesday after Microsoft corrected two zero-days that affect both server and desktop machines.

This month, Microsoft addressed 73 new vulnerabilities and provided updates for seven older bugs. Five vulnerabilities were rated critical. In addition to the two zero-days, admins should consider a rapid deployment for a critical Exchange Server flaw and a critical Microsoft Outlook bug as well as mitigations for an older Windows AppX installer spoofing vulnerability.

Two Windows zero-days top the patching priority list

The cumulative update feature in Windows will resolve most of this month's vulnerabilities, including two flaws that were actively exploited.

The first zero-day is an Internet Shortcut Files security feature bypass vulnerability (CVE-2024-21412) rated important with a CVSS score of 8.1 that affects Windows desktop and server systems. An unauthenticated attacker could send the shortcut to a user who would have to open the malicious file to trigger the exploit, giving the attacker a way to avoid system security checks.

The second zero-day is a Windows SmartScreen security feature bypass vulnerability (CVE-2024-21351) rated moderate with a 7.6 CVSS score, affecting Windows server and desktop systems. An attacker must convince a user to open a malicious file to trigger the exploit to avoid the Mark of the Web zone identifier and circumvent SmartScreen protections in Microsoft Defender.

Chris Goettl, vice president of product management for security products at Ivanti, said admins should consider this flaw a critical, not moderate, vulnerability because it was actively exploited before the Patch Tuesday security updates arrived.

"The [severity] assessments are static and don't take into account that this was reported to Microsoft because of a real-world attack," he said.

Microsoft delivers patch for critical Exchange Server vulnerability

Exchange Server, the on-premises email server and calendar system, returns to the patching spotlight with an elevation-of-privilege vulnerability (CVE-2024-21410) rated critical for Exchange 2016 and Exchange 2019 systems.

The CVE has one of the highest exploitability numbers for February Patch Tuesday with a CVSS score of 9.8. If exploited, the vulnerability can give system-level privileges to the attacker.

"If you have enabled NTLM credential relay protections, then a large chunk of the risk from this vulnerability is mitigated," Goettl said. "Microsoft says that doesn't mean you're safe, but it will make it a lot harder to be taken advantage of."

Microsoft released a cumulative update (CU) for Exchange 2019 but not for Exchange 2016. According to a Microsoft official on the Exchange Team blog, Exchange 2016 will not get a cumulative update, but enabling Extended Protection will mitigate this vulnerability.

Administrators should be aware that installing CU14 automatically enables Extended Protection on Exchange Server 2019 but does not verify the system is configured to run this safety feature.

"If your servers are not ready for using [Extended Protection] (for example, they use SSL offloading or there are mismatches between client and server TLS configuration), and you do not opt out of [Extended Protection] enablement during setup, it is possible that some functionality may break after installing CU14," the company wrote in a blog.

Older Windows vulnerability continues to resurface

On February Patch Tuesday, Microsoft reissued a Windows AppX installer spoofing vulnerability (CVE-2021-43890) rated important that was first published on Patch Tuesday in December 2021. An attacker could add malware to an attachment and convince the user to open it to trigger the exploit so the attacker can evade security measures and execute code on the system.

"Using social engineering to get a user to do what you want them to do is a statistics game, not an actual challenge," Goettl said. "With enough time and effort, and especially now with the craftiness threat actors have with generative AI, it's getting much easier."

While the AppX installer ships with Windows, it falls outside of the cumulative update model. If this system component is not updated, it could leave the organization open to an attack. Microsoft has issued three informational changes for this CVE since Dec. 7, 2023, providing additional information each time to protect Windows systems. Microsoft's CVE calls for admins to install the latest AppX installer, which disables the ms-appinstaller URI scheme handler, or to disable the ms-appinstaller protocol for organizations that cannot move to the latest version.
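The two mitigations Microsoft names for CVE-2021-43890 (an updated App Installer, or the ms-appinstaller protocol disabled by policy) can be audited per machine; the following PowerShell is an added example, not from the article or from Microsoft, and assumes that the registry path and value below are the Group Policy backing the "Enable App Installer ms-appinstaller protocol" setting, while $MinimumVersion is a placeholder the admin fills in from Microsoft's current guidance.

```powershell
# Added audit example (not from the article): reports whether either mitigation
# for CVE-2021-43890 is in place on the local machine. Run elevated so that
# Get-AppxPackage -AllUsers can enumerate every user's package.
param(
    # PLACEHOLDER: fixed App Installer version taken from Microsoft's guidance
    [version]$MinimumVersion = '0.0.0.0'
)

# Assumption: policy key/value that backs "Enable App Installer ms-appinstaller protocol"
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$policyName = 'EnableMSAppInstallerProtocol'

# 1. Is the ms-appinstaller protocol explicitly disabled by policy (value 0)?
$protocolDisabled = $false
$policy = Get-ItemProperty -Path $policyPath -Name $policyName -ErrorAction SilentlyContinue
if ($null -ne $policy -and $policy.$policyName -eq 0) { $protocolDisabled = $true }

# 2. Is the newest installed App Installer package at or above the fixed version?
$pkg = Get-AppxPackage -Name Microsoft.DesktopAppInstaller -AllUsers -ErrorAction SilentlyContinue |
       Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1
$installedVersion = if ($pkg) { [version]$pkg.Version } else { $null }
$packageCurrent = ($null -ne $installedVersion) -and ($installedVersion -ge $MinimumVersion)

# Either path mitigates: the updated package disables the URI handler itself,
# and the policy disables it on machines that cannot take the new package.
[pscustomobject]@{
    ComputerName             = $env:COMPUTERNAME
    ProtocolDisabledByPolicy = $protocolDisabled
    AppInstallerVersion      = $installedVersion
    MeetsMinimumVersion      = $packageCurrent
    Mitigated                = ($protocolDisabled -or $packageCurrent)
}
```

Run it through your remote-management tooling to collect one object per host and flag any machine where Mitigated is False.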

Other security updates of note for February Patch Tuesday

  • A Microsoft Outlook remote-code execution vulnerability (CVE-2024-21413) rated critical with a 9.8 CVSS score. The Outlook preview pane is an attack vector. The attacker can bypass protections on a vulnerable system via a malicious link, which could let them access NTLM credential information on the exploited system.
  • A Windows Pragmatic General Multicast remote-code execution vulnerability (CVE-2024-21357) rated critical with a 7.5 CVSS score. Goettl said this vulnerability is concerning because attackers can target a large segment of your network and potentially adjacent segments without authentication, then move laterally across the environment with minimal effort.
  • A Windows Hyper-V DoS vulnerability (CVE-2024-20684) rated critical with a 6.5 CVSS score affecting Windows 11 and Windows Server 2022 systems. An attacker who exploits the flaw could disrupt the Hyper-V host's capabilities.

Tom Walat is the site editor for TechTarget Editorial's Windows Server site, where he writes and edits articles by technology experts. Walat previously worked for a Boston-area newspaper in several roles, including news editor and editorial systems manager.
