Today is Microsoft's February 2024 Patch Tuesday, which includes security updates for 73 flaws and two actively exploited zero-days.

This Patch Tuesday fixes five critical vulnerabilities, including denial of service, Remote code execution, information disclosure, and elevation of privileges vulnerabilities.

The number of bugs in each vulnerability category is listed below: 

• 16 Elevation of Privilege Vulnerabilities
• 3 Security Feature Bypass Vulnerabilities
• 30 Remote Code Execution Vulnerabilities
• 5 Information Disclosure Vulnerabilities
• 9 Denial of Service Vulnerabilities
• 10 Spoofing Vulnerabilities

The total count of 73 flaws does not include 6 Microsoft Edge flaws fixed on February 8th and 1 Mariner flaw.

To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5034765 cumulative update and the Windows 10 KB5034763 update.

Two zero-days fixed

This month's Patch Tuesday fixes two actively exploited zero-day vulnerabilities, which Microsoft classifies as a flaw that is publicly disclosed or actively exploited with no official fix available.

The two actively exploited zero-day vulnerabilities in today's updates are:

CVE-2024-21351 - Windows SmartScreen Security Feature Bypass Vulnerability

Microsoft has fixed an actively exploited Windows SmartScreen vulnerability that allows attackers to bypass SmartScreen security checks.

"An authorized attacker must send the user a malicious file and convince the user to open it," explains Microsoft.

"An attacker who successfully exploited this vulnerability could bypass the SmartScreen user experience," continued Microsoft. 

It is not known how the flaw was abused in attacks or by what threat actor.

The flaw was discovered by Eric Lawrence of Microsoft.

CVE-2024-21412 - Internet Shortcut Files Security Feature Bypass Vulnerability

Microsoft has fixed an actively exploited Internet Shortcut File flaw that could bypass Mark of the Web (MoTW) warnings in Windows.

"An unauthenticated attacker could send the targeted user a specially crafted file that is designed to bypass displayed security checksk," explains Microsoft.

"However, the attacker would have no way to force a user to view the attacker-controlled content. Instead, the attacker would have to convince them to take action by clicking on the file link."

Peter Girnus (gothburz) of Trend Micro's Zero Day Initiative, who discovered the flaw, released a report today on how it was actively exploited by the APT group DarkCasino (Water Hydra) in a campaign targeting financial traders.

Microsoft says that other researchers discovered the flaw independently, including dwbzn with Aura Information Security and Dima Lenz and Vlad Stolyarov of Google's Threat Analysis Group.

Microsoft has not provided details on how the CVE-2024-21351 flaw was exploited in attacks.

Recent updates from other companies

Other vendors who released updates or advisories in February 2023 include:

• Adobe has released security updates for Commerce, Substance 3D Painter, Acrobat and Reader, and more.
• Cisco released security updates for multiple products.
• ExpressVPN released a new version to remove the split-tunneling feature after it leaked DNS queries.
• Fortinet released security updates for a new FortiOS SSL VPN RCE, which is exploited in attacks, and two RCE flaws in FortiSIEM.
• Google released the Android February 2024 security updates.
• Ivanti released security updates for a new Connect Secure authentication bypass flaw.
• JetBrains released security updates for a new critical authentication bypass vulnerability in TeamCity On-Premises.
• Linux distros release patches for new Shim bootloader code execution flaw.
• Mastodon released a security update to fix a vulnerability that allows attackers to take over any remote account.
• SAP has released its February 2024 Patch Day updates.

The February 2024 Patch Tuesday Security Updates

To access the full description of each vulnerability and the systems it affects, you can view the full report here.