Microsoft Corp. today pushed software updates to plug more than 70 security holes in its Windows operating systems and related products, including two zero-day vulnerabilities that are already being exploited in active attacks.
Top of the heap on this Fat Patch Tuesday is CVE-2024-21412, a “security feature bypass” in the way Windows handles Internet Shortcut Files that Microsoft says is being targeted in active exploits. Redmond’s advisory for this bug says an attacker would need to convince or trick a user into opening a malicious shortcut file.
Researchers at Trend Micro have tied the ongoing exploitation of CVE-2024-21412 to an advanced persistent threat group dubbed “Water Hydra,” which they say has been using the vulnerability to execute a malicious Microsoft Installer File (.msi) that in turn drops a remote access trojan (RAT) onto infected Windows systems.
The other zero-day flaw is CVE-2024-21351, another security feature bypass — this one in the built-in Windows SmartScreen component that tries to screen out potentially malicious files downloaded from the Web. Kevin Breen at Immersive Labs says it’s important to note that this vulnerability alone is not enough for an attacker to compromise a user’s workstation, and instead would likely be used in conjunction with something like a spear phishing attack that delivers a malicious file.
Satnam Narang, senior staff research engineer at Tenable, said this is the fifth vulnerability in Windows SmartScreen patched since 2022 and all five have been exploited in the wild as zero-days. They include CVE-2022-44698 in December 2022, CVE-2023-24880 in March 2023, CVE-2023-32049 in July 2023 and CVE-2023-36025 in November 2023.
Narang called special attention to CVE-2024-21410, an “elevation of privilege” bug in Microsoft Exchange Server that Microsoft says is likely to be exploited by attackers. Attacks on this flaw would lead to the disclosure of NTLM hashes, which could be leveraged as part of an NTLM relay or “pass the hash” attack, which lets an attacker masquerade as a legitimate user without ever having to log in.
“We know that flaws that can disclose sensitive information like NTLM hashes are very valuable to attackers,” Narang said. “A Russian-based threat actor leveraged a similar vulnerability to carry out attacks – CVE-2023-23397 is an Elevation of Privilege vulnerability in Microsoft Outlook patched in March 2023.”
Microsoft notes that prior to its Exchange Server 2019 Cumulative Update 14 (CU14), a security feature called Extended Protection for Authentication (EPA), which provides NTLM credential relay protections, was not enabled by default.
“Going forward, CU14 enables this by default on Exchange servers, which is why it is important to upgrade,” Narang said.
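The NTLM relay protection Narang refers to is an IIS setting (Extended Protection, enforced when its token checking is set to Require) on each of Exchange's virtual directories. The following is an added example, not code from the article, Microsoft or Tenable: a read-only PowerShell audit that lists the setting per virtual directory so an administrator can see where relay protection is still off before or after applying CU14. It assumes the WebAdministration module that ships with IIS and the two IIS sites Exchange creates by default ("Default Web Site" and "Exchange Back End").

```powershell
# Added example: inventory Extended Protection (tokenChecking) on the IIS
# virtual directories of an Exchange server. Run in an elevated PowerShell
# session on the Exchange server itself. Assumes the WebAdministration module.
Import-Module WebAdministration

function Get-ExchangeEpaStatus {
    param(
        # Assumed default Exchange site names; adjust if your deployment differs.
        [string[]]$Sites = @('Default Web Site', 'Exchange Back End')
    )
    foreach ($site in $Sites) {
        # The site root plus every application (virtual directory) beneath it.
        $paths = @("IIS:\Sites\$site") +
                 (Get-WebApplication -Site $site | ForEach-Object { "IIS:\Sites\$site$($_.Path)" })

        foreach ($path in $paths) {
            $winAuth = Get-WebConfiguration -PSPath $path `
                -Filter 'system.webServer/security/authentication/windowsAuthentication'
            # Extended Protection only matters where Windows (NTLM/Kerberos) auth is offered.
            if (-not $winAuth.enabled) { continue }

            $ep = Get-WebConfiguration -PSPath $path `
                -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

            [pscustomobject]@{
                Path          = $path
                # None    = channel-binding token not checked (relayable)
                # Allow   = checked only when the client sends one
                # Require = enforced
                TokenChecking = $ep.tokenChecking
                Flags         = $ep.flags
                Exposed       = ($ep.tokenChecking -ne 'Require')
            }
        }
    }
}

Get-ExchangeEpaStatus | Sort-Object Exposed -Descending | Format-Table -AutoSize
```

This script changes nothing; it only reports. Microsoft's own ExchangeExtendedProtectionManagement.ps1 script is the supported way to turn Extended Protection on, and it deliberately sets some virtual directories to a level other than Require for compatibility reasons, so treat an `Exposed` row as a prompt to compare against Microsoft's Exchange Extended Protection documentation rather than as a finding on its own.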
Rapid7’s lead software engineer Adam Barnett highlighted CVE-2024-21413, a critical remote code execution bug in Microsoft Office that could be exploited just by viewing a specially-crafted message in the Outlook Preview pane.
“Microsoft Office typically shields users from a variety of attacks by opening files with Mark of the Web in Protected View, which means Office will render the document without fetching potentially malicious external resources,” Barnett said. “CVE-2024-21413 is a critical RCE vulnerability in Office which allows an attacker to cause a file to open in editing mode as though the user had agreed to trust the file.”
Barnett stressed that administrators responsible for Office 2016 installations who apply patches outside of Microsoft Update should note the advisory lists no fewer than five separate patches which must be installed to achieve remediation of CVE-2024-21413; individual update knowledge base (KB) articles further note that partially-patched Office installations will be blocked from starting until the correct combination of patches has been installed.
It’s a good idea for Windows end-users to stay current with security updates from Microsoft, which can quickly pile up otherwise. That doesn’t mean you have to install them on Patch Tuesday. Indeed, waiting a day or three before updating is a sane response, given that sometimes updates go awry and usually within a few days Microsoft has fixed any issues with its patches. It’s also smart to back up your data and/or image your Windows drive before applying new updates.
For a more detailed breakdown of the individual flaws addressed by Microsoft today, check out the SANS Internet Storm Center’s list. For those admins responsible for maintaining larger Windows environments, it often pays to keep an eye on Askwoody.com, which frequently points out when specific Microsoft updates are creating problems for a number of users.
Has Microsoft addressed the installation issues with KB5034441?
Funny, on one Enterprise 10 laptop, KB5034441 is still trying to install and still failing. However on another Enterprise 10 laptop, it doesn’t show. Go figure. Same network, Enterprise 10 Version, OS Build, and Experience Pack though the motherboard is significantly different between the two (Dell vs. HP).
Similar experience. I have two different brands of Windows 10 laptops – Toshiba updated, Dell still doesn’t after yesterday’s updates.
I got “Download error – 0x80070643” again on one machine, and “Failed to install” on another (both Windows 10)
Great reporting, Mr. Krebs
Thanks for the information
Same Here: Win10 Desktop… ERROR (0x80070643)
“0x80070643 – ERROR_INSTALL_FAILURE”
Workaround: It might be necessary to increase the size of the WinRE partition in order to avoid this issue and complete the installation. Note that 250 megabytes of free space is required in the recovery partition. Guidance to change the WinRE partition size can be found in KB5028997: Instructions to manually resize your partition to install the WinRE update.
Next steps: (MS) We are working on a resolution and will provide an update in an upcoming release.
Affected platforms:
Client: Windows 11, version 21H2; Windows 10, version 22H2; Windows 10, version 21H2
Server: Windows Server 2022
Caveat: Microsoft assumes the Recovery partition is situated next to the OS partition. That’s not necessarily the case in many systems. So, a different approach has to be followed on systems where the Recovery partition is not located near the OS partition. In that case, please start a new thread and seek the assistance of an advisor or volunteer moderator.
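The workaround quoted above turns on two facts about a machine: whether its WinRE partition has the 250 MB of free space KB5034441 needs, and whether that partition sits immediately after the OS partition (the precondition for the manual resize in KB5028997). The following is an added example, not part of the comment or of Microsoft's guidance: a PowerShell check that reports both so an administrator can sort affected machines before touching any partitions. It assumes Windows 10/11 with reagentc.exe and the Storage module cmdlets (Get-Partition, Get-Volume), both shipped with Windows, and that reagentc's "Windows RE location" path contains the usual harddiskN\partitionM form.

```powershell
# Added example: report the WinRE partition's size, free space and whether it
# is adjacent to the OS partition. Read-only; run from an elevated prompt.
function Get-WinReStatus {
    # reagentc /info prints, among other lines, something like:
    #   Windows RE location:  \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
    # Assumes that path shape; the label text itself is locale dependent.
    $info = (& reagentc.exe /info 2>&1) -join "`n"
    $m = [regex]::Match($info, 'harddisk(\d+)\\partition(\d+)')
    if (-not $m.Success) {
        return [pscustomobject]@{ Enabled = $false; Message = 'WinRE is disabled or not staged on a partition' }
    }
    $disk = [int]$m.Groups[1].Value
    $part = [int]$m.Groups[2].Value

    $rePartition = Get-Partition -DiskNumber $disk -PartitionNumber $part
    $reVolume    = $rePartition | Get-Volume          # recovery volumes usually have no drive letter
    $osPartition = Get-Partition -DriveLetter $env:SystemDrive.TrimEnd(':')

    $requiredFree = 250MB   # free space KB5034441 needs in the recovery partition

    [pscustomobject]@{
        Enabled               = $true
        DiskNumber            = $disk
        PartitionNumber       = $part
        SizeMB                = [math]::Round($rePartition.Size / 1MB)
        FreeMB                = [math]::Round($reVolume.SizeRemaining / 1MB)
        MeetsFreeSpaceNeed    = ($reVolume.SizeRemaining -ge $requiredFree)
        # KB5028997's manual steps shrink the OS partition and recreate the
        # recovery partition right after it, which only works when the two are
        # next to each other on the same disk (the caveat raised above).
        AdjacentToOsPartition = ($osPartition.DiskNumber -eq $disk -and
                                 ($osPartition.PartitionNumber + 1) -eq $part)
    }
}

Get-WinReStatus | Format-List
```

A machine that reports `MeetsFreeSpaceNeed = False` and `AdjacentToOsPartition = True` is a candidate for the KB5028997 procedure; one that also reports `AdjacentToOsPartition = False` is the case the comment says needs a different approach, and the script deliberately does not attempt one.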
On and on and on. There will be no security online until the top officials of each company are personally financially responsible for these failures to the customers of these systems.
There is no way to win at whack a mole, especially when idiots leave the front door open.
I don’t think these issues are really software ones. It is the decision to make ease of use paramount, rather than making security paramount. This probably implies less direct interconnection of functions which means a slowing down of these systems. Building silos is probably better than building gigantic computer buildings that intruders can wander around in and easily escape detection.
what do you mean?
sometime after February 15-18, it is impossible to run .msi on all machines.
What open doors are you talking about ?
I see that they cut off all the ways to run something on the machine, name me at least one initial access point at the moment.
I don’t see any.
thanks for this information.
REALLY?! This will NEVER end. Thanks Micro$oft……bastards……
Frankly, I can’t believe people still use MSFT’s junk OS. Their productivity software is good, but not good enough to justify having to put up with Windows.
And at this point it has to be plain old cultural inertia. Frankly LibreOffice just doesn’t lag MS Office enough to pay for the latter, nevermind the security holes.