Microsoft followed up one of the lightest recent Patch Tuesdays in January with a large release of vulnerabilities on Tuesday, although still far from numbers seen in the past. 

In all, February’s security update from Microsoft includes 75 vulnerabilities, three of which are considered critical. There are 69 “important” vulnerabilities, according to Microsoft, and three that are of “moderate” severity.

Although considered of moderate risk, one of the vulnerabilities is being actively exploited in the wild — CVE-2024-21351, a security feature bypass vulnerability in Windows SmartScreen. SmartScreen protects users from malicious websites and files downloaded from the internet. Exploiting this vulnerability may allow an attacker to trick a user into downloading and executing a file from the internet without the traditional SmartScreen protections. There were no zero-day vulnerabilities disclosed in last month’s Patch Tuesday.

Of the three critical vulnerabilities, one (CVE-2024-20684) could allow an attacker who controls a Hyper-V guest to cause a denial of service on the host and, as a consequence, on all other guests of the same host.

CVE-2024-21357 is another critical remote code execution vulnerability, this one in a multicast network protocol called Windows Pragmatic General Multicast. The vulnerability could, in theory, allow an attacker on the same network to execute code on other systems on that network. Microsoft considers exploitation of the vulnerability complex; however, the company does list it as “more likely” to be exploited.

The third critical vulnerability (CVE-2024-21380) is an information disclosure vulnerability in Microsoft Dynamics Business Central/NAV. According to Microsoft, exploiting this vulnerability requires user interaction, and the attacker must first win a race condition. Therefore, it’s considered to be a more complex attack and “less likely” to be exploited.

Cisco Talos would also like to highlight CVE-2024-21378, a remote code execution vulnerability in Microsoft Outlook. However, according to the advisory, this requires the attacker to be on the same network as the targeted machine and trick the victim into opening a specially crafted file or email.

CVE-2024-21379 is also a remote code execution vulnerability, this time in Microsoft Word. Exploiting this vulnerability requires an attacker to send a victim a specially crafted Word document that, when opened, would allow remote code execution on the victim’s system.

The advisory contains 26 other remote code execution vulnerabilities that are considered “less likely” to be exploited. A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63000 - 63001, 63004, 63005, 62992 - 62994, 62998 and 62999. There are also Snort 3 rules 300822 - 300826.
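Operators who maintain their own Snort deployments usually want to confirm that the SIDs named in a post like this one actually landed in the active rule set after an SRU or rule-pack update. The script below is an added example, not code from Talos or the Snort project: it expands the SID ranges listed above, parses the `sid:` option out of each rule line, treats a leading `#` as a present-but-disabled rule, and reports which of the expected SIDs are enabled, disabled, or missing. The sample rules file is constructed for the demonstration; its rule bodies are placeholders and say nothing about what the real Talos rules match.

```python
import re

# SIDs named in the post, with "a - b" ranges kept as (lo, hi) tuples.
# The Snort 2 and Snort 3 lists are tracked separately, as in the post.
SNORT2_SIDS = [(63000, 63001), 63004, 63005, (62992, 62994), 62998, 62999]
SNORT3_SIDS = [(300822, 300826)]

def expand(entries):
    """Expand a mix of ints and inclusive (lo, hi) ranges into a set of SIDs."""
    out = set()
    for e in entries:
        if isinstance(e, tuple):
            lo, hi = e
            out.update(range(lo, hi + 1))
        else:
            out.add(e)
    return out

# Matches the "sid:NNNN;" option; \b keeps "gid:" from being mistaken for "sid:".
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def parse_rules(text):
    """Return {sid: enabled} for every rule line in a Snort rules file.

    A rule line that starts with '#' is present but disabled (commented out).
    Lines without a sid option (plain comments, blanks) are ignored.
    """
    found = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        m = SID_RE.search(stripped)
        if not m:
            continue
        sid = int(m.group(1))
        enabled = not stripped.startswith("#")
        # If a SID appears twice, an enabled copy wins over a disabled one.
        found[sid] = found.get(sid, False) or enabled
    return found

def audit(text, expected):
    """Split the expected SIDs into enabled / disabled / missing lists."""
    found = parse_rules(text)
    return {
        "enabled": sorted(s for s in expected if found.get(s) is True),
        "disabled": sorted(s for s in expected if found.get(s) is False),
        "missing": sorted(s for s in expected if s not in found),
    }

# Constructed sample rules file (hypothetical content, not Talos rules):
# two enabled rules, one commented out, and two of the expected SIDs absent.
SAMPLE_RULES = """\
# comment line without a sid
alert tcp any any -> any any (msg:"placeholder rule"; sid:63000; rev:1;)
alert tcp any any -> any any (msg:"placeholder rule"; sid:63001; rev:1;)
#alert tcp any any -> any any (msg:"placeholder rule"; sid:63004; rev:1;)
alert udp any any -> any any (msg:"placeholder rule"; sid:62992; rev:1;)
alert udp any any -> any any (msg:"placeholder rule"; sid:62993; rev:1;)
alert udp any any -> any any (msg:"placeholder rule"; sid:62994; rev:1;)
alert tcp any any -> any any (msg:"placeholder rule"; sid:62999; rev:2;)
"""

if __name__ == "__main__":
    report = audit(SAMPLE_RULES, expand(SNORT2_SIDS))
    for state, sids in report.items():
        print(f"{state:8s}: {sids}")
```

On a real sensor you would read the deployed `.rules` files instead of `SAMPLE_RULES` and feed `expand(SNORT3_SIDS)` to `audit` for a Snort 3 installation; a non-empty `missing` list after an update is the signal that the rule pack did not apply, and a non-empty `disabled` list shows rules that are present but still need to be enabled in the local policy.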