Microsoft fixes two zero-days with Patch Tuesday release

Microsoft on Tuesday released 73 updates in its monthly Patch Tuesday release, addressing issues in Microsoft Exchange Server and Adobe and two zero-day flaws being actively exploited in Microsoft Outlook (CVE-2024-21410) and Microsoft Exchange (CVE-2024-21413).

Including the recent reports that the Windows SmartScreen vulnerability (CVE-2024-21351) is under active exploitation, we have added “Patch Now” schedules to Microsoft Office, Windows and Exchange Server. The team at Readiness has provided this detailed infographic outlining the risks associated with each of the updates for this cycle.

Known issues

Microsoft publishes a list of known issues related to the operating system and platforms included each month.

  • Windows devices using more than one monitor might (still) experience issues with desktop icons moving unexpectedly between monitors or other icon alignment issues when attempting to use Windows Copilot. Microsoft is still working on this issue.
  • After you install KB5034129, chromium-based internet browsers such as Microsoft Edge might not open correctly. Affected browsers might display a white screen and become unresponsive when opened. (This is probably an issue mainly affecting developers using several browsers on the same system.)  Microsoft is working on a fix. We expect an update in the next Edge update.

There is a significant issue with the current release of Microsoft Exchange Server, which is detailed below in the Exchange Server section.

Major revisions

We have seen three waves of CVE vulnerability revisions from Microsoft (so far) this month — which in itself is unusual — made all the more so by the volume of updates in such a short time. That said, all the revisions were due to mistakes in the publication process; no additional action is required for the following:

  • CVE-2021-43890: Windows AppX Installer Spoofing Vulnerability. Microsoft has updated the FAQs and added clarifying information to the mitigation. This is an informational change only.
  • CVE-2023-36019: Microsoft Power Platform Connector Spoofing Vulnerability. Updated the mitigation to inform customers with existing OAuth 2.0 connectors that the connectors must be updated to use a per-connector redirect URL by March 29. This is an informational change only.
  • CVE-2024-0056, CVE-2024-0057, CVE-2024-0057, CVE-2024-20677 and CVE-2024-21312: These were updated to resolve broken link issues. No further action required.

Contrary to current documentation from Microsoft, there are two revisions that do require attention: CVE-2024-21410 and CVE-2024-21413. Both reported vulnerabilities are “Preview Pane” critical updates from Microsoft that affect Microsoft Outlook and Exchange Server. Though the Microsoft Security Response Center (MSRC) says these vulnerabilities are not under active exploitation, there are severalpublished reports of active exploitation

.

Note: this is a serious combination of Microsoft Exchange and Outlook security issues.

Mitigations and workarounds

Microsoft published the following vulnerability-related mitigations for this month’s release cycle:

We have placed the GPO setting AllowAllTrustedAppToInstall in quotes, as we don’t believe it exists (or the documentation has been removed/deleted). This may be (another) documentation issue.

Each month, the team at Readiness provides detailed, actionable testing guidance based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations. For this February release, we have grouped the critical updates and required testing efforts into functional areas, including:

Security

  • AppLocker: Test basic functionality of AppLocker, including deploying AppLocker policies.
  • Secure Launch has been updated. Administrators can ensure that Secure Launch is working through the Microsoft utilityEXE.

Networking

  • DNS has been updated for all Windows platforms, including changes to RRSIG and DNSKEY (used to decrypt/validate hash records). Microsoft has offered guidance on securing/validating DNS responses for Windows Server here and provided syntax and examples to test out DNS query resolutions.
  • RPC clients for internal applications will require a full end-to-end test cycle.
  • Internet Shortcuts have been updated and will require testing on both online trusted and untrusted sources.
  • Internet Connection Sharing (ICS) will also require tests run on both host and client machines.

Developers and development tools

  • Microsoft updated the core component Microsoft Message Queue (MSMQ) which will affect Message Queue Services, its related Routing service and DCOM proxy. Testing must include online browsing and video/audio streaming for any affected app.
  • SQL OLEDB has been updated, requiring database administrators to check their database connections and basic SQL commands.

Microsoft Office

  • Due to the changes to Adobe Reader and the PDF file format this month, Microsoft Word users should include a test to open, save, and print PDF files.
  • Outlook users should test opening mail and calendar items with an additional test of opening a backup Outlook data file.

Also, this month, Microsoft added a new feature to the Microsoft .NET CORE offering with SignalR. Microsoft explains: 

“ASP.NET SignalR is a library for ASP.NET developers that simplifies the process of adding real-time web functionality to applications. Real-time web functionality is the ability to have server code push content to connected clients instantly as it becomes available, rather than having the server wait for a client to request new data.”

You can find documentation on getting started with SignalR here.

Automated testing will help with these scenarios (especially a testing platform that offers a “delta” or comparison between builds). However, for line-of-business apps, getting the application owner (doing UAT) to test and approve the results is still essential.

Windows lifecycle update

This section contains important changes to servicing (and most security updates) to Windows desktop and server platforms.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

  • Browsers (Microsoft IE and Edge);
  • Microsoft Windows (both desktop and server);
  • Microsoft Office;
  • Microsoft Exchange Server;
  • Microsoft development platforms (NET Core, .NET Core and Chakra Core);
  • Adobe (or, if you get this far).

Browsers

Microsoft released three minor updates to the Chromium-based Edge (CVE-2024-1283, CVE-2024-1284, and CVE-2024-1059) and updated the following reported vulnerabilities:

  • CVE-2024-1060: Chromium: CVE-2024-1060 Use after free in Canvas
  • CVE-2024-1077: Chromium: CVE-2024-1077 Use after free in Network
  • CVE-2024-21399: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

All these updates should have minor to negligible impact on applications that integrate and operate on Chromium. Add them to your standard patch release schedule.

Windows

Microsoft released two critical updates (CVE-2024-21357 and CVE-2024-20684) and 41 patches rated as important for Windows that cover the following components:

  • Windows ActiveX and WDAC OLE DB Provider;
  • Windows Defender;
  • Windows Internet Connection Sharing;
  • Windows Hyper-V;
  • Windows Kernel.

The real worry this month is the Windows SmartScreen (CVE-2024-21351) update, which has been reportedly exploited in the wild. Due to this rapidly emerging threat, add this update to your Windows “Patch Now” release schedule.

Microsoft Office

Microsoft released a single critical update (CVE-2024-21413) and seven patches rated as important for the Microsoft Office productivity suite. The real concern is older versions of Microsoft Office (2016, in particular). If you are running these older versions, you will need to add these updates to your Patch Now schedule.

All modern versions of Microsoft Office can add these February updates to their standard release schedule.

Microsoft Exchange Server

Microsoft released a single update for Microsoft Exchange server, with CVE-2024-21410 rated critical. This update will require a reboot to the target server(s). In addition, Microsoft offered this advice when patching your servers:

“When Setup.exe is used to run /PrepareAD, /PrepareSchema or /PrepareDomain, the installer reports that Extended Protection was configured by the installer, and it displays the following error message: ‘Exchange Setup has enabled Extended Protection on all the virtual directories on this machine.'”

Microsoft offers “Extended Protection” as a series of documents and scripts to help secure your Exchange server. In addition, Microsoft published Mitigating Pass the Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2 to help with managing the attack service of this serious vulnerability. Add this to your “Patch Now” schedule.

Microsoft development platforms

Microsoft released three updates (CVE-2024-20667, CVE-2024-21386 and CVE-2024-21404) affecting the .NET platform as well as Visual Studio 2022. These updates are expected to have minimal impact on app deployments. Add them to your standard developer release schedule.

Adobe Reader (if you get this far)

Adobe Reader updates are back this month (year) with the release of APSB 24-07, a priority three update for both Adobe Reader and Reader DC. Adobe notes that this vulnerability could lead to remote code execution, denial of service, and memory leaks. There are also some documented uninstall issues with Adobe Reader, which might cause deployment headaches. All this is enough to add this Adobe to our “Patch Now” schedule.