Akamai’s Perspective on February’s Patch Tuesday 2024
A bouquet of roses is a lovely gift — but in our line of work, a patch is more welcome. As we do every month, the Akamai Security Intelligence Group set out to look at the more intriguing vulnerabilities that were patched. Of the 73 CVEs this month, 5 are critical, but we also have 2 other CVEs that were seen exploited in the wild: CVE-2024-21351 in Windows SmartScreen and CVE-2024-21412 in Internet Shortcut files. Both are security feature bypasses that let attackers evade the checks that would otherwise warn users before they open potentially malicious files.
In this blog post, we’ll assess how critical the vulnerabilities really are, and how commonplace the affected applications and services are, to provide you with a realistic perspective on the bugs that were fixed. Be on the lookout for these insights in the days after every Patch Tuesday.
This is an ongoing report and we’ll add more information to it as our research progresses — stay tuned!
This month, we’re focusing on the following areas in which bugs were patched:
Vulnerabilities exploited in the wild
CVE-2024-21351 — Windows SmartScreen (CVSS 7.6)
This is a security bypass vulnerability that skips the SmartScreen security warning when opening potentially malicious files downloaded from the web. In that scenario, Windows SmartScreen is responsible for displaying a warning screen. To exploit the vulnerability, the attacker has to craft a file in a specific way that causes Windows SmartScreen to fail to check the file, thereby bypassing the warning screen. According to the CVE notes, it is also possible to inject code into the SmartScreen process via this vulnerability.
This is not the first time SmartScreen bypass vulnerabilities have been actively exploited by threat actors. November 2023’s patch also included a fix for a bypass vulnerability that was reported as actively exploited.
CVE-2024-21412 — Internet Shortcut files (CVSS 8.1)
Internet Shortcut files are .url files that point to internet addresses. The vulnerability bypasses some security checks that should happen when double-clicking on those files, similar to the SmartScreen CVE above (in fact, the SmartScreen CVE from November 2023 was specifically for Internet Shortcut files, and this CVE is a bypass of that patch). The Shortcut files have to be specifically crafted to trigger the vulnerability, and the victim has to click on them for the vulnerability to trigger. It was used as part of a Water Hydra campaign. You can find more details about it in Peter Girnus’s post on the X platform, formerly known as Twitter, or in Trend Micro’s blog.
Windows Exchange Server and Microsoft Outlook
Although Exchange Server and Outlook are two separate products, they are so closely related (the former is the email server and the latter is the email client) that we decided to discuss them together. There were three CVEs patched in Outlook, one of them critical, and one other critical CVE in Exchange Server.
CVE-2024-21413 is a critical remote code execution vulnerability in Outlook, which (according to Microsoft’s notes) allows attackers to bypass Office Protected View and open documents in editing mode instead of read-only mode. This could lead to bypassing security mechanisms and leaking credentials, which could then be used for remote code execution. This vulnerability was found by Haifei Li of Check Point Research, and you can read more about it in this blog post.
CVE-2024-21410 is another critical remote code execution vulnerability, but in the Windows Exchange Server. The vulnerability requires that attackers achieve some sort of machine-in-the-middle channel to relay credentials to the Exchange Server and authenticate as the victim. The attackers could then perform privileged actions on the victim’s behalf. Microsoft recommends enabling Extended Protection for Authentication as a mitigation for the risk, but patching is also advised. In our observations, we’ve seen that 27% of enterprise networks had an on-prem Exchange server.
| CVE number | Component | Effect | Required access |
|---|---|---|---|
| | Windows Exchange Server | Elevation of privilege | Network |
| | Microsoft Outlook | Remote code execution | |
| | | Elevation of privilege | Local |
Windows OLE and ODBC
Windows OLE and ODBC are both API specifications that were designed to abstract away the connection between a data consumer and a data source. Whereas ODBC is older and procedural, OLE is newer, implemented using the Component Object Model (COM), and also supports nonrelational databases.
There were 18 CVEs patched this month, 16 related to OLE and 2 related to ODBC. All the CVEs are for remote code execution that targets the database client. Attackers have to lure victims to connect to a malicious database in their control, from which they can send specifically crafted packets to trigger remote code execution on the victim’s client. Almost all the CVEs have a CVSS score of 8.8.
Possible mitigation
The impact of all the vulnerabilities can be mitigated using segmentation. Creating an allowlist of known SQL servers in the organization will ensure that no connections are made to external unknown servers, thus preventing the attack chain described above.
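One way to operationalize the allowlist described above, as an added example that is not part of the Akamai post: a small check that reads connection (flow) records, keeps only flows to SQL Server ports, and flags any destination that is not in the organization’s approved server inventory. The allowlist, the port set and the flow records are all constructed for this example.

```python
"""Flag database-client connections to servers outside the approved inventory.

Added example (not from the Akamai post). The allowlist, ports and flow
records below are constructed; plug in your own inventory and flow export.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed allowlist of the organization's known SQL servers (IPs or hostnames).
APPROVED_SQL_SERVERS = {"10.0.5.10", "10.0.5.11", "sql-prod-01.corp.example"}

# SQL Server default TCP port and the SQL Browser service port.
DB_PORTS = {1433, 1434}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse a constructed 'src dst dport' record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 3 or not parts[2].isdigit():
        return None
    return Flow(parts[0], parts[1], int(parts[2]))


def is_approved(dst: str) -> bool:
    """True only if the destination is an explicitly allowlisted SQL server."""
    return dst in APPROVED_SQL_SERVERS


def find_unapproved_db_connections(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (src, dst, dport) for every DB-port flow whose destination is off the allowlist."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow.dport not in DB_PORTS:
            continue  # skip malformed records and non-database traffic
        if not is_approved(flow.dst):
            hits.append((flow.src, flow.dst, flow.dport))
    return hits


# Constructed sample flow records: "src dst dport".
SAMPLE_FLOWS = [
    "10.0.1.25 10.0.5.10 1433",     # approved internal SQL server: fine
    "10.0.1.25 10.0.1.9 1433",      # internal host not in inventory: flag
    "10.0.1.40 203.0.113.7 1433",   # external server: flag
    "10.0.1.40 203.0.113.7 443",    # HTTPS, not a DB port: ignore
    "not a flow record",            # malformed: skipped
]

if __name__ == "__main__":
    for src, dst, port in find_unapproved_db_connections(SAMPLE_FLOWS):
        print(f"unapproved DB connection: {src} -> {dst}:{port}")
```

In a real deployment the same check can be enforced rather than just detected by turning the allowlist into outbound firewall or segmentation rules for the database ports.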
| CVE number | Component |
|---|---|
| | Microsoft WDAC ODBC Driver |
| | Microsoft ODBC Driver |
| | Windows OLE |
| | Microsoft WDAC OLE DB provider for SQL Server |
Previously covered services
Many CVEs in this month’s Patch Tuesday are for systems that we’ve already covered in the past. If you’re interested in our analysis of, or general recommendations for, those services, we encourage you to look at our previous Patch Tuesday perspective blog posts.
| Service | CVE number | Effect | Required access |
|---|---|---|---|
| | | Elevation of privilege | Local |
| | | Arbitrary code execution | |
| | | Remote code execution | Network |
| | | Denial of service | Network |
| | | Denial of service | Network |
This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change. You can also visit us on X, formerly known as Twitter, for real-time updates.