This month, Microsoft released updates for 73 Microsoft-issued CVEs as well as 6 non-Microsoft CVEs. While not mentioned in the release notes, there is an additional CVE referenced within the Microsoft API: CVE-2024-21626, the runc container-escape vulnerability, resolved in CBL-Mariner, the Microsoft-developed Linux distribution used as the base container OS in Azure. The commit for the Mariner fix contains details on the vulnerability and how an attacker might exploit it. When all of these are factored in, we are looking at a total of 80 CVEs that enterprises may need to resolve.
Two actively exploited (0-day) vulnerabilities are resolved by today's updates: CVE-2024-21351, a bypass of the Windows SmartScreen security feature, and CVE-2024-21412, a bypass of the Internet Shortcut Files security feature. Both are bypasses of warning prompts rather than remote code execution on their own: a file crafted to defeat these checks opens without the warning users have been trained to expect, so the user's decision to open it is the last control left. That is why user awareness training remains critical. If you can train users not to open files they were not expecting, you limit the risk from vulnerabilities of this nature.
Three CVSS 9.8 vulnerabilities are resolved by today's updates, two of which are also rated Critical by Microsoft. The biggest item is likely Exchange (CVE-2024-21410), an elevation of privilege via NTLM credential relay. The fix, shipped with Exchange Server 2019 CU14, turns on Extended Protection for Authentication by default; this protection already existed but had to be enabled by administrators, and in many environments never was. Microsoft has published a blog post for Exchange admins detailing considerations for this change, because some deployments (for example those terminating TLS on a load balancer or proxy in front of Exchange) may break when Extended Protection is turned on. The other Critical item affects Microsoft Outlook (CVE-2024-21413), and Microsoft lists the Preview Pane as an attack vector, so the user does not need to open the message. According to Microsoft, a malicious link can bypass Office Protected View, opening the content in editing mode rather than protected mode; this can leak NTLM credential information or lead to code execution.
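Because the Exchange fix depends on Extended Protection actually being in force, the first thing to verify after updating (or on servers where the update cannot yet be installed) is the per-virtual-directory setting. The following PowerShell is an added example written for this article, not Microsoft's or Fortra's code; Microsoft's supported tool for configuring this is the ExchangeExtendedProtectionManagement.ps1 script from the CSS-Exchange repository. It reads the IIS applicationHost.config directly and reports the `tokenChecking` value for each Exchange front-end virtual directory. The config path, the site name "Default Web Site", and the list of virtual directories are assumptions for a default installation and should be adjusted to your environment.

```powershell
# Added example: report the IIS Extended Protection (tokenChecking) setting for
# the Exchange front-end virtual directories by parsing applicationHost.config.
# Assumptions: default IIS config path, default Exchange front-end site name,
# and the default set of Exchange virtual directories listed below.
$ConfigPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$SiteName   = 'Default Web Site'
$VDirs      = 'Autodiscover','ECP','EWS','mapi','Microsoft-Server-ActiveSync','OAB','owa','PowerShell','Rpc'

function Get-ExtendedProtectionReport {
    param(
        [string]$Path = $ConfigPath,
        [string]$Site = $SiteName,
        [string[]]$Directories = $VDirs
    )
    [xml]$config = Get-Content -LiteralPath $Path -Raw

    foreach ($vdir in $Directories) {
        $locationPath = "$Site/$vdir"
        # Each virtual directory's overrides live in a <location path="Site/VDir"> element.
        $location = $config.configuration.location | Where-Object { $_.path -eq $locationPath }

        $windowsAuth = $null
        if ($location) {
            $windowsAuth = $location.SelectSingleNode('system.webServer/security/authentication/windowsAuthentication')
        }
        $extendedProtection = $null
        if ($windowsAuth) {
            $extendedProtection = $windowsAuth.SelectSingleNode('extendedProtection')
        }

        # tokenChecking is None, Allow or Require. If the element is absent, IIS
        # falls back to its default, which is None (no channel binding enforced).
        $tokenChecking = if ($extendedProtection -and $extendedProtection.tokenChecking) {
            $extendedProtection.tokenChecking
        } else {
            'None (default)'
        }

        [pscustomobject]@{
            VirtualDirectory   = $locationPath
            WindowsAuthEnabled = if ($windowsAuth) { $windowsAuth.enabled } else { 'n/a' }
            TokenChecking      = $tokenChecking
            Flags              = if ($extendedProtection -and $extendedProtection.flags) { $extendedProtection.flags } else { '' }
            RequireSet         = ($tokenChecking -eq 'Require')
        }
    }
}

# Usage: run in an elevated PowerShell session on the Exchange server.
Get-ExtendedProtectionReport | Format-Table -AutoSize
```

A value of `None` on an externally reachable virtual directory means Windows authentication to that endpoint can still be relayed. Do not treat every non-`Require` row as a misconfiguration, though: Microsoft's Extended Protection documentation specifies the expected value per virtual directory (and separately for the Exchange Back End site, which this report does not cover), so compare the output against that guidance rather than blanket-enforcing `Require`.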
The final CVE with a CVSS score of 9.8 is rated only Important, but it may be the most interesting vulnerability of the month. While Exchange has the highest likelihood of severe impact within organizations, this final CVE (CVE-2024-21401) likely requires coordination outside the Microsoft admin teams and could be very widespread. The vulnerability affects the Microsoft Entra (Azure AD) Jira SSO Plugin and could allow an attacker to redirect the plugin's authentication to a tenant they control, resulting in elevation of privilege. It is notable because the fix is not delivered by Windows Update: Jira admins will need to update the plugin themselves to resolve the vulnerability.