The February 2024 Security Update Review

February 12, 2024 | Dustin Childs

It’s the second patch Tuesday of the year, and Adobe and Microsoft have released a fresh crop of security updates just in time to be our Valentine. Take a break from your other activities and join us as we review the details of their latest advisories. For those interested in the Microsoft 0-day discovered by the ZDI Threat Hunting Team, you can watch this special edition of the Patch Report:

If you’d rather watch the full video recap covering the entire release, you can check out here:

Adobe Patches for February 2024

For February, Adobe released six patches addressing 29 CVEs in Adobe Acrobat and Reader, Commerce, Substance 3D Painter, FrameMaker Publishing Server, Audition, and Substance 3D Designer. A total of four of these bugs were reported through the ZDI program. If you need to prioritize, I would suggest starting with the update for Acrobat and Reader. The patch fixes five Critical-rated arbitrary code execution bugs that are often used in phishing and ransomware campaigns. The fix for Commerce also has a couple of Critical-rated code execution bugs being addressed. Considering this is an aptly named commerce platform, rolling patches quickly here also makes sense.

The updates for Substance 3D Painter and Substance 3D Designer address nine and one bug respectively. The most severe of these would result in arbitrary code execution, but they also require user interaction – something like opening a specially crafted file or browsing to a malicious URL. The patch for the FrameMaker Publishing Server (not to be confused with FrameMaker itself) fixes a security feature bypass (SFB) that’s rated at a CVSS 9.8. Although not specifically stated, that reads like either a complete authentication bypass or hard-coded credentials. The final patch for Adobe Audition corrects a single heap-based buffer overflow that could lead to arbitrary code execution.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for February 2024

This month, Microsoft released 72 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and ASP.NET; SQL Server; Windows Hyper-V; and Microsoft Dynamics. In addition to the new CVEs, multiple Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 78. Two of these bugs were reported through the ZDI program, including one of the bugs under active attack.

Of the new patches released today, five are rated Critical, 65 are rated Important, and two are rated Moderate in severity. This is a relatively typical volume of fixes for a February release, and so far, the number of fixes from Adobe and Microsoft is lower than last year over the same time. It will be interesting to see if this trend continues throughout 2024.

Two of these CVEs are listed as under active attack at the time of release, although neither is listed as publicly known. Let’s take a closer look at some of the more interesting updates for this month, starting with the discovery made by the ZDI Threat Hunting team:

-       CVE-2024-21412 – Internet Shortcut Files Security Feature Bypass Vulnerability
This is the bug found by Peter Girnus and the rest of the ZDI Threat Hunting team. I won’t go into great detail about the technical aspects of the bug because my colleagues at Trend Micro Research have already done that here. The video above also provides some context and a demonstration of the vulnerability. This bug is currently targeting forex traders with a remote access trojan through forum posts and responses, but we expect it to spread now that it is publicly known. Trend Micro customers are already protected by various filters and virtual patches, but everyone else should test and deploy this fix as soon as possible.

-       CVE-2024-21351 – Windows SmartScreen Security Feature Bypass Vulnerability
This is the other actively exploited bug being patched this month, and it appears to be very similar to the previous ITW exploit. Windows uses Mark-of-the-Web (MotW) to distinguish files that originate from an untrusted location. SmartScreen bypasses in Windows Defender allow attackers to evade this inspection and run code in the background. Microsoft does not indicate how widespread these attacks may be but you should expect exploits to increase as threat actors add this to their toolkits. Again, test and deploy this update quickly.

-       CVE-2024-21410 – Microsoft Exchange Server Elevation of Privilege Vulnerability
*Note: On February 14, Microsoft updated their advisory to indicate this bug is being actively exploited in the wild
It’s been a minute since we’ve had an Exchange Server patch, and this vulnerability doesn’t disappoint with a CVSS rating of 9.8. A remote, unauthenticated attacker could use this bug to relay NTLM credentials and impersonate other users on the Exchange server. Patching won’t be straightforward either – if there is such a thing as a straightforward patch for Exchange Server. You’ll need to make sure to install the Exchange Server 2019 Cumulative Update 14 (CU14) update and ensure the Extended Protection for Authentication (EPA) feature is enabled. Microsoft has provided this article with additional information for Exchange administrators.

-       CVE-2024-21413 – Microsoft Outlook Remote Code Execution Vulnerability
*Note: On February 14, Microsoft updated their advisory to indicate this bug is being actively exploited in the wild - then they changed the bulletin again and said it wasn’t

This is an intriguing bug that allows an attacker to bypass the Office Protected View and open a file in editing mode rather than protected mode. Not only does this somehow allow code execution to occur, but it could also occur in the Preview Pane. This vulnerability also rates a CVSS of 9.8, so the severity isn’t being overstated. Also, users of the 32- and 64-bit versions of Office 2016 will need to install multiple updates to fully address this vulnerability. Be sure to close all running Office apps when installing these fixes to help avoid a reboot, which is listed as a “Maybe” for the Office 2016 patches.

Here’s the full list of CVEs released by Microsoft for February 2024:

CVE Title Severity CVSS Public Exploited Type
CVE-2024-21412 Internet Shortcut Files Security Feature Bypass Vulnerability Important 8.1 No Yes SFB
CVE-2024-21351 Windows SmartScreen Security Feature Bypass Vulnerability Moderate 7.6 No Yes SFB
CVE-2024-21410 † Microsoft Exchange Server Elevation of Privilege Vulnerability Critical 9.8 No Yes EoP
CVE-2024-21413 † Microsoft Outlook Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2024-21380 Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability Critical 8 No No Info
CVE-2024-20684 Windows Hyper-V Denial of Service Vulnerability Critical 6.5 No No DoS
CVE-2024-21357 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability Critical 7.5 No No RCE
CVE-2024-21386 .NET Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-21404 .NET Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-21329 Azure Connected Machine Agent Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2024-20667 Azure DevOps Server Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2024-20679 Azure Stack Hub Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2024-21394 Dynamics 365 Field Service Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2024-21396 Dynamics 365 Sales Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2024-21328 Dynamics 365 Sales Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2024-21348 Internet Connection Sharing (ICS) Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-21349 Microsoft ActiveX Data Objects Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21381 † Microsoft Azure Active Directory B2C Spoofing Vulnerability Important 6.8 No No Spoofing
CVE-2024-21397 Microsoft Azure File Sync Elevation of Privilege Vulnerability Important 5.3 No No EoP
CVE-2024-21403 † Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability Important 9 No No EoP
CVE-2024-21376 † Microsoft Azure Kubernetes Service Confidential Container Remote Code Execution Vulnerability Important 9 No No RCE
CVE-2024-21315 Microsoft Defender for Endpoint Protection Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21395 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 8.2 No No XSS
CVE-2024-21389 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 7.6 No No XSS
CVE-2024-21393 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 7.6 No No XSS
CVE-2024-21327 Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability Important 7.6 No No XSS
CVE-2024-21401 † Microsoft Entra Jira Single-Sign-On Plugin Elevation of Privilege Vulnerability Important 9.8 No No EoP
CVE-2024-21354 Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21355 Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-21405 Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-21363 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2024-21347 Microsoft ODBC Driver Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2024-21384 Microsoft Office OneNote Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2024-20673 † Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2024-21402 Microsoft Outlook Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2024-21378 Microsoft Outlook Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2024-21374 Microsoft Teams for Android Information Disclosure Important 5 No No Info
CVE-2024-21353 Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21350 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21352 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21358 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21360 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21361 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21366 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21369 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21375 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21420 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21359 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21365 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21367 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21368 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21370 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21391 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21379 Microsoft Word Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-50387 * MITRE: CVE-2023-50387 DNS RRSIGs and DNSKEYs validation can be abused to remotely consume DNS server resources Important N/A No No DoS
CVE-2024-20695 Skype for Business Information Disclosure Vulnerability Important 5.7 No No Info
CVE-2024-21304 Trusted Compute Base Security Feature Bypass Vulnerability Important 4.1 No No SFB
CVE-2024-21346 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21406 Windows Device Metadata Retrieval Client (DMRC) Spoofing Vulnerability Important 7.5 No No Spoofing
CVE-2024-21342 Windows DNS Client Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-21377 Windows DNS Information Disclosure Vulnerability Important 7.1 No No Info
CVE-2024-21345 Windows Kernel Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2024-21338 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21371 Windows Kernel Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-21340 Windows Kernel Information Disclosure Vulnerability Important 4.6 No No Info
CVE-2024-21341 Windows Kernel Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2024-21362 Windows Kernel Security Feature Bypass Vulnerability Important 5.5 No No SFB
CVE-2024-21356 Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2024-21343 Windows Network Address Translation (NAT) Denial of Service Vulnerability Important 5.9 No No DoS
CVE-2024-21344 Windows Network Address Translation (NAT) Denial of Service Vulnerability Important 5.9 No No DoS
CVE-2024-21372 Windows OLE Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21339 Windows USB Generic Parent Driver Remote Code Execution Vulnerability Important 6.4 No No RCE
CVE-2024-21364 Microsoft Azure Site Recovery Elevation of Privilege Vulnerability Moderate 9.3 No No EoP
CVE-2024-21399 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Moderate 8.3 No No RCE
CVE-2024-1059 * Chromium: CVE-2024-1059 Use after free in WebRTC High N/A No No RCE
CVE-2024-1060 * Chromium: CVE-2024-1060 Use after free in Canvas High N/A No No RCE
CVE-2024-1077 * Chromium: CVE-2024-1077 Use after free in Network High N/A No No RCE
CVE-2024-1283 * Chromium: CVE-2024-1283: Heap buffer overflow in Skia High N/A No No RCE
CVE-2024-1284 * Chromium: CVE-2024-1284: Use after free in Mojo High N/A No No RCE

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.

Looking at the remaining Critical-rated bugs, the fix for Dynamics Business Central stands out as it could lead to a threat actor accessing other tenants’ applications and content. The attacker must be authenticated, but successful exploitation would grant them read, write, and delete functionality. You don’t see Critical-rated DoS bugs often, but the patch for Hyper-V deserves the rating as a guest OS could impact the Hyper-V host. The vulnerability in Pragmatic General Multicast (PGM) is serious but less likely to be exploited as it requires the attacker to be network adjacent. Multicast messages aren’t routable beyond a single network segment.

Moving on to the other code execution bugs, SQL clients are having a moment with 18 different patches. Thankfully, each of these bugs requires an affected client to connect to a malicious SQL Server, so practical exploitation is unlikely without significant social engineering. It’s the same scenario for the bug in ActiveX, too. The more concerning bugs are in Word and Outlook and have the Preview Pane as an attack vector. Word bugs are typically open-and-own, but having one that hits in the Preview Pane is definitely a rarity. The other RCEs in Office components are more traditional, but CVE-2024-20673 also requires users of the 32- and 64-bit versions of Office 2016 to install multiple updates to be protected. Speaking of extra steps, there are additional actions required to address the bug in the Azure Kubernetes Service. As stated by Microsoft in the bulletin:


Customers who do not have az confcom installed can install the latest version by executing az extension add -n confcom. Customers who are running versions prior to 0.3.3 need to update by executing az extension update -n confcom. For more information, see https://learn.microsoft.com/en-us/cli/azure/extension?view=azure-cli-latest#az-extension-update and Confidential computing plugin for Confidential VMs.


The bug in Azure DevOps requires attackers to have Queue Build permissions. The bug in Microsoft Message Queuing (MSMQ) is written as an “open and own” style bug. This could mean opening an application that uses MSMQ could trigger the bug, but it’s not clear. It’s also not clear how an attacker would get RCE through the USB driver or Windows kernel. One can assume plugging in a malicious USB drive for the former, but the latter is definitely more opaque. Kernel bugs tend to either be privilege escalations or info disclosures. Maybe this is something through SMB?

There are a total of 14 different elevation of privilege (EoP) patches in this month’s release, and most simply result in an authenticated attacker executing code at SYSTEM on a target. There are some notable exceptions, starting with the CVSS 9.8 bug in Entra Jira SSO plugin. A remote, unauthenticated attacker could fully update Entra ID SAML metadata and info for the plugin. The attacker could then change the authentication of the application to their tenant as needed. Patching this requires the admin to download and install version 1.1.2 of the plugin either from the Microsoft Download Center or from Atlassian Marketplace. You also need to take the same steps to address the bug in the Azure Kubernetes Service as are listed above. The escalation in Azure File Sync allows attackers to create files in directories where they shouldn’t have access. They wouldn’t be able to modify or delete existing files. The Moderate-rated (yet somehow CVSS 9.3) bug in Azure Site Recovery could allow an attacker to obtain the MySQL root password – allowing even further compromise. Not sure how that ended up as “Moderate”, but I would treat it as critical if you are running Azure Site Recovery. Finally, the privilege escalation in Outlook simply yields code execution at the level of the user running the application.

There are only a few information disclosure bugs receiving fixes in this month’s release. The bugs in the Windows kernel and DNS server only result in info leaks consisting of unspecified memory contents. The vulnerability in Skype for Business (remember it?) would allow an attacker to view file contents. Microsoft doesn’t specify what information can be disclosed by the bug in Teams for Android, but they do note user interaction is required. You’ll also need to get the update directly from the Android Play Store to be protected from this vulnerability.

In addition to the two I’ve already mentioned, there are two additional SFB patches released this month. The SFB in the kernel allows attackers to bypass the Windows Code Integrity Guard (CIG). The final SFB in Trusted Compute Base could allow some to bypass – you guessed it – secure boot.

In addition to those already documented, the February release includes fixes for just over a half dozen denial-of-service (DoS) bugs. However, Microsoft provides no real information or details for them. If I were to guess, I would put the DNS and LDAP bugs at the top of my severity rankings due to their role in the enterprise.

This month’s release also includes six fixes for spoofing bugs. Three of these are in Dynamics 365 and would allow an attacker to modify the content of a link on an affected system to redirect the victim to a malicious site. There’s a fix for the Device Metadata Retrieval Client (DMRC) that fixes a vulnerability triggered when a remote attacker sends a specially crafted packet to an affected system. The final two spoofing bugs are both in Azure. The bug in Azure Stack Hub requires a user to click on a link. The bug in Azure Active Directory requires an attack to intercept traffic (MitM), but servicing goes beyond just installing a patch. Microsoft rolled out a fix already that includes Proof Key for Code Exchange (PKCE) as outlined here. However, not all customers may have received the update. If you were notified directly via Azure Service Health Alerts under Tracking ID: XXXXXX, you will need to take additional actions.

Finally, there are four cross-site scripting (XSS) bugs in Microsoft Dynamics receiving patches. No new advisories were released this month.

Looking Ahead

The next Patch Tuesday of 2024 will be on March 12, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!