Virtual Administrator’s February Patch Recommendations


This month Microsoft released patches for 73 vulnerabilities with 5 rated “Critical” in severity.

All new patches will be approved in our patch policy. (Still deferring KB5034439/KB5034440/KB5034441 for Windows 10/11/Server 2022.)

A sizable number of patches this month. Three flaws are being actively exploited:

  • CVE-2024-21412, a security feature bypass in the way Windows handles Internet Shortcut Files.
  • CVE-2024-21351, a security feature bypass in the built-in Windows SmartScreen.
  • CVE-2024-21410, an elevation of privilege (EOP) bug in Microsoft Exchange Server that could disclose NTLM hashes. Exchange administrators should read the “Heads Up” below for more information, as the patch requires additional steps (enabling Extended Protection) to ensure full protection.

Also of note:

  • A Windows Hyper-V Denial of Service (DoS) vulnerability, CVE-2024-20684, is patched.
  • A few new SSUs for Windows Server 2008/2012/2016 and a new standalone SSU for Windows 10 version 21H2/22H2 (KB5033052).

Disclosed: None

Exploited: CVE-2024-21351, CVE-2024-21410, CVE-2024-21412

Deferring KB5034439/KB5034440/KB5034441 – No fix yet from Microsoft.

Please read the details of Microsoft’s recommendations to mitigate the failures. Keep in mind that exploiting this vulnerability requires physical access to the machine. If the installation fails, it causes no other issues; the update will simply keep showing up as missing.

Windows Recovery Environment servicing failed (KB5034439/KB5034441/KB5034440)

https://support.microsoft.com/en-us/topic/kb5034441-windows-recovery-environment-update-for-windows-10-version-21h2-and-22h2-january-9-2024-62c04204-aaa5-4fee-a02a-2fdea17075a8

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20666

Affected platforms: Windows 10/11/Server 2022

Symptom: Some computers might not have a recovery partition that is large enough to complete this update. Because of this, the update for WinRE might fail.

Workaround: Resize your partition to install the WinRE update.

Susan Bradley wrote a great article about this here: How to protect against BitLocker-bypassing vulnerabilities in Windows recovery partitions
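The WinRE update fails when the recovery partition is too small, so it helps to check the partition before pushing KB5034439/KB5034440/KB5034441 to a fleet. The script below is an added example (not from Virtual Administrator or Microsoft); it parses the WinRE location from `reagentc /info` and reports the partition’s size and free space. The 250 MB threshold is an assumption used as a working value; confirm the required free space against Microsoft’s KB5034441 guidance before resizing anything.

```powershell
# Added example: report the WinRE recovery partition's size and free space
# to predict whether the KB5034441-style WinRE update is likely to fail.
# Run from an elevated PowerShell session (reagentc and Get-Partition need admin).

# ASSUMPTION: 250 MB free is used as the working threshold; verify against the KB.
$threshold = 250MB

# reagentc prints a line such as:
#   Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
$info = reagentc /info 2>&1
$locationLine = $info | Where-Object { $_ -match 'Windows RE location' }

if (-not $locationLine -or $locationLine -notmatch 'harddisk(\d+)\\partition(\d+)') {
    Write-Warning 'WinRE is disabled or its location could not be parsed from reagentc /info.'
    return
}
$diskNumber      = [int]$Matches[1]
$partitionNumber = [int]$Matches[2]

# The recovery partition usually has no drive letter; Get-Volume still resolves it
# when the Partition object is piped in.
$partition = Get-Partition -DiskNumber $diskNumber -PartitionNumber $partitionNumber
$volume    = $partition | Get-Volume

[pscustomobject]@{
    Disk          = $diskNumber
    Partition     = $partitionNumber
    SizeMB        = [math]::Round($partition.Size / 1MB)
    FreeMB        = [math]::Round($volume.SizeRemaining / 1MB)
    BelowThreshold = ($volume.SizeRemaining -lt $threshold)
}
```

A `BelowThreshold` of `True` flags a machine that should have its recovery partition resized per the KB before the update is approved for it.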

Heads Up! Released: 2024 H1 Cumulative Update for Exchange Server

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-2024-h1-cumulative-update-for-exchange-server/ba-p/4047506

Configure Windows Extended Protection in Exchange Server

https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-extended-protection?view=exchserver-2019

CVE-2024-21410 – Microsoft Exchange Server Elevation of Privilege Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410

FYI – Microsoft and its OEM partners plan to update Secure Boot on Windows Unified Extensible Firmware Interface (UEFI) machines in 2024.

“New DB update is available as an optional servicing update for all Secure Boot enabled devices from February 13, 2024.”

Updating Microsoft Secure Boot keys

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-microsoft-secure-boot-keys/ba-p/4055324

Security Update Guide

https://msrc.microsoft.com/update-guide/en-us

Microsoft Security Advisories

ADV990001 | Latest Servicing Stack Updates (Published: 11/13/2018 | Last Updated: 2/13/2024)

https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001

Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.

NOTE: The Windows 10 Servicing Stack Updates are included in the monthly Cumulative Updates.

Known Issues

Minor problems with some browsers on Server 2022. Error message with CU for Exchange Server 2019.

Microsoft continues to list unresolved older problems under the Known Issues for new patches, so if you have not yet experienced one of these issues, it is unlikely to occur now.

Good resource for known issues with Windows 10/11 patches. Find the version and click on “Known issues”.

Windows release health

https://docs.microsoft.com/en-us/windows/release-health/

Chromium-based internet browsers, such as Microsoft Edge, might not open correctly.

https://support.microsoft.com/en-us/topic/january-9-2024-kb5034129-os-build-20348-2227-6958a36f-efaf-4ef5-a576-c5931072a89a

Affected platforms: Windows Server 2022

Symptom: After you install KB5034129, chromium-based internet browsers, such as Microsoft Edge, might not open correctly. Browsers affected by this issue might display a white screen and become unresponsive when you open them.

Workaround: You can prevent this issue by removing certain keys related to Image File Execution Options in the Windows registry. (See the above KB for details.)

Status: We are working on a resolution and will provide an update in an upcoming release.

CU for Exchange Server 2019

Cumulative Update 14 for Exchange Server 2019 (KB5035606)

https://support.microsoft.com/en-us/topic/cumulative-update-14-for-exchange-server-2019-kb5035606-5d08ad6d-3527-41c9-82b6-e19d3ddf94db

Affected platforms: Exchange Server 2019

Symptom: When Setup.exe is used to run /PrepareAD, /PrepareSchema or /PrepareDomain, the installer reports that Extended Protection was configured by the installer, and it displays the following error message:

“Exchange Setup has enabled Extended Protection on all the virtual directories on this machine.”

Status: None

Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022 KBs

Links are of the form https://support.microsoft.com/en-us/help/####### where ####### is the KB number (digits only).

Security and Quality Rollup

  • KB5034819 – Windows Server 2012 R2 (ESU)
  • KB5034830 – Windows Server 2012 (ESU)
  • None – Windows Server 2008 R2 (ESU)
  • None – Windows Server 2008 (ESU)

Security Only Update

  • None – Windows Server 2012 R2 (ESU)
  • None – Windows Server 2012 (ESU)
  • None – Windows Server 2008 R2 (ESU)
  • None – Windows Server 2008 (ESU)

Cumulative Updates

Windows 10

  • KB5034774 – Original release version 1507 (OS Build 10240)
  • KB5034767 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB5034768 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB5034763 – Version 21H2 “November 2021 Update” (OS Build 19044)
  • KB5034763 – Version 22H2 “November 2022 Update” (OS Build 19045)

(Versions 1511,1703,1709,1803,1903,1909,2004,20H2,21H1 are no longer under support)

Windows 11

  • KB5034766 – 21H2 (OS Build 22000) Original release
  • KB5034765 – 22H2 (OS Build 22621)
  • KB5034765 – 23H2 (OS Build 22631)

Windows Server

  • KB5034767 – Server 2016 (same KB as Windows 10 Version 1607)
  • KB5034768 – Server 2019 (same KB as Windows 10 Version 1809)
  • KB5034770 – Server 2022 (OS Build 20348)

February 2024 updates for Microsoft Office

https://support.microsoft.com/en-us/topic/february-2024-updates-for-microsoft-office-e4fd637b-865a-47b7-b72f-a44766a217e4

Notable CVEs

CVE-2024-20684 | Windows Hyper-V Denial of Service Vulnerability (Cumulative Update)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20684

Successful exploitation of this vulnerability could allow a Hyper-V guest to affect the functionality of the Hyper-V host – affects Windows 11 and Windows Server 2022 machines.

CVE-2024-21338, CVE-2024-21345 and CVE-2024-21371 | Windows Kernel Elevation of Privilege Vulnerability (Cumulative Update)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-21338

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-21345

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-21371

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

CVE-2024-21357 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21357

Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment. Windows Pragmatic General Multicast (PGM) produces multicast traffic that runs on layer 4 and is routable; therefore this vulnerability can be exploited over the network. An attacker could exploit this vulnerability by sending specially crafted malicious traffic directed at a vulnerable server.

CVE-2024-21351 | Windows SmartScreen Security Feature Bypass Vulnerability (Cumulative Update)

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-21351

An authorized attacker must send the user a malicious file and convince the user to open it. An attacker who successfully exploited this vulnerability could bypass the SmartScreen user experience. The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both.

CVE-2024-21410 | Microsoft Exchange Server Elevation of Privilege Vulnerability (KB5035606)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410

An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf. An attacker who successfully exploited this vulnerability could relay a user’s leaked Net-NTLMv2 hash against a vulnerable Exchange Server and authenticate as the user.

CVE-2024-21412 | Internet Shortcut Files Security Feature Bypass Vulnerability (Cumulative Update)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21412

An attacker must send the user a malicious file and convince them to open it. An unauthenticated attacker could send the targeted user a specially crafted file that is designed to bypass displayed security checks. However, the attacker would have no way to force a user to view the attacker-controlled content. Instead, the attacker would have to convince them to take action by clicking on the file link.

CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability (KB5002467, KB5002519, KB5002522, KB5002537, Click-to-Run)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21413

Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode.