Virtual Administrator’s February Patch Recommendations

Patch Recommendations

This month Microsoft released patches for 73 vulnerabilities with 5 rated “Critical” in severity.

All new patches will be approved in our patch policy. (Still deferring KB5034439/KB5034440/KB5034441 for Windows 10/11/Server 2022.)

A sizable number of patches this month. Three flaws are being actively exploited.

  • CVE-2024-21412, a security feature bypass in the way Windows handles Internet Shortcut Files.
  • CVE-2024-21351 a security feature bypass in the built-in Windows SmartScreen.
  • CVE-2024-21410 is an elevation of privilege (EOP) bug in Microsoft Exchange Server that could disclose NTLM hashes. Exchange administrators should read the “Head Up” below for more information as the patch requires additional steps to ensure full protection. A Windows Hyper-V Denial of Service (DOS) vulnerability CVE-2024-20684 is patched.
  • A few new SSUs for Windows Server 2008/2012/2016 and a new standalone for Windows 10 version 21H2/22H2 (KB5033052).

Disclosed: None

Exploited: CVE-2024-21351, CVE-2024-21410, CVE-2024-21412

Deferring KB5034439/KB5034440/KB5034441 – No fix yet from Microsoft.

Please read details on Microsoft’s recommendations to mitigate the failures. Keep in mind exploiting this vulnerability requires physical access to the machine. If the installation fails it will cause no other issues. It will simply keep showing up as a missing patch.

Windows Recovery Environment servicing failed (KB5034439/KB5034441/KB5034440)

https://support.microsoft.com/en-us/topic/kb5034441-windows-recovery-environment-update-for-windows-10-version-21h2-and-22h2-january-9-2024-62c04204-aaa5-4fee-a02a-2fdea17075a8

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20666

Affected platforms: Windows 10/11/Server 2022

Symptom: Some computers might not have a recovery partition that is large enough to complete this update. Because of this, the update for WinRE might fail.

Workaround: Resize your partition to install the WinRE update.

Susan Bradley wrote a great article about this here: How to protect against BitLocker-bypassing vulnerabilities in Windows recovery partitions

Heads Up! Released: 2024 H1 Cumulative Update for Exchange Server

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-2024-h1-cumulative-update-for-exchange-server/ba-p/4047506

Configure Windows Extended Protection in Exchange Server

https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-extended-protection?view=exchserver-2019

CVE-2024-21410 – Microsoft Exchange Server Elevation of Privilege Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410

FYI – Microsoft and its OEM partners plan to update Secure Boot on Windows Unified Extensible Firmware Interface (UEFI)  machines in 2024.

“New DB update is available as an optional servicing update for all Secure Boot enabled devices from February 13, 2024.”

Updating Microsoft Secure Boot keys

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-microsoft-secure-boot-keys/ba-p/4055324

Security Update Guide

https://msrc.microsoft.com/update-guide/en-us

Microsoft Security Advisories

ADV990001 | Latest Servicing Stack Updates (Published:11/13/2018 | Last Updated:2/13/2024)

https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001

Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.

NOTE: The Windows 10 Security Stack Updates are included in the monthly Cumulative Updates.

Known Issues

Minor problems with some browsers on Server 2022. Error message with CU for Exchange Server 2019.

Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues it is unlikely it will occur now.

Good resource for known issues with Windows 10/11 patches. Find the version and click on “Known issues”.

Windows release health

https://docs.microsoft.com/en-us/windows/release-health/

Chromium-based internet browsers, such as Microsoft Edge, might not open correctly.

https://support.microsoft.com/en-us/topic/january-9-2024-kb5034129-os-build-20348-2227-6958a36f-efaf-4ef5-a576-c5931072a89a

Affected platforms: Windows Server 2022

Symptom: After you install KB5034129, chromium-based internet browsers, such as Microsoft Edge, might not open correctly. Browsers affected by this issue might display a white screen and become unresponsive when you open them.

Workaround: You can prevent this issue by removing certain keys related to Image File Execution Options in the Windows registry.  (See above KB for details.)

Status:  We are working on a resolution and will provide an update in an upcoming release.

CU for Exchange Server 2019

Cumulative Update 14 for Exchange Server 2019 (KB5035606)

https://support.microsoft.com/en-us/topic/cumulative-update-14-for-exchange-server-2019-kb5035606-5d08ad6d-3527-41c9-82b6-e19d3ddf94db

Affected platforms: Exchange Server 2019

Symptom: When Setup.exe is used to run /PrepareAD, /PrepareSchema or /PrepareDomain, the installer reports that Extended Protection was configured by the installer, and it displays the following error message:

“Exchange Setup has enabled Extended Protection on all the virtual directories on this machine.”

Status:  None

Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022 KBs

Links are https://support.microsoft.com/en-us/help/####### with the KB number only.

Security and Quality Rollup

  • KB5034819 – Windows Server 2012 R2 (ESU)
  • KB5034830 – Windows Server 2012 (ESU)
  • None – Windows Server 2008 R2 (ESU)
  • None – Windows Server 2008 (ESU)

Security Only Update

  • None – Windows Server 2012 R2 (ESU)
  • None – Windows Server 2012 (ESU)
  • None – Windows Server 2008 R2 (ESU)
  • None – Windows Server 2008 (ESU)

Cumulative Updates

Windows 10

  • KB5034774 – Original release version 1507 (OS Build 10240)
  • KB5034767 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB5034768 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB5034763 – Version 21H2 “November 2021 Update” (OS Build 19044)
  • KB5034763 – Version 22H2 “November 2022 Update” (OS Build 19045)

(Versions 1511,1703,1709,1803,1903,1909,2004,20H2,21H1 are no longer under support)

Windows 11

  • KB5034766 – 21H2 (OS Build 22000) Original release
  • KB5034765 – 22H2 (OS Build 22621)
  • KB5034765 – 23H2 (OS Build 22631)

Windows Server

  • KB5034767- Server 2016 (same KB as Windows 10 Version 1607)
  • KB5034768 – Server 2019 (same KB as Windows 10 Version 1809)
  • KB5034770 – Server 2022 (OS Build 20348)

February 2024 updates for Microsoft Office

https://support.microsoft.com/en-us/topic/february-2024-updates-for-microsoft-office-e4fd637b-865a-47b7-b72f-a44766a217e4

Notable CVEs

CVE-2024-20684 | Windows Hyper-V Denial of Service Vulnerability  (Cumulative Update)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20684

Successful exploitation of this vulnerability could allow a Hyper-V guest to affect the functionality of the Hyper-V host – affects Windows 11 and Windows Server 2022 machines.

CVE-2024-21338, CVE-2024-21345 and CVE-2024-21371 | Windows Kernel Elevation of Privilege Vulnerability  (Cumulative Update)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-21338

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-21345

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-21371

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.  To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

CVE-2024-21357 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability  (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21357

Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.  Windows Pragmatic General Multicast (PGM) produces multicast traffic that runs on layer 4 and is routable. Therefore this vulnerability can be exploited over the network. An attacker could exploit this vulnerability by sending specially crafted malicious traffic directed at a vulnerable server.

CVE-2024-21351 | Windows SmartScreen Security Feature Bypass Vulnerability  (Cumulative Update)

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-21351

An authorized attacker must send the user a malicious file and convince the user to open it.  An attacker who successfully exploited this vulnerability could bypass the SmartScreen user experience.  The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both.

CVE-2024-21410 | Microsoft Exchange Server Elevation of Privilege Vulnerability (KB5035606)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410

An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf.  An attacker who successfully exploited this vulnerability could relay a user’s leaked Net-NTLMv2 hash against a vulnerable Exchange Server and authenticate as the user.

CVE-2024-21412 | Internet Shortcut Files Security Feature Bypass Vulnerability  (Cumulative Update)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21412

An attacker must send the user a malicious file and convince them to open it.  An unauthenticated attacker could send the targeted user a specially crafted file that is designed to bypass displayed security checks. However, the attacker would have no way to force a user to view the attacker-controlled content. Instead, the attacker would have to convince them to take action by clicking on the file link.

CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability (KB5002467,KB5002519,KB5002522,KB5002537,Click to Run)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21413

Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode.