Microsoft’s regular Patch Tuesday bug-fixes have landed, with a total of 80 vulnerabilities, two of which the company said are under active exploitation, plus several critical-rated bugs.
The exploited vulnerabilities are CVE-2024-21412 (CVSS score 8.1) and CVE-2024-21351 (CVSS score 7.6).
CVE-2024-21412 bypasses Microsoft’s Internet shortcut files security feature, if the attacker can trick a user into opening a malicious file (for example, via a phishing attack); while CVE-2024-21351 bypasses Windows SmartScreen security, again via the victim opening a malicious file.
The critical vulnerabilities include CVE-2024-21380, CVE-2024-21410 and CVE-2024-21413.
CVE-2024-21380 is an information disclosure vulnerability in Dynamics Business Central (formerly Dynamics NAV).
If the victim clicks on a malicious link, an authenticated attacker can trigger a race condition that “could lead to the attacker gaining the ability to interact with other tenant’s applications and content.”
CVE-2024-21410 is a critical escalation of privilege vulnerability in Microsoft Exchange Server, arising because of an NTLM credential leakage allowing an attacker to authenticate with leaked user credentials.
CVE-2024-21413 is a remote code execution (RCE) vulnerability in Outlook, going back as far as Office 2016.
Attackable via the preview pane, Microsoft said exploitation “would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode.”