Security News > 2024 > February > Crims found and exploited these two Microsoft bugs before Redmond fixed 'em

Patch Tuesday Microsoft fixed 73 security holes in this February's Patch Tuesday, and you better get moving because two of the vulnerabilities are under active attack.

First up: CVE-2024-21412, an internet shortcut file security feature bypass vulnerability that earned an 8.1-out-of-10 CVSS severity rating though Redmond only considers it important.

So patch this one ASAP. The second Microsoft vulnerability that's under active exploit, CVE-2024-21351, is a Windows SmartScreen security feature bypass vulnerability that earned a 7.6 CVSS rating.

Twenty of these vulnerabilities - including three high-rated bugs - are in Intel Thunderbolt Declarative Componentized Hardware drivers for Windows, and exploiting them could lead to escalation of privileges by an attacker, denial of service, and/or information disclosure.

We should also mention: AMD has patched a flaw in the RSA authentication mechanism of its UltraScale and UltraScale+ FPGAs, which can be exploited to inject unauthorized bitstreams into arrays; two SEV firmware vulnerabilities that potentially affect the security of guest VMs on shared hosts; four low-level processor holes, the worst of which could result in privilege escalation; and 20 flaws in its embedded CPU products.

The most serious of the bunch, CVE-2024-0031, is "a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed," the Chocolate Factory warned.

News URL

https://go.theregister.com/feed/www.theregister.com/2024/02/14/patch_tuesday_feb_2024/