Forget Patch Tuesday: it’s Take Action Thursday as Microsoft confirms Windows zero-day double-header

Microsoft has confirmed two zero-day vulnerabilities impacting Windows users. Both zero-days were fixed in the monthly round-up of security updates, 73 in all, known as Patch Tuesday. With good reason, yesterday is also known as Exploit Wednesday: threat actors try to use the window between the disclosure of a vulnerability and the application of its fix to attack as many targets as possible.

Today should rightly be called Take Action Thursday, especially as far as the zero-day fixes are concerned. Here’s what security experts told TechFinitive about the actively exploited zero-day vulnerabilities.

CVE-2024-21351 Windows zero-day vulnerability

The first of the two zero-days is CVE-2024-21351, a security feature bypass in Windows SmartScreen, the function that can warn users about a potentially malicious file or block it from running.

“As is common for Microsoft patch notes, very few details are available to network defenders,” says Kev Breen, Senior Director Threat Research at Immersive Labs. However, Breen says it’s important to note that “this vulnerability alone is not enough for an attacker to compromise a user’s workstation and would be used in conjunction with something like a spear phishing attack that delivers a malicious file.”

Meanwhile, Adam Barnett, Lead Software Engineer at Rapid7, picked up on the language used in describing the vulnerability, telling us that “other critical SmartScreen bypass vulnerabilities from the past couple of years have not included language describing code injection into SmartScreen itself, focusing instead on the security feature bypass only.”

This is important as it suggests that exploitation could allow “code injection into SmartScreen to achieve remote code execution.”

CVE-2024-21412 Windows zero-day vulnerability

The second Windows zero-day vulnerability is also of the security feature bypass variety, this time concerning the handling of Internet Shortcut files.

Kevin Simzer, COO at Trend Micro, the organisation which disclosed this one, says that CVE-2024-21412 “is being actively exploited by a financially motivated APT group to compromise foreign exchange traders participating in the high-stakes currency trading market.”

More specifically, it’s part of a sophisticated zero-day attack chain “designed to infect victims with the DarkMe remote access trojan (RAT) for potential data theft and ransomware,” Simzer says.

Rapid7’s Barnett points out that “if further evidence were ever needed that clicking Internet Shortcut files from unknown sources is typically a bad idea, CVE-2024-21412 provides it.”

Finally, Saeed Abbasi, Product Manager, Vulnerability Research, Qualys Threat Research Unit, says that the vulnerability is exploited “via a specially crafted file delivered through phishing tactics, which cleverly manipulates internet shortcuts and WebDAV components to bypass the displayed security checks.”

Although exploitation requires user interaction, the impact, Abbasi concludes, “is profound, compromising security and undermining trust in protective mechanisms like SmartScreen”.
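As an added illustration of what defenders can check on an endpoint (this is not code from the article or from any of the quoted vendors): a small Python triage helper that parses an Internet Shortcut (.url) file and its Zone.Identifier stream and flags a remote share target, WebDAV-style host@port syntax, or a missing Internet-zone Mark of the Web. The sample shortcuts and the IP address are constructed; the zone numbers follow the standard Windows URL security zones.

```python
import configparser
import re

# Constructed sample inputs (not real artefacts from the article).
BENIGN = "[InternetShortcut]\nURL=https://www.example.com/\n"
REMOTE = "[InternetShortcut]\nURL=\\\\203.0.113.5@80\\share\\notes.txt\n"
MOTW_INTERNET = "[ZoneTransfer]\nZoneId=3\n"   # 3 = Internet zone, i.e. MotW present

def shortcut_target(text):
    """Return the URL= value of a .url file, or None if it is not an Internet Shortcut."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)

def zone_id(ads_text):
    """Parse a Zone.Identifier alternate data stream; None when no zone is recorded."""
    if not ads_text:
        return None
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ads_text)
    return cp.getint("ZoneTransfer", "ZoneId", fallback=None)

def assess_shortcut(text, ads_text=None):
    """Return a list of findings for a .url file and its optional Zone.Identifier stream."""
    findings = []
    target = shortcut_target(text)
    if target is None:
        return ["not an InternetShortcut file"]
    # Normalise: drop a leading file: scheme and treat backslashes as slashes.
    norm = re.sub(r"^file:", "", target, flags=re.I).replace("\\", "/")
    if norm.startswith("//") and not re.match(r"/+[A-Za-z]:/", norm):
        host = norm.lstrip("/").split("/", 1)[0]
        findings.append("target is a remote share: " + host)
        # host@80 / host@443 / host@SSL is the syntax Windows uses for WebDAV shares.
        if re.search(r"@(80|443|ssl)$", host, re.I):
            findings.append("WebDAV-style host syntax (host@port)")
    # Zones 3 (Internet) and 4 (Restricted) are the ones SmartScreen treats as untrusted.
    if zone_id(ads_text) not in (3, 4):
        findings.append("shortcut carries no Internet-zone Mark of the Web")
    return findings

if __name__ == "__main__":
    print(assess_shortcut(BENIGN, MOTW_INTERNET))
    print(assess_shortcut(REMOTE))
```

On a live system the second argument comes from reading the `<file>:Zone.Identifier` stream, which is only present on NTFS volumes.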

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.