Microsoft's scheduled Patch Tuesday security update for February includes fixes for two zero-day security vulnerabilities under active attack, plus 71 other flaws across a wide range of its products.

In all, five of the vulnerabilities for which Microsoft issued a February patch were rated as critical, 66 as important, and two as moderate.

The update includes patches for Microsoft Office, Windows, Microsoft Exchange Server, the company's Chromium-based Edge browser, Azure Active Directory, Microsoft Defender for Endpoint, and Skype for business. Tenable identified 30 of the 73 CVEs as remote code execution (RCE) vulnerabilities; 16 as enabling privilege escalation; 10 as tied to spoofing errors; nine as enabling distributed denial-of-service attacks; five as information disclosure flaws; and three as security bypass issues.

A threat actor dubbed as Water Hydra (aka Dark Casino) is currently leveraging one of the zero-day vulnerabilities — an Internet Shortcut Files security feature bypass vulnerability tracked as CVE-2024-21412 (CVSS 8.1) — in a malicious campaign targeting organizations in the financial sector.

Researchers at Trend Micro — among several who discovered and reported the flaw to Microsoft — described it as tied to a bypass of a previously patched SmartScreen vulnerability (CVE-2023-36025, CVSS 8.8) and affecting all supported Windows versions. Water Hydra actors are using CVE-2024-21412 to gain initial access to systems belonging to financial traders and drop the DarkMe remote access Trojan on them.

To exploit the vulnerability, an attacker would first need to deliver a malicious file to a targeted user and get them to open it, said Saeed Abbasi, manager of vulnerability researcher at Qualys, in emailed commentary. "The impact of this vulnerability is profound, compromising security and undermining trust in protective mechanisms like SmartScreen," Abbasi said.

SmartScreen Bypass Zero-Day

The other zero-day that Microsoft disclosed in this month's security update affects Defender SmartScreen. According to Microsoft, CVE-2024-21351 is a medium-severity bug that allows an attacker to bypass SmartScreen protections and inject code into it to potentially gain remote code execution capabilities. A successful exploit could lead to limited data exposure, systems availability issues, or both, Microsoft said. No details are available on who exactly might be exploiting the bug and for what purpose.

In prepared comments for Dark Reading, Mike Walters, president and co-founder of Action1, said the vulnerability is tied to the manner in which Microsoft's Mark of the Web (a feature for identifying untrusted content from the Internet) interacts with the SmartScreen feature. "For this vulnerability, an attacker must distribute a malicious file to a user and persuade them to open it, allowing them to circumvent the SmartScreen checks and potentially compromise the system's security," Walters said.