Microsoft Security Update Guide: Critical Patch Tuesday Addresses 119 Vulnerabilities Including Zero-Day Exploits

Microsoft has released its March 2024 security update, addressing 119 vulnerabilities across Windows, Microsoft Office, Azure, and other enterprise products. This release includes patches for two zero-day vulnerabilities that attackers have been actively exploiting in the wild, along with critical remote code execution (RCE) flaws that could allow complete system compromise.

Zero-Day Exploits Under Active Attack

CVE-2024-21412 (CVSS 8.8): A Windows Internet Shortcut Files vulnerability enables attackers to bypass security prompts and execute arbitrary code when users open specially crafted internet shortcut files. Microsoft confirmed this vulnerability has been exploited in limited, targeted attacks. The flaw affects Windows 10, Windows 11, and Windows Server 2012-2022.

CVE-2024-21433 (CVSS 7.8): A Microsoft Office vulnerability allows attackers to gain elevated privileges through specially crafted documents. While less severe than the Windows zero-day, this flaw has also been observed in active exploitation campaigns targeting enterprise environments.

Critical Remote Code Execution Vulnerabilities

The update patches multiple critical RCE vulnerabilities that could enable complete system takeover:

• CVE-2024-21399 (CVSS 9.8): A Windows Hyper-V RCE vulnerability that allows attackers to execute code on the host system from a guest virtual machine. This affects all supported Windows Server versions and Windows 10/11 with Hyper-V enabled.

• CVE-2024-21444 (CVSS 9.8): A .NET Framework RCE vulnerability that could be exploited through malicious web applications or network services. Organizations running .NET applications should prioritize this patch.

• CVE-2024-21450 (CVSS 8.8): A Windows Kerberos RCE vulnerability that could allow attackers to compromise domain controllers through crafted Kerberos requests.

Affected Products and Versions

The security update impacts:

Windows Desktop: Windows 10 versions 1507 through 22H2, Windows 11 versions 21H2 and 22H2

Windows Server: 2012, 2012 R2, 2016, 2019, 2022 (all editions)

Microsoft Office: Office 2016, Office 2019, Office LTSC 2021, Microsoft 365 Apps

Developer Tools: .NET Framework 4.8, .NET 6.0, .NET 7.0, .NET 8.0

Cloud Services: Azure Stack HCI, Azure DevOps Server

Mitigation and Deployment Guidance

Immediate Actions Required

1. Prioritize Zero-Day Patches: Deploy KB5035855 (Windows) and KB5035845 (Office) immediately for systems exposed to internet or email threats.

2. Test in Staging: Microsoft recommends testing all patches in non-production environments before full deployment, particularly for Hyper-V and Kerberos updates which may affect authentication systems.

3. Verify Update Compliance: Use Microsoft's Update Compliance tool or WSUS to ensure all systems receive the updates.

Workarounds for Delayed Deployment

For organizations requiring additional testing time:

• CVE-2024-21412: Block internet shortcut files (.url) from untrusted sources via Group Policy: User Configuration > Administrative Templates > Windows Components > Attachment Manager

• CVE-2024-21433: Disable Office macros from untrusted locations through Trust Center settings

• CVE-2024-21399: Disable Hyper-V on systems not requiring virtualization, though this impacts functionality

Timeline and Release Details

• Release Date: March 12, 2024
• Update Type: Monthly Security Update (Patch Tuesday)
• Restart Required: Yes, for most Windows and Office updates
• Known Issues: Microsoft has documented three known issues in the release notes, including potential conflicts with certain third-party security software

Additional Security Considerations

Enhanced Protection Measures

Microsoft recommends enabling the following additional protections:

• Attack Surface Reduction Rules: Configure ASR rules to block Office applications from creating child processes
• Windows Defender Application Control: Implement WDAC policies to restrict untrusted applications
• Credential Guard: Enable on Windows 11 Enterprise and Windows Server 2022 for enhanced Kerberos protection

Monitoring and Detection

Security teams should monitor for exploitation attempts using:

• Microsoft Defender for Endpoint: Updated detection rules for the zero-day exploits
• Azure Sentinel: New hunting queries available in the March 2024 update pack
• Event Log Monitoring: Watch for Event ID 4625 (failed logon) spikes and suspicious Kerberos ticket requests

Impact Assessment

Organizations should conduct immediate risk assessment:

1. Inventory Systems: Identify all systems running affected Windows versions and Office installations
2. Prioritize Critical Assets: Focus on domain controllers, Hyper-V hosts, and internet-facing systems first
3. Review Exposure: Assess which systems could be targeted through the attack vectors (email, web downloads, network services)

Long-term Security Posture

This release highlights the ongoing importance of:

• Rapid Patch Deployment: The zero-day exploits demonstrate how quickly attackers weaponize vulnerabilities
• Defense-in-Depth: No single patch provides complete protection; layered security remains essential
• Continuous Monitoring: Even with patches deployed, monitoring for exploitation attempts remains critical

Resources and References

• Microsoft Security Update Guide - March 2024
• CVE-2024-21412 Detail
• CVE-2024-21433 Detail
• Microsoft Defender for Endpoint Detection Updates
• CISA Emergency Directive ED 24-02 (if applicable to your organization)

Conclusion

This Patch Tuesday release requires immediate attention due to the active exploitation of two zero-day vulnerabilities. Organizations should prioritize deployment of the critical updates, particularly for internet-facing systems and those handling untrusted documents. The severity of the Hyper-V and .NET vulnerabilities also warrants rapid patching across virtualized environments and application servers.

Microsoft has not indicated any workarounds that fully mitigate the zero-day vulnerabilities, making patch deployment the only complete solution. Security teams should verify successful deployment across all affected systems and monitor for any post-patch exploitation attempts.

For organizations with extended deployment cycles, consider implementing the suggested workarounds as temporary measures while planning patch deployment. However, these workarounds may impact functionality and should be tested thoroughly before implementation.

The March 2024 release continues Microsoft's pattern of addressing increasing complexity in vulnerability management, with multiple attack vectors and affected product categories requiring coordinated response across IT, security, and application teams.