73 vulnerabilities eliminated: Patch Tuesday strengthens Windows cyber defenses

Microsoft's next security update is now available for download.

Microsoft's latest Patch Tuesday update, released in February 2024, addresses 73 vulnerabilities in the company's software, including two zero-day vulnerabilities that are actively exploited by attackers, and one truly ancient vulnerability that has existed in Windows for 24 years.

Among the patched vulnerabilities, 5 were rated "critical", 65 "important", and 3 "moderate". In addition, 24 flaws were fixed in Edge, Microsoft's proprietary Chromium-based browser.

Special attention is drawn to two vulnerabilities that were actively exploited at the time of the update release:
  • CVE-2024-21351 (CVSS score 7.6), a Windows SmartScreen protection bypass;
  • CVE-2024-21412 (CVSS score 8.1), which allows bypassing protection in Internet shortcut files.

Microsoft highlighted the severity of CVE-2024-21351, noting that an attacker could inject code and potentially achieve code execution, which could lead to data leaks or system failures. CVE-2024-21412, in turn, allows an unauthenticated attacker to bypass security measures by sending a specially crafted file to a potential victim.

Both vulnerabilities were added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), with a recommendation that U.S. federal agencies apply the necessary updates by March 5, 2024.

In addition, five other critical vulnerabilities were fixed:
  • CVE-2024-20684 (CVSS score 6.5), a denial-of-service vulnerability in Windows Hyper-V;
  • CVE-2024-21357 (CVSS score 7.5), a remote code execution vulnerability in Windows Pragmatic General Multicast (PGM);
  • CVE-2024-21380 (CVSS score 8.0), a vulnerability in Microsoft Dynamics Business Central / NAV leading to information disclosure;
  • CVE-2024-21410 (CVSS score 9.8), a privilege escalation vulnerability in Microsoft Exchange Server;
  • CVE-2024-21413 (CVSS score 9.8), a remote code execution vulnerability in Microsoft Outlook.

The update also fixes CVE-2023-50387 (CVSS score 7.5), a fundamental flaw in the DNSSEC specification that had existed for 24 years. It could be used to exhaust CPU resources and block DNS resolvers, causing denial of service.

In recent weeks, many other vendors besides Microsoft have also released security updates that fix various vulnerabilities. Among them are Adobe, AMD, ASUS, Cisco, Intel, Ivanti, Lenovo and many others, which highlights the scale of the work being done to ensure cybersecurity in the digital space.
 