Security News The February 2024 Security Update Review

[Gandalf_The_Grey]

Content source

https://www.zerodayinitiative.com/blog/2024/2/13/the-february-2024-security-update-review

It’s the second patch Tuesday of the year, and Adobe and Microsoft have released a fresh crop of security updates just in time to be our Valentine. Take a break from your other activities and join us as we review the details of their latest advisories. For those interested in the Microsoft 0-day discovered by the ZDI Threat Hunting Team, you can watch this special edition of the Patch Report:



If you’d rather watch the full video recap covering the entire release, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.

Adobe Patches for February 2024

For February, Adobe released six patches addressing 29 CVEs in Adobe Acrobat and Reader, Commerce, Substance 3D Painter, FrameMaker Publishing Server, Audition, and Substance 3D Designer. A total of four of these bugs were reported through the ZDI program. If you need to prioritize, I would suggest starting with the update for Acrobat and Reader. The patch fixes five Critical-rated arbitrary code execution bugs that are often used in phishing and ransomware campaigns. The fix for Commerce also has a couple of Critical-rated code execution bugs being addressed. Considering this is an aptly named commerce platform, rolling patches quickly here also makes sense.

The updates for Substance 3D Painter and Substance 3D Designer address nine and one bug respectively. The most severe of these would result in arbitrary code execution, but they also require user interaction – something like opening a specially crafted file or browsing to a malicious URL. The patch for the FrameMaker Publishing Server (not to be confused with FrameMaker itself) fixes a security feature bypass (SFB) that’s rated at a CVSS 9.8. Although not specifically stated, that reads like either a complete authentication bypass or hard-coded credentials. The final patch for Adobe Audition corrects a single heap-based buffer overflow that could lead to arbitrary code execution.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for February 2024

This month, Microsoft released 72 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and ASP.NET; SQL Server; Windows Hyper-V; and Microsoft Dynamics. In addition to the new CVEs, multiple Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 78. Two of these bugs were reported through the ZDI program, including one of the bugs under active attack.

Of the new patches released today, five are rated Critical, 65 are rated Important, and two are rated Moderate in severity. This is a relatively typical volume of fixes for a February release, and so far, the number of fixes from Adobe and Microsoft is lower than last year over the same time. It will be interesting to see if this trend continues throughout 2024.

Two of these CVEs are listed as under active attack at the time of release, although neither is listed as publicly known.

Looking Ahead

The next Patch Tuesday of 2024 will be on March 12, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Zero Day Initiative — The February 2024 Security Update Review

A review of Adobe and Microsoft security patches for the month of February 2024.

www.zerodayinitiative.com

 

[Bot]

The February 2024 security updates from Adobe and Microsoft have been released, addressing several vulnerabilities in their respective products.

Adobe has released six patches addressing a total of 29 CVEs (Common Vulnerabilities and Exposures). The patches cover vulnerabilities in Adobe Acrobat and Reader, Commerce, Substance 3D Painter, FrameMaker Publishing Server, Audition, and Substance 3D Designer. Four of these vulnerabilities were reported through the Zero Day Initiative (ZDI) program. The most critical patch is for Acrobat and Reader, which fixes five Critical-rated arbitrary code execution bugs that are often exploited in phishing and ransomware campaigns. The Commerce patch also addresses Critical-rated code execution bugs. The Substance 3D Painter and Substance 3D Designer patches fix nine and one bug respectively, with the most severe allowing arbitrary code execution but requiring user interaction. The FrameMaker Publishing Server patch addresses a security feature bypass (SFB) vulnerability, which could potentially lead to an authentication bypass or hard-coded credentials. Lastly, the Adobe Audition patch corrects a heap-based buffer overflow that could result in arbitrary code execution. None of the vulnerabilities fixed by Adobe this month are publicly known or under active attack at the time of release.

Microsoft's February patches include 72 new updates covering vulnerabilities in Microsoft Windows and Windows Components, Office and Office Components, Azure, .NET Framework and ASP.NET, SQL Server, Windows Hyper-V, and Microsoft Dynamics. Additionally, multiple Chromium bugs are being addressed, bringing the total number of CVEs to 78. Two of these vulnerabilities were reported through the ZDI program, and one of them is under active attack. Out of the new patches, five are rated Critical, 65 are rated Important, and two are rated Moderate in severity. This is a typical volume of fixes for a February release, and the number of fixes from Adobe and Microsoft is lower than last year at the same time. It remains to be seen if this trend will continue throughout 2024. Two of the CVEs addressed in the Microsoft patches are listed as under active attack, but neither is publicly known.

Overall, it is important for users to apply these security updates promptly to protect their systems from potential exploits.

 

[Gandalf_The_Grey]

Microsoft February 2024 Patch Tuesday fixes 2 zero-days, 74 flaws

Today is Microsoft's February 2024 Patch Tuesday, which includes security updates for 74 flaws and two actively exploited zero-days.

This Patch Tuesday fixes five critical vulnerabilities, including denial of service, Remote code execution, information disclosure, and elevation of privileges vulnerabilities.

The number of bugs in each vulnerability category is listed below:

• 16 Elevation of Privilege Vulnerabilities
• 3 Security Feature Bypass Vulnerabilities
• 30 Remote Code Execution Vulnerabilities
• 5 Information Disclosure Vulnerabilities
• 9 Denial of Service Vulnerabilities
• 10 Spoofing Vulnerabilities

The total count of 74 flaws does not include 6 Microsoft Edge and 1 Mariner flaw fixed on February 8th.

To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5034765 cumulative update.

Microsoft February 2024 Patch Tuesday fixes 2 zero-days, 74 flaws

Today is Microsoft's February 2024 Patch Tuesday, which includes security updates for 74 flaws and two actively exploited zero-days.

www.bleepingcomputer.com

 

[Gandalf_The_Grey]

The Windows Security Updates for February 2024 are here

This is the Microsoft Windows security updates overview for February 2024. Microsoft patched 73 different security vulnerabilities in its products and six non-Microsoft vulnerabilities on today's Patch Day.

Our overview is a helpful resource for administrators and home users alike. It lists all relevant security updates as well as known issues. You get information on each of the updates and links to official Microsoft support pages.

You also find an Excel spreadsheet with the list of released updates and download instructions below among other information.

The Windows Security Updates for February 2024 are here - gHacks Tech News

This is an overview of the Microsoft Windows February 2024 security updates releases for system administrators and home users.

www.ghacks.net