And, as you know, it’s the second Tuesday of the month, which means that Windows users are looking towards the tech giant in hopes that some of the flaws they’ve been struggling with will finally get fixed. We have already taken the liberty of providing the direct download links for the cumulative updates released today for Windows 7, 8.1, 10, and 11, but now it’s time to talk CVEs again. For February, Microsoft released 75 new patches, which is still more than some people were expecting for the second month of 2023. These software updates address CVEs in:
Windows and Windows components Office and Office Components Exchange Server .NET Core and Visual Studio Code 3D Builder and Print 3D Microsoft Azure and Dynamics 365 Defender for IoT and the Malware Protection Engine Microsoft Edge (Chromium-based)
You probably want to know more on the matter, so let’s dive right into it and see what all the fuss is about this month.
Microsoft released 75 new important security patches
January 2023 was a pretty packed month in terms of security patches, so developers decided to take a breather and release fewer updates. You might like to know that, out of the 75 new CVEs released, only nine are rated Critical and 66 are rated Important in severity by security experts. Furthermore, keep in mind that this is one of the largest volumes we’ve seen from Microsoft for a February release in quite some time. We have to say that it is a bit unusual to see half of the Patch Tuesday release address remote code execution (RCE) bugs. Remember that none of the new CVEs released this month are listed as publicly known, but there are two bugs listed as being exploited in the wild at the time of release. That being said, let’s take a closer look at some of the more interesting updates for this month, starting with the bugs under active attack. Note that there are three CVSS 9.8 bugs in Microsoft’s Protected Extensible Authentication Protocol (PEAP), but it doesn’t seem that this protocol is used much anymore. SPONSORED Frankly, we find CVSS 9.8 bug in the iSCSI Discovery Service a lot more alarming, as data centers with storage area networks (SANs) should definitely check with their vendors to see if their SAN is impacted by the RCE vulnerability. Please take into consideration the fact that the bug in SQL would require someone to connect to a malicious SQL server via ODBC. There are no Print Spooler bugs getting fixed this month, but there are two bugs in the PostScript Printer Driver that could allow an authenticated attacker to take over a system sharing a printer. Actually, there are quite a few fixes for SQL Server, and exploiting these would require an affected system to connect to a malicious SQL Server, typically through ODBC. Experts say that, while that seems unlikely, they are worried about the various servicing scenarios between all the available versions of SQL Server. We also have to mention the bug in Azure Data Box Gateway, which requires high privileges to exploit, but that’s not the case for Azure DevOps Server vulnerability. To get access, an attacker only needs to have only Run access to the pipeline, but not every pipeline is vulnerable. Unfortunately, the tech giant doesn’t provide information on how to distinguish the affected and non-affected pipelines. The Dynamics bug does require authentication, an attacker might be able to call the target’s local files in the Resources directory and execute Windows commands that are outside of the Dynamics application. There are also a couple of RCE bugs, but they do allow us to remind you the Fax Service is still a thing, so the final RCE bug is the lone Moderate-rated bug this month for Edge (Chromium-based). Feel free to check each individual CVE and find out more about what it means, how it manifests, and what scenarios can malicious third parties use to exploit them. Have you found any other issues after installing this month’s security updates? Share your experience with us in the comments section below.
Name *
Email *
Commenting as . Not you?
Save information for future comments
Comment
Δ
