It’s the shortest month of the year, but February updates have been hitting the ground at lightning speed, with Microsoft, Ivanti, and Fortinet all patching zero-day flaws in their products. Zoom and Cisco also just squashed serious bugs, so it’s a good idea to check your software versions and update as soon as possible.
Here’s what you need to know about the patches released in February.
Microsoft
Microsoft’s February Patch Tuesday saw the software giant issue 73 patches, including two fixes for flaws already being used in attacks. The first is CVE-2024-21412, an Internet Shortcut Files security-feature-bypass vulnerability with a CVSS score of 8.1. To exploit the vulnerability, an unauthenticated attacker would send the targeted user a file designed to bypass security checks. However, an adversary would need to convince someone to click on the file link, Microsoft said.
The second is CVE-2024-21351, a Windows SmartScreen security-feature-bypass flaw affecting Windows server and desktop systems with a CVSS score of 7.6. Meanwhile, CVE-2024-21410 is a privilege-elevation flaw in Microsoft Exchange Server with a CVSS score of 9.8.
CVE-2024-21413 is a remote-code-execution issue in Microsoft Outlook with a critical CVSS score of 9.8. An attacker that successfully exploited this vulnerability could gain privileges including read, write, and delete functionality, Microsoft said.
Google Android
Google has released its February Android Security Bulletin, fixing 46 vulnerabilities in its mobile operating system. The most important flaw is CVE-2024-0031, an issue in the System component impacting Android Open Source Project versions 11, 12, 12L, 13, and 14.
The critical security vulnerability could lead to remote code execution with no additional execution privileges needed, Google said.
Google also patched six privilege-elevation bugs in the Framework, all of which have a high severity rating. A further three high-severity privilege-elevation issues were addressed in the System, tracked as CVE-2024-0014, CVE-2024-0033, and CVE-2024-0035.
Google has also released patches for its own Pixel devices, including a fix for CVE-2024-22012, an elevation of privilege issue in the Bootloader subcomponent rated as having a high severity.
The February security update is available for Google’s Pixel range and some Samsung devices in the Galaxy range.
Google Chrome
Google has issued 12 fixes for its widely used Chrome browser, including patches for two bugs rated as having a high impact. The first is CVE-2024-1669, an out-of-bounds memory-access issue in Blink.
Meanwhile, CVE-2024-1670 is a use-after-free flaw in Mojo. Of the bugs rated as having a medium severity, CVE-2024-1671 is an inappropriate implementation vulnerability in Site Isolation and CVE-2024-1673 is a use-after-free issue in Accessibility.
None of the bugs listed by Google have been used in attacks, but it still makes sense to check your Chrome version and update when you can.
Mozilla Firefox
Mozilla has released patches for 12 vulnerabilities in its privacy-focused browser Firefox, including four rated as having a high severity.
The first, CVE-2024-1546, is an out-of-bounds memory read bug in networking channels, while CVE-2024-1547 could see an alert dialog spoofed on another site.
CVE-2024-1553 and CVE-2024-1557 are memory-safety bugs rated as having a high severity. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla said.
Zoom
Video conferencing giant Zoom has issued fixes for seven flaws in its software, one of which has a CVSS score of 9.6. CVE-2024-24691 is an improper-input-validation bug in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows. If exploited, the issue may allow an unauthenticated attacker to escalate their privileges via network access, Zoom said in a security bulletin.
Another notable flaw is CVE-2024-24697, an untrusted-search-path issue in some 32-bit Zoom Windows clients that could allow an authenticated user with local access to escalate their privileges.
Ivanti
In January, Ivanti warned that attackers were targeting two unpatched vulnerabilities in its Connect Secure and Policy Secure products, tracked as CVE-2023-46805 and CVE-2024-21887. The first, an authentication-bypass vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure with a CVSS score of 8.2, allows a remote attacker to access restricted resources by bypassing control checks.
The second, a command-injection vulnerability in the web components of Ivanti Connect Secure and Ivanti Policy Secure with a CVSS score of 9.1, allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. Chained with the authentication bypass, it can be exploited over the internet without any credentials, which is how attackers were using it.
At the end of the month, the firm alerted companies to another two serious flaws, one of which was being exploited in attacks. The exploited issue is a server-side request forgery bug in the SAML component tracked as CVE-2024-21893. Meanwhile, CVE-2024-21888 is a privilege-escalation vulnerability.
Patches were available by February 1, but the issues were deemed so serious that the US Cybersecurity and Infrastructure Security Agency (CISA) directed federal agencies to disconnect all Ivanti Connect Secure and Policy Secure appliances from their networks by February 2.
On February 8, Ivanti released a patch for yet another issue, CVE-2024-22024, an XML external entity (XXE) vulnerability in the SAML component of Connect Secure, Policy Secure, and ZTA gateways, which prompted another CISA warning.
Fortinet
Fortinet has issued a patch for a critical issue with a CVSS score of 9.6, which it says is potentially being exploited in the wild and which CISA has since added to its Known Exploited Vulnerabilities catalog. Tracked as CVE-2024-21762, the flaw is an out-of-bounds write in the FortiOS SSL VPN component and affects FortiOS versions 6.0, 6.2, 6.4, 7.0, 7.2, and 7.4. A remote, unauthenticated attacker can use specially crafted HTTP requests to execute arbitrary code or commands, Fortinet said. Where patching is not immediately possible, Fortinet’s workaround is to disable SSL VPN entirely; disabling web mode alone is not sufficient.
It came just days after the firm released a patch for two issues in its FortiSIEM products, CVE-2024-23108 and CVE-2024-23109, both rated critical with a CVSS score of 9.7. The OS command-injection flaws in FortiSIEM Supervisor could allow a remote, unauthenticated attacker to execute unauthorized commands via crafted API requests, Fortinet said in an advisory.
Cisco
Cisco has disclosed multiple vulnerabilities in its Expressway Series that could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks.
Tracked as CVE-2024-20252 and CVE-2024-20254, two vulnerabilities in the API of Cisco Expressway Series devices have been given a CVSS score of 9.6. “An attacker could exploit these vulnerabilities by persuading a user of the API to follow a crafted link,” Cisco said. “A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.”
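The mechanism Cisco describes is the generic CSRF pattern: a logged-in user follows a crafted link, the browser attaches their session cookie, and a state-changing API call succeeds with their privileges. The following is an added illustration of that pattern and of the two standard defences (an Origin check and a per-session synchronizer token); it is example code written for this article, not Cisco’s Expressway code, and the session store, request shape, APP_ORIGIN and the password endpoint are all hypothetical.

```python
"""Added example (not Cisco's code): why a cookie-only API is CSRF-able and
what the Origin + synchronizer-token fix looks like. The session store,
request shape, APP_ORIGIN and the password endpoint are all hypothetical."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

APP_ORIGIN = "https://expressway.example.test"   # hypothetical API origin

# Constructed sample state: one logged-in session and its per-session token.
SESSIONS = {"sess-1": {"user": "admin", "csrf": secrets.token_hex(16)}}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


def request_origin(headers: dict) -> Optional[str]:
    """Origin the browser attached; fall back to the Referer's scheme://host."""
    if "Origin" in headers:
        return headers["Origin"]
    ref = headers.get("Referer")
    if ref:
        p = urlsplit(ref)
        return f"{p.scheme}://{p.netloc}"
    return None


def change_password_vulnerable(req: Request, users: dict) -> int:
    """Trusts the session cookie alone, so any page the victim visits can
    make their browser POST here with the cookie attached."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401
    users[sess["user"]] = req.body.get("new_password")
    return 200


def change_password_hardened(req: Request, users: dict) -> int:
    """Same endpoint with two independent CSRF defences."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401
    # 1. The request must come from our own origin; a cross-site page
    #    cannot forge the browser-set Origin/Referer headers.
    if request_origin(req.headers) != APP_ORIGIN:
        return 403
    # 2. A synchronizer token sent in a custom header: only same-origin
    #    script can read it, and the comparison is constant-time.
    token = req.headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403
    users[sess["user"]] = req.body.get("new_password")
    return 200


def forged_request() -> Request:
    """What the victim's browser sends after following the crafted link:
    session cookie present, Origin is the attacker's site, no token."""
    return Request("POST", "/api/users/password",
                   headers={"Origin": "https://attacker.example.test"},
                   cookies={"session": "sess-1"},
                   body={"new_password": "owned"})


def legit_request() -> Request:
    """A request from the application's own front end."""
    return Request("POST", "/api/users/password",
                   headers={"Origin": APP_ORIGIN,
                            "X-CSRF-Token": SESSIONS["sess-1"]["csrf"]},
                   cookies={"session": "sess-1"},
                   body={"new_password": "n3w-p4ss"})


if __name__ == "__main__":
    users = {"admin": "old"}
    print(change_password_vulnerable(forged_request(), users), users)  # 200, password overwritten
    users = {"admin": "old"}
    print(change_password_hardened(forged_request(), users), users)    # 403, unchanged
    print(change_password_hardened(legit_request(), users), users)     # 200
```

The two checks are deliberately independent: the Origin comparison fails closed when the header is absent, and the token check catches the case where an attacker controls a same-origin page (for example via the XSS discussed elsewhere in this roundup) but cannot read the victim’s token. Marking the session cookie SameSite=Lax or Strict adds a third layer at the browser.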
SAP
Enterprise software firm SAP has released 13 security updates as part of its SAP Security Patch Day. CVE-2024-22131 is a code-injection vulnerability in SAP ABA with a CVSS score of 9.1.
CVE-2024-22126 is a cross-site scripting vulnerability in NetWeaver AS Java listed as having a high impact, with a CVSS score of 8.8. “Incoming URL parameters are insufficiently validated and improperly encoded before including them into redirect URLs,” security firm Onapsis said. “This can result in a cross-site scripting vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.”
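The bug class Onapsis describes, a URL parameter that is neither validated nor encoded before it is placed into a redirect, is easy to reproduce outside SAP. The following added example (written for this article, not SAP’s NetWeaver code; function names and the HTML shape are hypothetical) shows a redirect page that reflects the raw parameter next to a version that allowlists same-site, path-only targets and HTML-escapes at the point of insertion, which closes both the script injection and the open-redirect variant.

```python
"""Added example (not SAP's code): a redirect page that reflects a URL
parameter without validation or encoding, next to a version that allowlists
the target and encodes it. Function names and the HTML shape are hypothetical."""
import html
from typing import Optional
from urllib.parse import quote, urlsplit


def redirect_page_vulnerable(target: str) -> str:
    """Pastes the raw ?target= value into an attribute and a text node."""
    return (f'<html><head><meta http-equiv="refresh" content="0;url={target}">'
            f'</head><body>Redirecting to <a href="{target}">{target}</a>'
            f'</body></html>')


def safe_target(target: str) -> Optional[str]:
    """Allowlist: same-site, path-only targets. Rejecting any scheme or host
    removes javascript: URLs and open redirects; re-encoding the path and
    query removes quote/angle-bracket characters before they reach HTML."""
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return None
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return None
    path = quote(parts.path, safe="/")
    if parts.query:
        return path + "?" + quote(parts.query, safe="=&")
    return path


def redirect_page_hardened(target: str, fallback: str = "/") -> str:
    """Validate first, then HTML-escape at the point of insertion."""
    dest = html.escape(safe_target(target) or fallback, quote=True)
    return (f'<html><head><meta http-equiv="refresh" content="0;url={dest}">'
            f'</head><body>Redirecting to <a href="{dest}">{dest}</a>'
            f'</body></html>')


# Constructed probes: a script-injection payload and an off-site redirect.
XSS_PROBE = '"><script>alert(document.cookie)</script>'
OFFSITE = "https://attacker.example.test/phish"

if __name__ == "__main__":
    print(redirect_page_vulnerable(XSS_PROBE))   # payload lands verbatim in the page
    print(redirect_page_hardened(XSS_PROBE))     # falls back to "/"
    print(safe_target("/dashboard?tab=1"))       # /dashboard?tab=1
    print(safe_target(OFFSITE))                  # None
```

Validation and encoding are separate steps on purpose: encoding alone would still let `https://attacker.example.test/phish` through as a working open redirect, and validation alone would still let a quote character in an otherwise acceptable path break out of the `href` attribute.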