February was a busy month for Microsoft customers, as the company released 72 patches and 21 advisories to address various vulnerabilities in its products. The patches included fixes for 43 vulnerabilities in Windows alone, with 12 other product groups or tools also affected. Five of the addressed vulnerabilities were classified as Critical by Microsoft and impacted Windows, Office, Exchange, and Dynamics 365.
At the time of the patch release, two of the issues were already being exploited in the wild, although none had been publicly disclosed. Additionally, eight vulnerabilities in Windows, Office, and Exchange were deemed more likely to be exploited in the next 30 days. One of the critical-severity issues, with a CVSS base score of 9.8, was an elevation-of-privilege vulnerability.
In addition to the Microsoft patches, the release also included information on six Chromium/Edge-related vulnerabilities, one MITRE-issued vulnerability related to a DNS issue, and 13 Adobe advisories related to Acrobat Reader. While these advisories were not included in the CVE counts, detailed information about them is available in an appendix at the end of the article.
Among the notable updates in February was a group of 15 CVEs that shared the same severity (Important), impact (Remote Code Execution), and CVSS base score (8.8). Another notable patch addressed an elevation-of-privilege vulnerability in Microsoft’s Entra Jira Single-Sign-On Plugin, which had a critical-level 9.8 CVSS base score.
Another critical-severity vulnerability affected Microsoft Exchange Server, allowing attackers to relay a user’s leaked Net-NTLMv2 hash and authenticate as the user. This vulnerability was expected to be exploited within the next 30 days. Microsoft also released patches for an important-severity remote code execution vulnerability in Outlook and an information disclosure issue in Teams for Android.
Overall, February’s patch release focused heavily on Windows, with a significant number of fixes for Windows Defender Application Control. While the total number of patches for the year so far is lower compared to previous years, Microsoft customers should still prioritize the installation of these updates to ensure the security of their systems.
Sophos, a cybersecurity company, provided protections for six of the vulnerabilities addressed in the February patches. The information on these protections is available in a table provided in the article.
For customers who prefer to manually download Microsoft’s updates, they can visit the Windows Update Catalog website and download the appropriate Cumulative Update package for their specific system’s architecture and build number.
Appendices at the end of the article provide additional information on vulnerability impact and severity, as well as lists of all the patches sorted by severity, predicted exploitability, and product family.
In conclusion, Microsoft’s February patch release included a significant number of fixes for various vulnerabilities affecting its products. Customers are advised to prioritize the installation of these updates to protect their systems from potential exploitation.