February 2024 Patch Tuesday forecast: Zero days are back and a new server too


January 2024 Patch Tuesday is behind us. A relatively light release from Microsoft with 39 CVEs addressed in Windows 10, 35 in Windows 11, and surprisingly no zero-day vulnerabilities from Microsoft to start the new year.

January’s release was a bit unusual in that we didn’t have any updates for Office 2013 and Office 2016, only the online, click-to-run versions had a single-CVE update. That lull didn’t last long as the zero-day treadmill has started up again as I’ll discuss shortly. But first, there’s a preview of a new server available.

Microsoft Server 2025

Microsoft announced Server 2025 is now available on the Windows Server Insider Channel. While they haven’t given an official public availability date, it is expected to be generally available this fall if it follows the Server 2022 pattern. Microsoft introduced the update process called ‘flighting’ for these preview builds, allowing automatic or manual in-place updates approximately every two weeks without needing a new install every time.

The new features planned for Server 2025 were announced at Microsoft Ignite last fall. Hot features include an option to subscribe as needed through Azure Arc (which is also getting an update), some Active Directory storage and security updates, communications security updates with SMB over Quick UDP (QUIC), and hotpatching. Hotpatching will provide real-time updates to the running system in memory without the need for an immediate reboot to take effect. It’s still early in the release process, but if you are curious to test out the latest server technology, it is now available.

Apple, Google, Ivanti, and Microsoft

The first zero-day announcements and some software releases from Apple, Google, Ivanti, and Microsoft have hit the streets. Apple released updates for all the operating systems on January 22 and Safari 17.3 for Monterey and Ventura macOS. These updates included a fix for CVE-2024-23222 which allows maliciously crafted web content to conduct arbitrary code execution. Apple reported that this is known to be exploited in the wild but did not give any details.

Google released the Stable Channel updates 120.0.6099.234 for Mac, 120.0.6099.224 for Linux, and 120.0.6099.224/225 to Windows back on January 16. These releases addressed CVE-2024-0519, which provides out-of-bounds memory access in the V8 engine. Like Apple, they reported this is known to be exploited in the wild but without any details.

A zero-day vulnerability called EventLogCrasher was reported for all versions of Windows, but Microsoft believes it is the same issue reported back in 2022. A successful attack can crash the event logging service, which could hide additional activity on the system. Microsoft said an update would address this in the future. As always, zero-day updates should be applied in a timely manner because they are known to be exploited, and it is only a matter of time before the attackers reach your systems.

Microsoft released their monthly non-security preview patch for Windows 10 22H2, Windows 11 22H2, and Windows 11 23H2 on January 23. But note per Microsoft “After February 2024, there are no more optional, non-security preview releases for Windows 11, version 22H2. Only cumulative monthly security updates (known as the “B” or Update Tuesday release) will continue for this version. Windows 11, version 23H2 and Windows 10, version 22H2 will continue to receive security and optional releases.”

Ivanti has patches for five CVEs affecting their Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways. Three of these vulnerabilities have been exploited in the wild and Ivanti is encouraging customers to patch immediately.

February 2024 Patch Tuesday forecast

  • Microsoft should be back up to speed with a full set of new releases this month. Expect all the OS, Office, SharePoint and Exchange server updates. There was a .NET framework update last month but we’ll have to wait and see what comes next week. For those of you still using Server 2012 and 2012 R2, updates will be available with ESU licensing.
  • The last Adobe Acrobat and Reader security update came back in November 2023 so don’t be surprised if you see on this month.
  • Apple released a wide range of OS updates on January 22, so it’s unlikely another set of updates will follow so closely around Patch Tuesday. The January updates should already be in place on your machines.
  • Google released a Chrome Beta for Desktop 122.0.6261.18 for Windows, Mac, and Linux back on January 31. Be on the lookout for the formal update to come out later this week or early for Patch Tuesday week. These updates are cumulative so it will contain the fix for CVE-2024-0519 mentioned earlier.
  • Mozilla released Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7 on January 23rd. The Firefox update included 5 CVEs rated High and 10 rated Moderate. They may not release another set of updates so if you didn’t include these in your last patch cycle, make sure you do next week.

We should see an increase in the number of patches released on Patch Tuesday next week. Be on the lookout for zero-day updates and give them the priority they deserve. And after you’re done working through the second Patch Tuesday of the year, don’t forget it’s Valentine’s Day – Wednesday!



Source link