Microsoft Tackles 73 Flaws in February 2024 Patch Update
Microsoft fixed 73 security flaws, including two zero-day vulnerabilities, in its February 2024 Patch Tuesday updates, a release the company presents as part of its ongoing commitment to cybersecurity. Its own software lineup received particular attention, with 24 flaws fixed in the Chromium-based Edge browser following the January 2024 Patch Tuesday updates. Other undisclosed vendors also released security updates to tackle vulnerabilities in areas like GDPR and privacy-focused browsers, data utilization, and ransomware protection.
The two zero-day vulnerabilities under active exploitation are tracked as CVE-2024-21351 and CVE-2024-21412. The former allows code injection into SmartScreen, potentially leading to data exposure or system unavailability. Exploitation requires the user to open a malicious file first, which adds a precondition the attacker has to meet. The second flaw, CVE-2024-21412, lets an unauthenticated attacker circumvent security checks by sending a specially crafted file to a targeted user. However, the user must click the file link for the attack to work.
The February 2024 patches show that SmartScreen remains a recurring target. Microsoft previously fixed a bug tracked as CVE-2023-36025, and CVE-2024-21351 is now the second bypass bug found in SmartScreen. The updates also addressed critical flaws in Microsoft Exchange Server, remote code execution flaws in the Microsoft WDAC OLE DB provider for SQL Server, and a design flaw in the DNSSEC specification.
Notably, a 24-year-old design flaw tracked as CVE-2023-50387 was also addressed. The flaw lies in the DNSSEC specification itself, and exploiting it enables denial-of-service attacks on DNS resolvers, which can cause extensive service outages.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) expects federal agencies to have applied these updates by March 5, 2024, which underlines the urgency of these patches. In fact, the agency has added these fixes to its Known Exploited Vulnerabilities catalog.
Microsoft also continues to release new versions of the Microsoft Edge Stable Channel, each incorporating the latest security updates. It is an ongoing effort, and one that Microsoft appears determined to sustain around the clock. For more detail on the zero-day patches and the other security updates, see Microsoft Defender SmartScreen for the former, and CVE-2023-50387 for the 24-year-old design flaw addressed in Microsoft's February 2024 Patch Tuesday security updates.