Follow Wired

Here are the Google and Microsoft security updates you need right now

Plus: Mozilla patches 12 flaws in Firefox, Zoom fixes seven vulnerabilities, and more critical updates from February.

 Illustration: WIRED Staff

It’s the shortest month of the year, but February updates have been hitting the ground at lightning speed, with Microsoft, Ivanti, and Fortinet all patching zero-day flaws in their products. Zoom and Cisco also just squashed serious bugs, so it’s a good idea to check your software versions and update as soon as possible.

Here’s what you need to know about the patches released in February.

Microsoft

Microsoft’s February Patch Tuesday saw the software giant issue 73 patches, including two fixes for flaws already being used in attacks. The first is CVE-2024-21412, an Internet Shortcut Files vulnerability with a CVSS score of 8.1. To exploit the vulnerability, an unauthenticated attacker would send the targeted user a file designed to bypass security checks. However, an adversary would need to convince someone to click on the file link, Microsoft said.

The second is CVE-2024-21351, a Windows SmartScreen security-feature-bypass flaw affecting Windows server and desktop systems with a CVSS score of 7.6. Meanwhile, CVE-2024-21410 is a privilege-elevation flaw in Microsoft Exchange Server with a CVSS score of 9.8.

CVE-2024-21413 is a remote-code-execution issue in Microsoft Outlook with a critical CVSS score of 9.8. An attacker that successfully exploited this vulnerability could gain privileges including read, write, and delete functionality, Microsoft said.

Google Android

Google has released its February Android Security Bulletin, fixing 46 vulnerabilities in its mobile operating system. The most important flaw is CVE-2024-0031, an issue in the System component impacting Android Open Source Project versions 11, 12, 12L, 13, and 14.

The critical security vulnerability could lead to remote code execution with no additional execution privileges needed, Google said.

Google has also released patches for its own Pixel devices, including a fix for CVE-2024-22012, an elevation of privilege issue in the Bootloader subcomponent rated as having a high severity.

The February security update is available for Google’s Pixel range and some Samsung devices in the Galaxy range.

Google Chrome

Google has issued 12 fixes for its widely used Chrome browser, including patches for two bugs rated as having a high impact. The first is CVE-2024-1669, an out-of-bounds memory-access issue in Blink.

Meanwhile, CVE-2024-1670 is a use-after-free flaw in Mojo. Of the bugs rated as having a medium severity, CVE-2024-1671 is an inappropriate implementation vulnerability in Site Isolation and CVE-2024-1673 is a use-after-free issue in Accessibility.

None of the bugs listed by Google have been used in attacks, but it still makes sense to check your Chrome version and update when you can.

Mozilla Firefox

Mozilla has released patches for 12 vulnerabilities in its privacy-focused browser Firefox, including four rated as having a high severity.

The first, CVE-2024-1546, is an out-of-bounds memory read bug in networking channels, while CVE-2024-1547 could see an alert dialog spoofed on another site.

CVE-2024-1553 and CVE-2024-1557 are memory-safety bugs rated as having a high severity. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla researchers said.

Zoom

Video conferencing giant Zoom has issued fixes for seven flaws in its software, one of which has a CVSS score of 9.6. CVE-2024-24691 is an improper-input-validation bug in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows. If exploited, the issue may allow an unauthenticated attacker to escalate their privileges via network access, Zoom said in a security bulletin.

Another notable flaw is CVE-2024-24697, an untrusted-search-path issue in some Zoom 32 bit Windows clients that could allow an authenticated user with local access to escalate their privileges.

Ivanti

In January, Ivanti warned that attackers were targeting two unpatched vulnerabilities in its Connect Secure and Policy Secure products, tracked as CVE-2023-46805 and CVE-2024-21887. With a CVSS score of 8.2 the first authentication-bypass vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

With a CVSS score of 9.1, the second command injection vulnerability in web components of Ivanti Connect Secure and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet.

At the end of the month, the firm alerted companies to another two serious flaws, one of which was being exploited in attacks. The exploited issue is a server-side request forgery bug in the SAML component tracked as CVE-2024-21893. Meanwhile, CVE-2024-21888 is a privilege-escalation vulnerability.

Patches were available by February 1, but the issues were deemed so serious that the US Cybersecurity and Infrastructure Security Agency (CISA) advised disconnecting all Ivanti products by February 2.

On February 8, Ivanti released a patch for yet another issue tracked as CVE-2024-22024, which prompted another CISA warning.

Fortinet

Fortinet has issued a patch for a critical issue with a CVSS score of 9.6, which it says is already being used in attacks. Tracked as CVE-2024-21762, the code-execution flaw impacts FortiOS versions 6.0, 6.2, 6.4, 7.0, 7.2 and 7.4. The out-of-bounds write vulnerability can be used for arbitrary code execution using specially crafted HTTP requests, Fortinet said.

It came just days after the firm released a patch for two issues in its FortiSIEM products, CVE-2024-23108 and CVE-2024-23109, rated as critical with a CVSS score of 9.7. The flaw in FortiSIEM Supervisor could allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests, Fortinet said in an advisory.

Cisco

Cisco has listed multiple vulnerabilities in its Expressway Series that could allow an unauthenticated, remote attacker to conduct cross-site request forgery attacks.

Tracked as CVE-2024-20252 and CVE-2024-20254, two vulnerabilities in the API of Cisco Expressway Series devices have been given a CVSS score of 9.6. “An attacker could exploit these vulnerabilities by persuading a user of the API to follow a crafted link,” Cisco said. “A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.”

SAP

Enterprise software firm SAP has released 13 security updates as part of its SAP Security Patch DayCVE-2024-22131 is a code-injection vulnerability in SAP ABA with a CVSS score of 9.1.

CVE-2024-22126 is a cross-site scripting vulnerability in NetWeaver AS Java listed as having a high impact, with a CVSS score of 8.8. “Incoming URL parameters are insufficiently validated and improperly encoded before including them into redirect URLs,” security firm Onapsis said. “This can result in a cross-site scripting vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.”

Read more on wired.com

More great stories from WIRED

🪩 The tech behind Taylor Swift’s concert wristbands

🤳 Are you looking for the best dumb phones in 2023?

🦄 The 2023 top startups in MENA, who’s the next unicorn?

🧀 Italian cheesemakers are putting microchips in their Parmesan

🖤 The pros and cons of tattoos

🥦 Your genes can make it easier (or harder) to be a vegetarian

✨ And be sure to follow WIRED Middle East on Instagram, Twitter, Facebook, and LinkedIn

 
 

 

RECOMMENDED

Suggestions
Articles
View All
Topics