Microsoft’s February Patch Tuesday update addresses a total of 73 security flaws across its software lineup, encompassing both known vulnerabilities and newly discovered zero-days. Among the vulnerabilities patched, two zero-days, CVE-2024-21351 and CVE-2024-21412, are particularly concerning as they have been actively exploited by threat actors. These vulnerabilities, if left unpatched, could lead to severe consequences, including data exposure, system unavailability, and the execution of arbitrary code.
Of the 73 vulnerabilities addressed, five are classified as Critical, 65 as Important, and three as Moderate in severity. Notably, the patch includes fixes for 24 flaws in the Chromium-based Edge browser, further enhancing its security posture. The critical vulnerabilities encompass a range of issues, from denial-of-service vulnerabilities in Windows Hyper-V to remote code execution vulnerabilities in Microsoft Exchange Server and Outlook, underscoring the diverse threat landscape facing Microsoft’s software ecosystem.
The patch also resolves CVE-2023-50387, a 24-year-old design flaw in the DNSSEC specification, codenamed KeyTrap. This vulnerability, if exploited, could lead to denial-of-service attacks by exhausting CPU resources in DNS resolvers. Additionally, the update addresses 15 remote code execution flaws in the Microsoft WDAC OLE DB provider for SQL Server, mitigating the risk posed by attackers who attempt to exploit these vulnerabilities by luring a client into making an OLE DB connection to a malicious SQL server.