With the Update Tuesday on February 14, Microsoft fixes a total of 77 security vulnerabilities. These include nine vulnerabilities that Microsoft classifies as critical and two 0-day vulnerabilities.
The critical vulnerabilities affect Windows, .NET, Word and Visual Studio, among others. Microsoft offers no details on the vulnerabilities in the security update guide.
Edge Browser Updates
The most recent security update for Edge is version 110.0.1587.41 from February 9. It is based on Chromium 110.0.5481.78 and fixes several vulnerabilities in the Chromium base as well as two Edge-specific vulnerabilities. With the switch to Chromium 110, Edge no longer runs on systems with Windows 7 or 8.x - like all Chromium-based browsers.
Windows Updates
36 of the vulnerabilities fixed this month are spread across the various versions of Windows (10 and newer), for which Microsoft still offers security updates for all. Windows 7 and 8.1 are no longer mentioned in the security reports, but could be vulnerable.
The CVE-2023-23376 vulnerability is in the driver of the common log file system and is already being exploited for attacks (0-day vulnerability). The gap was discovered by Microsoft's Threat Intelligence Center (MSTIC). This could mean that it is exploited by highly professional groups.
Microsoft has fixed four critical Remote Code Execution vulnerabilities in Windows. Three of them are in the Microsoft Protected Extensible Authentication Protocol (PEAP), one in the iSCSI Discovery service (CVE-2023-21803).
Office Updates
Microsoft has fixed six vulnerabilities in its Office line of products. According to Microsoft, the CVE-2023-21715 vulnerability in Publisher is already being exploited for attacks (0-day vulnerability). It can be used to defeat Office protection against malicious macros.
A Remote Code Execution vulnerability in Word (CVE-2023-21716) is classified as critical. The reason for this classification is that the Outlook preview can serve as an attack vector. If a prepared Word file is received as a mail attachment and displayed in the Outlook preview, injected code can be executed with user rights. The manufacturer identifies the other gaps as high risk.
Exchange Server and SQL Server Updates
Microsoft has fixed four Remote Code Execution vulnerabilities in Exchange Server. The manufacturer has also closed four Remote Code Execution vulnerabilities in Microsoft SQL Server. Microsoft identifies all of the vulnerabilities mentioned here as high risk.