Microsoft releases its February security patch addressing over 50 common vulnerabilities and exposures (CVE).
The good news is, out of the 50 vulnerabilities, the tech company deemed no critical bugs in the lot.
However, experts are still recommending to not delay applying the security patch.
- Windows 10 update causing trouble especially with PC gamers
- Google fights off zero-day vulnerability in new Chrome update
- Google alerts users of four high-level vulnerabilities, urges them to update Chrome now
- Microsoft discovers new multiple vulnerabilities, Microsoft Defender the most concerning
Microsoft addresses 50 vulnerabilities in the February security patch –– none of them critical
Take note: the total 51 vulnerabilities still do not include the around 19 Chromium patches concerning the Microsoft Edge browser that was also released this month.
According to the security experts tasked with keeping this month’s tallies described the count as to be rather low in number, but it’s “in line with February patches from previous years,” says Dustin Childs of Trend Micro, in his Zero Day Initiative patch analysis.
Additionally, security solutions firm Automox counted a total of 48 vulnerabilities in this month’s Microsoft bundle. On the company’s commentary page, it is noted that the number represents a “50% drop from January’s total and a 36% reduction of the 12-month rolling average.”
What are these vulnerabilities discovered?
As the usual targets, Windows and Office applications are the affected software this month. As also summarized in Microsoft’s “Release Notes”, Windows Print Spooler is getting another patch this month too. This has been the case each month ever since the so-called “PrintNightmare” vulnerabilities were exposed last year.
The Print Spooler vulnerabilities that are getting patches this month are the following:
No critical-rates CVEs
Good thing, there are no critical-rated CVEs discovered this month. This is a very uncommon event for Microsoft as it looks like every month there’s always at least one.
However, all of the patches were addressed “Important”-rated issues, except for one “Moderate”-rated patch.
Only one CVE was already publicly known before Microsoft’s Tuesday announcement. This is the elevation-of-privilege vulnerability (CVE-2022-21989) in Windows kernels. This takes advantage of a flaw in how objects are handled in memory.
According to Microsoft’s bulletin, “a successful attack could be performed from a low privilege AppContainer,” which might have been used to elevate privileges and “execute code or access resources at a higher integrity level.” Also, the attack complexity is deemed “high.”
Furthermore, the CVE-2022-21989 vulnerability is at the proof-of-concept stage, but “details could be publicly available to threat actors,” which could increase risks for organizations.
Aside from Microsoft’s Tuesday update releases, patches were released for Adobe, Apple, and Google. Automox’s page has summarized and advised on patching a Critical Samba vulnerability (CVE-2021-44142).
Moreso, the Cybersecurity and Infrastructure Security Agency (CISA) announced on Friday, that they are adding CVE-2022-21882, a Microsoft Win32k privilege escalation vulnerability that got a patch during Microsoft’s January update, to its “Known Exploited Vulnerabilities Catalog,” since threat actors are actively exploiting it.
More tech news: