Microsoft released fixes for 51 vulnerabilities in their February security update this week, with patches across Office, Teams, Windows, Azure Data Explorer, fixing issues such as remote code execution exploits, denial-of-service, and privilege escalation flaws. This was an incredibly rare Patch Tuesday update, as there were no fixes for ‘Critical’ vulnerabilities, with 50 being rated with ‘Important’ severity, while only one was rated as ‘Moderate’. Additionally, none of the vulnerabilities were listed as currently being under exploit.
On Tuesday, Google also released updates for Android devices. There were 37 issues resolved in the update, with vulnerabilities ranging from ‘Critical’ to ‘High’. Android said, “the most severe of these issues is a critical security vulnerability in the System component that could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.”
Last Tuesday, Google also released 27 fixes for their Chrome browser, affecting users operating Windows, Mac and Linux systems. Out of 27 exploits, eight were rated as ‘High’ severity, while one was rated as ‘Low’. Commenting on these many updates, and covered by DataBreachToday UK and the ISMG estate, John Goodacre, director of the UKRI’s Digital Security by Design challenge and Professor of Computer Architectures at Manchester University, advised that “users need to take immediate action when software suppliers provide fixes to issues that can be exploited without user intervention or have been classified as of high or critical importance. This is especially true as hackers may already be exploiting the issue, and if not, the release of the patch can give hackers insight on how to exploit it.”
This long-standing tradition of Patch Tuesday and the industry norm of releasing monthly, if not weekly software security updates highlight the need for security-first design. John commented further on the matter saying, “until our devices are built using future by-design security technologies, such as those being developed as part of the UKRI Digital Security by Design programme, all users of software need to react to such updates at the earliest opportunity. We often hear about users delaying updates, for example in responding to the Log4j disclosure, and how they are still suffering from attacks.”