Three of these vulnerabilities have been exploited in the wild and Ivanti is encouraging customers to patch immediately. Ivanti has patches for five CVEs affecting their Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways. Windows 11, version 23H2 and Windows 10, version 22H2 will continue to receive security and optional releases.” Only cumulative monthly security updates (known as the “B” or Update Tuesday release) will continue for this version. But note per Microsoft “After February 2024, there are no more optional, non-security preview releases for Windows 11, version 22H2. Microsoft released their monthly non-security preview patch for Windows 10 22H2, Windows 11 22H2, and Windows 11 23H2 on January 23. As always, zero-day updates should be applied in a timely manner because they are known to be exploited, and it is only a matter of time before the attackers reach your systems. Microsoft said an update would address this in the future. A successful attack can crash the event logging service, which could hide additional activity on the system. Like Apple, they reported this is known to be exploited in the wild but without any details.Ī zero-day vulnerability called EventLogCrasher was reported for all versions of Windows, but Microsoft believes it is the same issue reported back in 2022. These releases addressed CVE-2024-0519, which provides out-of-bounds memory access in the V8 engine. Google released the Stable Channel updates 1.234 for Mac, 1.224 for Linux, and 1.224/225 to Windows back on January 16. Apple reported that this is known to be exploited in the wild but did not give any details. These updates included a fix for CVE-2024-23222 which allows maliciously crafted web content to conduct arbitrary code execution. Apple released updates for all the operating systems on January 22 and Safari 17.3 for Monterey and Ventura macOS. The first zero-day announcements and some software releases from Apple, Google, Ivanti, and Microsoft have hit the streets. It’s still early in the release process, but if you are curious to test out the latest server technology, it is now available. Hotpatching will provide real-time updates to the running system in memory without the need for an immediate reboot to take effect. Hot features include an option to subscribe as needed through Azure Arc (which is also getting an update), some Active Directory storage and security updates, communications security updates with SMB over Quick UDP (QUIC), and hotpatching. The new features planned for Server 2025 were announced at Microsoft Ignite last fall. Microsoft introduced the update process called ‘flighting’ for these preview builds, allowing automatic or manual in-place updates approximately every two weeks without needing a new install every time. While they haven’t given an official public availability date, it is expected to be generally available this fall if it follows the Server 2022 pattern. Microsoft announced Server 2025 is now available on the Windows Server Insider Channel. But first, there’s a preview of a new server available. That lull didn’t last long as the zero-day treadmill has started up again as I’ll discuss shortly. January’s release was a bit unusual in that we didn’t have any updates for Office 2013 and Office 2016, only the online, click-to-run versions had a single-CVE update. A relatively light release from Microsoft with 39 CVEs addressed in Windows 10, 35 in Windows 11, and surprisingly no zero-day vulnerabilities from Microsoft to start the new year. UPDATE: February 13, 14:55 ET – February 2024 Patch Tuesday is live.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |