February 2024 Patch Tuesday forecast: Zero days are back and a new server too

UPDATE: February 13, 14:55 ET – February 2024 Patch Tuesday is live.

January 2024 Patch Tuesday is behind us. A relatively light release from Microsoft with 39 CVEs addressed in Windows 10, 35 in Windows 11, and surprisingly no zero-day vulnerabilities from Microsoft to start the new year.

January’s release was a bit unusual in that we didn’t have any updates for Office 2013 and Office 2016, only the online, click-to-run versions had a single-CVE update. That lull didn’t last long as the zero-day treadmill has started up again as I’ll discuss shortly. But first, there’s a preview of a new server available.

February 2024 Patch Tuesday forecast

Microsoft Server 2025

Microsoft announced Server 2025 is now available on the Windows Server Insider Channel. While they haven’t given an official public availability date, it is expected to be generally available this fall if it follows the Server 2022 pattern. Microsoft introduced the update process called ‘flighting’ for these preview builds, allowing automatic or manual in-place updates approximately every two weeks without needing a new install every time.

The new features planned for Server 2025 were announced at Microsoft Ignite last fall. Hot features include an option to subscribe as needed through Azure Arc (which is also getting an update), some Active Directory storage and security updates, communications security updates with SMB over Quick UDP (QUIC), and hotpatching. Hotpatching will provide real-time updates to the running system in memory without the need for an immediate reboot to take effect. It’s still early in the release process, but if you are curious to test out the latest server technology, it is now available.

Apple, Google, Ivanti, and Microsoft

The first zero-day announcements and some software releases from Apple, Google, Ivanti, and Microsoft have hit the streets. Apple released updates for all the operating systems on January 22 and Safari 17.3 for Monterey and Ventura macOS. These updates included a fix for CVE-2024-23222 which allows maliciously crafted web content to conduct arbitrary code execution. Apple reported that this is known to be exploited in the wild but did not give any details.

Google released the Stable Channel updates 120.0.6099.234 for Mac, 120.0.6099.224 for Linux, and 120.0.6099.224/225 to Windows back on January 16. These releases addressed CVE-2024-0519, which provides out-of-bounds memory access in the V8 engine. Like Apple, they reported this is known to be exploited in the wild but without any details.

A zero-day vulnerability called EventLogCrasher was reported for all versions of Windows, but Microsoft believes it is the same issue reported back in 2022. A successful attack can crash the event logging service, which could hide additional activity on the system. Microsoft said an update would address this in the future. As always, zero-day updates should be applied in a timely manner because they are known to be exploited, and it is only a matter of time before the attackers reach your systems.

Microsoft released their monthly non-security preview patch for Windows 10 22H2, Windows 11 22H2, and Windows 11 23H2 on January 23. But note per Microsoft “After February 2024, there are no more optional, non-security preview releases for Windows 11, version 22H2. Only cumulative monthly security updates (known as the “B” or Update Tuesday release) will continue for this version. Windows 11, version 23H2 and Windows 10, version 22H2 will continue to receive security and optional releases.”

Ivanti has patches for five CVEs affecting their Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways. Three of these vulnerabilities have been exploited in the wild and Ivanti is encouraging customers to patch immediately.