Microsoft and Apple issue patches for actively exploited flaws.
Patch Tuesday notes, February 2023.
This month’s Patch Tuesday saw fixes from Microsoft, Apple, SAP, Citrix, Mozilla, and Adobe.
Microsoft patches three zero-days.
Microsoft issued patches for seventy-seven flaws, including three zero-days that were being actively exploited in the wild, BleepingComputer reports. The zero-days affect the Windows Graphics Component, Microsoft Publisher, and the Windows Common Log File System Driver.
BleepingComputer also notes that an update to Microsoft Edge is beginning to disable the Internet Explorer 11 desktop web browser. Microsoft stated, “As previously announced, the out-of-support Internet Explorer 11 (IE11) desktop application will be permanently disabled on certain versions of Windows 10 starting today, February 14, 2023.”
Apple fixes remote code execution vulnerability.
Apple has issued an emergency patch for a vulnerability affecting iOS, iPadOS, and macOS, Tom’s Guide reports. The vulnerability affects WebKit, and can lead to remote code execution on the device if the user visits a malicious webpage. Apple says it's “aware of a report that this issue may have been actively exploited.”
Patches for Adobe, Citrix, Mozilla, and SAP.
Adobe has fixed vulnerabilities affecting Photoshop, Illustrator, and After Effects, SecurityWeek reports. The company stated, “This update addresses critical security vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.”
Citrix has patched four high-severity vulnerabilities affecting Citrix Workspace Apps, Virtual Apps and Desktops, according to CISA.
Mozilla has released several security patches for Firefox 110 and Firefox ESR 102.8.
SAP has issued twenty-six fixes, including one for a vulnerability that could allow “An authenticated non-admin user with local access to a server port assigned to the SAP Host Agent Service [to] submit a specially crafted web service request with an arbitrary operating system command.”
Industry comment.
Ashley Leonard, CEO and founder of Syxsense, commented on Microsoft’s patches:
“This month, there are 8 patches that are critical and 67 that are rated Important. Microsoft Windows, Office and Office Components, Exchange, .NET Core and Visual Studio Code, 3D Builder and Print 3D have all received fixes this month. This is only the second Patch Tuesday of the year, and we have already tripled the number of weaponized threats that need to be fixed in this release. We also have 5 patches that resolve vulnerabilities with a CVSS score of more than 9 (critical), which may be surprising since we have not seen a vulnerability higher than 9.0 since last October. If you count all of the individual CVSS scores together, February has a combined CVSS score of 565.9.”