Tripwire's February 2024 Patch Priority Index (PPI) brings together important vulnerabilities for Microsoft, ConnectWise, and Google.
First on the patch priority list are patches for ConnectWise ScreenConnect, Microsoft Exchange Server, Microsoft Windows SmartScreen, and Microsoft Windows Internet Shortcut files. These CVEs (CVE-2024-1709, CVE-2024-21410, CVE-2024-21351, CVE-2024-21412) have been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. For ConnectWise ScreenConnect, note that exploits are available in the Metasploit Framework.
Up next are patches for Microsoft Edge (Chromium-based) and Chromium that resolve use-after-free and heap buffer overflow vulnerabilities.
Next on the patch priority list this month are patches for Microsoft Word, Outlook, Office, and OneNote that resolve remote code execution and elevation of privilege vulnerabilities.
Next are patches that affect components of the core Windows operating system. These patches resolve over 35 vulnerabilities, including elevation of privilege, denial of service, and remote code execution vulnerabilities. These vulnerabilities affect core Windows, Kernel, Microsoft Message Queuing, LDAP, OLE, ActiveX Data Objects, and others.
Next up are patches for .NET that resolve 2 denial of service vulnerabilities.
Lastly, administrators should focus on server-side patches for DNS Server, Azure DevOps, Hyper-V, SQL Server, and Dynamics. These patches resolve several issues including remote code execution, spoofing, information disclosure, cross-site scripting, and denial of service vulnerabilities.
| BULLETIN | CVE |
| | CVE-2024-1709, CVE-2024-21410, CVE-2024-21351, CVE-2024-21412 |
| | CVE-2024-1059, CVE-2024-1060, CVE-2024-1077, CVE-2024-1283, CVE-2024-1284, CVE-2024-21399 |
| | CVE-2024-21379 |
| | CVE-2024-21402, CVE-2024-21378 |
| | CVE-2024-20673, CVE-2024-21413 |
| | CVE-2024-21384 |
| | CVE-2024-21406, CVE-2024-21353, CVE-2024-21356, CVE-2024-21371, CVE-2024-21338, CVE-2024-21345, CVE-2024-21340, CVE-2024-21341, CVE-2024-21362, CVE-2024-21339, CVE-2024-21304, CVE-2024-21346, CVE-2024-21348, CVE-2024-21343, CVE-2024-21344, CVE-2024-21357, CVE-2024-21359, CVE-2024-21358, CVE-2024-21370, CVE-2024-21375, CVE-2024-21365, CVE-2024-21350, CVE-2024-21352, CVE-2024-21367, CVE-2024-21391, CVE-2024-21366, CVE-2024-21360, CVE-2024-21361, CVE-2024-21369, CVE-2024-21368, CVE-2024-21420, CVE-2024-21372, CVE-2024-21355, CVE-2024-21354, CVE-2024-21405, CVE-2024-21363, CVE-2024-21315, CVE-2024-21349 |
| | CVE-2024-21386, CVE-2024-21404 |
| | CVE-2023-50387, CVE-2024-21342, CVE-2024-21377 |
| | CVE-2024-20667 |
| | CVE-2024-20684 |
| | CVE-2024-21347 |
| | CVE-2024-21394, CVE-2024-21396, CVE-2024-21328, CVE-2024-21395, CVE-2024-21393, CVE-2024-21389, CVE-2024-21327, CVE-2024-21380 |