
February 2024 Security Updates
This release consists of the following 73 Microsoft CVEs:

Tag CVE Base Score CVSS Vector Exploitability FAQs? Workarounds? Mitigations?

Azure DevOps CVE-2024-20667
Microsoft Office CVE-2024-20673
Azure Stack CVE-2024-20679
Windows Hyper-V CVE-2024-20684
Skype for Business CVE-2024-20695
Trusted Compute Base CVE-2024-21304
Microsoft Defender for Endpoint CVE-2024-21315
Microsoft Dynamics CVE-2024-21327
Microsoft Dynamics CVE-2024-21328
Azure Connected Machine Agent CVE-2024-21329
Windows Kernel CVE-2024-21338
Windows USB Serial Driver CVE-2024-21339
Windows Kernel CVE-2024-21340
Windows Kernel CVE-2024-21341
Role: DNS Server CVE-2024-21342
Windows Internet Connection Sharing (ICS) CVE-2024-21343
Windows Internet Connection Sharing (ICS) CVE-2024-21344
Windows Kernel CVE-2024-21345
Windows Win32K - ICOMP CVE-2024-21346
SQL Server CVE-2024-21347
Windows Internet Connection Sharing (ICS) CVE-2024-21348
Microsoft ActiveX CVE-2024-21349
Microsoft WDAC OLE DB provider for SQL CVE-2024-21350
Windows SmartScreen CVE-2024-21351
Microsoft WDAC OLE DB provider for SQL CVE-2024-21352
Microsoft WDAC ODBC Driver CVE-2024-21353
Windows Message Queuing CVE-2024-21354
Windows Message Queuing CVE-2024-21355
Windows LDAP - Lightweight Directory Access Protocol CVE-2024-21356
Windows Internet Connection Sharing (ICS) CVE-2024-21357
Microsoft WDAC OLE DB provider for SQL CVE-2024-21358
Microsoft WDAC OLE DB provider for SQL CVE-2024-21359
Microsoft WDAC OLE DB provider for SQL CVE-2024-21360
Microsoft WDAC OLE DB provider for SQL CVE-2024-21361
Windows Kernel CVE-2024-21362
Windows Message Queuing CVE-2024-21363
Azure Site Recovery CVE-2024-21364
Microsoft WDAC OLE DB provider for SQL CVE-2024-21365
Microsoft WDAC OLE DB provider for SQL CVE-2024-21366
Microsoft WDAC OLE DB provider for SQL CVE-2024-21367
Microsoft WDAC OLE DB provider for SQL CVE-2024-21368
Microsoft WDAC OLE DB provider for SQL CVE-2024-21369
Microsoft WDAC OLE DB provider for SQL CVE-2024-21370
Windows Kernel CVE-2024-21371
Windows OLE CVE-2024-21372
Microsoft Teams for Android CVE-2024-21374
Microsoft WDAC OLE DB provider for SQL CVE-2024-21375
Microsoft Azure Kubernetes Service CVE-2024-21376
Microsoft Windows DNS CVE-2024-21377
Microsoft Office Outlook CVE-2024-21378
Microsoft Office Word CVE-2024-21379
Microsoft Dynamics CVE-2024-21380
Azure Active Directory CVE-2024-21381
Microsoft Office OneNote CVE-2024-21384
.NET CVE-2024-21386
Microsoft Dynamics CVE-2024-21389
Microsoft WDAC OLE DB provider for SQL CVE-2024-21391
Microsoft Dynamics CVE-2024-21393
Microsoft Dynamics CVE-2024-21394
Microsoft Dynamics CVE-2024-21395
Microsoft Dynamics CVE-2024-21396
Azure File Sync CVE-2024-21397
Microsoft Edge (Chromium-based) CVE-2024-21399
Azure Active Directory CVE-2024-21401
Microsoft Office Outlook CVE-2024-21402
Microsoft Azure Kubernetes Service CVE-2024-21403
.NET CVE-2024-21404
Windows Message Queuing CVE-2024-21405
Microsoft Windows CVE-2024-21406
Microsoft Exchange Server CVE-2024-21410
Internet Shortcut Files CVE-2024-21412
Microsoft Office CVE-2024-21413
Microsoft WDAC OLE DB provider for SQL CVE-2024-21420

We are republishing 6 non-Microsoft CVEs:
CNA Tag CVE FAQs? Workarounds? Mitigations?
MITRE Role: DNS Server CVE-2023-50387 No No No
Chrome Microsoft Edge (Chromium-based) CVE-2024-1059 Yes No No
Chrome Microsoft Edge (Chromium-based) CVE-2024-1060 Yes No No
Chrome Microsoft Edge (Chromium-based) CVE-2024-1077 Yes No No
Chrome Microsoft Edge (Chromium-based) CVE-2024-1283 Yes No No
Chrome Microsoft Edge (Chromium-based) CVE-2024-1284 Yes No No

Security Update Guide Blog Posts
Date Blog Post
January 11, 2022 Coming Soon: New Security Update Guide Notification System
February 9, 2021 Continuing to Listen: Good News about the Security Update Guide API
January 13, 2021 Security Update Guide Supports CVEs Assigned by Industry Partners
December 8, 2020 Security Update Guide: Let’s keep the conversation going
November 9, 2020 Vulnerability Descriptions in the New Version of the Security Update Guide

Relevant Resources

  • The new Hotpatching feature is now generally available. Please see Hotpatching feature for Windows Server Azure Edition virtual machines (VMs) for more information.
  • Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog. For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
  • Microsoft is improving Windows Release Notes. For more information, please see What's next for Windows release notes.
  • A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
  • In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.
  • Customers running Windows 7, Windows Server 2008 R2, or Windows Server 2008 need to purchase the Extended Security Update to continue receiving security updates. See 4522133 for more information.

Known Issues
You can see these in more detail from the Deployments tab by selecting the Known Issues column in the Edit Columns panel.

For more information about Windows Known Issues, please see Windows message center (links to currently-supported versions of Windows are in the left pane).

KB Article Applies To
5034763 Windows 10, version 21H2, Windows 10, version 22H2
5034770 Windows Server 2022
5034795 Windows Server 2008 (Monthly Rollup)
5034833 Windows Server 2008 R2 (Security-only update)
5035606 Exchange Server 2019
Released: Feb 13, 2024
February 2024 Security Updates - Release Notes - Security Update Guide - Microsoft

CVEs have been published or revised in the Security Update Guide
February 14, 2024

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2021-43890

· Title: Windows AppX Installer Spoofing Vulnerability

· Version: 1.4

· Reason for revision: Updated FAQs and added clarifying information to the mitigation. This is an informational change only.

· Originally released: December 14, 2021

· Last updated: February 13, 2024

· Aggregate CVE Severity Rating: Important

CVE-2023-36019

· Title: Microsoft Power Platform Connector Spoofing Vulnerability

· Version: 1.1

· Reason for revision: Updated the mitigation to inform customers with existing OAuth 2.0 connectors that these connectors must be updated to use a per-connector redirect URI by March 29, 2024. After March 29, 2024, users will no longer be able to create connections to or use existing OAuth 2.0 custom connectors that have not been updated. For more information see https://learn.microsoft.com/en-us/connectors/custom-connectors/#21-oauth-20. This is an informational change only.

· Originally released: December 12, 2023

· Last updated: February 13, 2024

· Aggregate CVE Severity Rating: Critical

CVE-2023-36558

· Title: ASP.NET Core - Security Feature Bypass Vulnerability

· Version: 1.2

· Reason for revision: Corrected Article links in the Security Updates table. This is an informational change only.

· Originally released: November 14, 2023

· Last updated: February 13, 2024

· Aggregate CVE Severity Rating: Important

CVE-2024-0056

· Title: Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability

· Version: 1.3

· Reason for revision: To address a known issue with a broken link, corrected Download links in the Security Updates table. This is an informational change only.

· Originally released: January 9, 2024

· Last updated: February 13, 2024

· Aggregate CVE Severity Rating: Important

CVE-2024-0057

· Title: NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability

· Version: 3.0

· Reason for revision: In the Security Updates table, added Visual Studio 2019 version 16.11 as it is also affected by this vulnerability. In addition, added NuGet 5.11.0, NuGet 17.4.0, NuGet 17.6.0, and NuGet 17.8.0 because these versions of NuGet are affected by this vulnerability. For more information on the NuGet updates see https://github.com/NuGet/Announcements/issues/71. Microsoft strongly recommends that customers running any of these products install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action.

· Originally released: January 9, 2024

· Last updated: February 13, 2024

· Aggregate CVE Severity Rating: Important

CVE-2024-0057

· Title: NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability

· Version: 3.1

· Reason for revision: To address a known issue with a broken link, corrected Download links in the Security Updates table. This is an informational change only.

· Originally released: January 9, 2024

· Last updated: February 13, 2024

· Aggregate CVE Severity Rating: Important

CVE-2024-20677

· Title: Microsoft Office Remote Code Execution Vulnerability

· Version: 2.0

· Reason for revision: In the Security Updates table, added 3D Viewer as it is affected by this vulnerability. In addition, added an FAQ to explain how customers can get the 3D Viewer update.

· Originally released: January 9, 2024

· Last updated: February 13, 2024

· Aggregate CVE Severity Rating: Important

CVE-2024-21312

· Title: .NET Framework Denial of Service Vulnerability

· Version: 1.3

· Reason for revision: To address a known issue with a broken link, corrected Download links in the Security Updates table. This is an informational change only.

· Originally released: January 9, 2024

· Last updated: February 13, 2024

· Aggregate CVE Severity Rating: Important


CVEs have been published or revised in the Security Update Guide
February 14, 2024

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2024-21357

· Title: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

· Version: 1.1

· Reason for revision: Updated one or more CVSS scores for the affected products and added an FAQ explaining the vector string settings. This is an informational change only.

· Originally released: February 13, 2024

· Last updated: February 14, 2024

· Aggregate CVE Severity Rating: Critical

CVE-2024-21413

· Title: Microsoft Outlook Remote Code Execution Vulnerability

· Version: 1.1

· Reason for revision: Updated the Exploited flag and Exploitability Assessment to indicate that Microsoft was aware of exploitation of this vulnerability. This is an informational change only.

· Originally released: February 13, 2024

· Last updated: February 14, 2024

· Aggregate CVE Severity Rating: Critical


CVEs have been published or revised in the Security Update Guide
February 14, 2024

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2024-21410

· Title: Microsoft Exchange Server Elevation of Privilege Vulnerability

· Version: 1.1

· Reason for revision: Updated the Exploited flag and Exploitability Assessment to indicate that Microsoft was aware of exploitation of this vulnerability. This is an informational change only.

· Originally released: February 13, 2024

· Last updated: February 14, 2024

· Aggregate CVE Severity Rating: Critical

CVE-2024-21413

· Title: Microsoft Outlook Remote Code Execution Vulnerability

· Version: 1.2

· Reason for revision: Mistakenly updated exploited flag and exploitability assessment to indicate exploitation existed. Reverting values to no. This is an informational change only.

· Originally released: February 13, 2024

· Last updated: February 14, 2024

· Aggregate CVE Severity Rating: Critical


CVEs have been published or revised in the Security Update Guide
February 15, 2024

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2024-21329

· Title: Azure Connected Machine Agent Elevation of Privilege Vulnerability

· Version: 2.0

· Reason for revision: In the Security Updates table, removed the Article and Download links because the update is not available for Azure Connected Machine Agent. Customers will be notified via a revision to this CVE information when the update becomes available.

· Originally released: February 13, 2024

· Last updated: February 15, 2024

· Aggregate CVE Severity Rating: Important


CVEs have been published or revised in the Security Update Guide
February 16, 2024

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2024-21338

· Title: Windows Kernel Elevation of Privilege Vulnerability

· Version: 1.1

· Reason for revision: Updated one or more CVSS scores for the affected products. This is an informational change only.

· Originally released: February 13, 2024

· Last updated: February 15, 2024

· Aggregate CVE Severity Rating: Important

CVE-2024-21410

· Title: Microsoft Exchange Server Elevation of Privilege Vulnerability

· Version: 1.2

· Reason for revision: Added FAQ information. This is an informational change only.

· Originally released: February 13, 2024

· Last updated: February 15, 2024

· Aggregate CVE Severity Rating: Critical

CVE-2024-21412

· Title: Internet Shortcut Files Security Feature Bypass Vulnerability

· Version: 1.1

· Reason for revision: Updated one or more CVSS scores for the affected products. This is an informational change only.

· Originally released: February 13, 2024

· Last updated: February 15, 2024

· Aggregate CVE Severity Rating: Important


CVEs have been published or revised in the Security Update Guide
February 16, 2024

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2023-36019

· Title: Microsoft Power Platform Connector Spoofing Vulnerability

· Version: 1.2

· Reason for revision: Added clarifying information to the mitigation. This is an informational change only.

· Originally released: December 12, 2023

· Last updated: February 16, 2024

· Aggregate CVE Severity Rating: Critical


CVEs have been published or revised in the Security Update Guide
February 23, 2024

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2024-1669

· Title: Chromium: CVE-2024-1669 Out of bounds memory access in Blink

· Version: 1.0

· Reason for revision: Information published.

· Originally released: February 23, 2024

· Last updated: February 23, 2024

· Aggregate CVE Severity Rating:

CVE-2024-1670

· Title: Chromium: CVE-2024-1670 Use after free in Mojo

· Version: 1.0

· Reason for revision: Information published.

· Originally released: February 23, 2024

· Last updated: February 23, 2024

· Aggregate CVE Severity Rating:

CVE-2024-1671

· Title: Chromium: CVE-2024-1671 Inappropriate implementation in Site Isolation

· Version: 1.0

· Reason for revision: Information published.

· Originally released: February 23, 2024

· Last updated: February 23, 2024

· Aggregate CVE Severity Rating:

CVE-2024-1672

· Title: Chromium: CVE-2024-1672 Inappropriate implementation in Content Security Policy

· Version: 1.0

· Reason for revision: Information published.

· Originally released: February 23, 2024

· Last updated: February 23, 2024

· Aggregate CVE Severity Rating:

CVE-2024-1673

· Title: Chromium: CVE-2024-1673 Use after free in Accessibility

· Version: 1.0

· Reason for revision: Information published.

· Originally released: February 23, 2024

· Last updated: February 23, 2024

· Aggregate CVE Severity Rating:

CVE-2024-1674

· Title: Chromium: CVE-2024-1674 Inappropriate implementation in Navigation

· Version: 1.0

· Reason for revision: Information published.

· Originally released: February 23, 2024

· Last updated: February 23, 2024

· Aggregate CVE Severity Rating:

CVE-2024-1675

· Title: Chromium: CVE-2024-1675 Insufficient policy enforcement in Download

· Version: 1.0

· Reason for revision: Information published.

· Originally released: February 23, 2024

· Last updated: February 23, 2024

· Aggregate CVE Severity Rating:

CVE-2024-1676

· Title: Chromium: CVE-2024-1676 Inappropriate implementation in Navigation

· Version: 1.0

· Reason for revision: Information published.

· Originally released: February 23, 2024

· Last updated: February 23, 2024

· Aggregate CVE Severity Rating:

CVE-2024-21423

· Title: Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

· Version: 1.0

· Reason for revision: Information published.

· Originally released: February 23, 2024

· Last updated: February 23, 2024

· Aggregate CVE Severity Rating: Low

CVE-2024-26188

· Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability

· Version: 1.0

· Reason for revision: Information published.

· Originally released: February 23, 2024

· Last updated: February 23, 2024

· Aggregate CVE Severity Rating: Low

CVE-2024-26192

· Title: Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

· Version: 1.0

· Reason for revision: Information published.

· Originally released: February 23, 2024

· Last updated: February 23, 2024

· Aggregate CVE Severity Rating: Important


CVEs have been published or revised in the Security Update Guide
February 28, 2024

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2024-21338

· Title: Windows Kernel Elevation of Privilege Vulnerability

· Version: 1.2

· Reason for revision: Updated the Exploitability Index to 0 - Exploitation Detected and Exploited to Yes. This is an informational change only.

· Originally released: February 13, 2024

· Last updated: February 28, 2024

· Aggregate CVE Severity Rating: Important

CVE-2024-21626

· Title: GitHub: CVE-2024-21626 Container breakout through process.cwd trickery and leaked fds

· Version: 1.0

· Reason for revision: Microsoft is announcing that the Azure Kubernetes Service security updates released on 31 January 2024 include runc updates, which address this vulnerability. Microsoft recommends that customers install the 31 January 2024 updates to ensure they have the most up-to-date version of Azure Kubernetes Service.

· Originally released: February 28, 2024

· Last updated: February 28, 2024

· Aggregate CVE Severity Rating: Critical


Getting harder to keep up with these! Thanks for all the updates


CVEs have been published or revised in the Security Update Guide
February 29, 2024

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2024-1938

· Title: Chromium: CVE-2024-1938 Type Confusion in V8

· Version: 1.0

· Reason for revision: Information published.

· Originally released: February 29, 2024

· Last updated: February 29, 2024

· Aggregate CVE Severity Rating:

CVE-2024-1939

· Title: Chromium: CVE-2024-1939 Type Confusion in V8

· Version: 1.0

· Reason for revision: Information published.

· Originally released: February 29, 2024

· Last updated: February 29, 2024

· Aggregate CVE Severity Rating:

CVE-2024-26196

· Title: Microsoft Edge for Android (Chromium-based) Information Disclosure Vulnerability

· Version: 1.0

· Reason for revision: Information published.

· Originally released: February 29, 2024

· Last updated: February 29, 2024

· Aggregate CVE Severity Rating: Low


CVEs have been published or revised in the Security Update Guide
March 7, 2024

These common vulnerabilities and exposures (CVEs) were recently published or revised in the Microsoft Security Update Guide:

CVE-2024-2173

· Title: CVE-2024-2173

· Version: 1.0

· Reason for revision: Information published.

· Originally released: March 7, 2024

· Last updated: March 7, 2024

· Aggregate CVE Severity Rating:

CVE-2024-2174

· Title: CVE-2024-2174

· Version: 1.0

· Reason for revision: Information published.

· Originally released: March 7, 2024

· Last updated: March 7, 2024

· Aggregate CVE Severity Rating:

CVE-2024-2176

· Title: CVE-2024-2176

· Version: 1.0

· Reason for revision: Information published.

· Originally released: March 7, 2024

· Last updated: March 7, 2024

· Aggregate CVE Severity Rating:

CVE-2024-26167

· Title: Microsoft Edge for Android Spoofing Vulnerability

· Version: 1.0

· Reason for revision: Information published.

· Originally released: March 7, 2024

· Last updated: March 7, 2024

· Aggregate CVE Severity Rating: Low

