Other official information and services: www.belgium.be

Microsoft Patch Tuesday, February 2023 patches 75 vulnerabilities including three zero-day vulnerabilities 9 critical, 66 important)

Reference:

Advisory #Advisory #2023-18

Version:

1.0

Affected software:

.NET and Visual Studio

.NET Framework

3D Builder

Azure App Service

Azure DevOps

Azure Machine Learning

HoloLens

Internet Storage Name Service

Microsoft Defender for Endpoint

Microsoft Defender for IoT

Microsoft Dynamics

Microsoft Edge (Chromium-based)

Microsoft Exchange Server

Microsoft Graphics Component

Microsoft Office

Microsoft Office OneNote

Microsoft Office Publisher

Microsoft Office SharePoint

Microsoft Office Word

Microsoft PostScript Printer Driver

Microsoft WDAC OLE DB provider for SQL

Microsoft Windows Codecs Library

Power BI

SQL Server

Visual Studio

Windows Active Directory

Windows ALPC

Windows Common Log File System Driver

Windows Cryptographic Services

Windows Distributed File System (DFS)

Windows Fax and Scan Service

Windows HTTP.sys

Windows Installer

Windows iSCSI

Windows Kerberos

Windows MSHTML Platform

Windows ODBC Driver

Windows Protected EAP (PEAP)

Windows SChannel

Windows Win32K

Type:

Several types, ranging from denial of service to privilege escalation and remote code execution.

CVE/CVSS:

Microsoft Patch Tuesday, February 2023 patches 75 vulnerabilities including three zero-day vulnerabilities 9 critical, 66 important)

Number of CVE by type:

12 Elevation of Privilege Vulnerabilities
2 Security Feature Bypass Vulnerabilities
36 Remote Code Execution Vulnerabilities
7 Information Disclosure Vulnerabilities
10 Denial of Service Vulnerabilities
8 Spoofing Vulnerabilities

This list does not include the Microsoft Edge vulnerabilities disclosed earlier this month.

Date:

15/02/2023

Sources

Microsoft MSRC - https://msrc.microsoft.com/update-guide/releaseNote/2023

Risks

This month’s Patch Tuesday includes 9 critical and 66 important vulnerabilities for a wide range of Microsoft products and technologies. Microsoft reports three vulnerabilities as zero-day vulnerabilities that are actively exploited: CVE-2023-21715 (Microsoft Publisher Security Features Bypass Vulnerability), CVE-2023-21823 (Windows Graphics Component Remote Code Execution), and CVE-2023-23376 (Windows Common Log File System Driver Elevation of Privilege Vulnerability).

Microsoft fixed a critical issue in Microsoft Word (CVE-2023-21716) which allows an attacker to craft an email RTF payload that executes commands in the application used to open the malicious file. The payload will execute when viewing the attachment in the preview pane of Microsoft Outlook.

This month's Patch Tuesday includes three vulnerabilities for Microsoft Exchange: CVE 2023 21529, CVE-2023-21706, and CVE-2023-21707. These vulnerabilities are all listed as: "Microsoft Exchange Server Remote Code Execution." Microsoft stated that authentication is required to exploit these vulnerabilities.

Implementing patch management for Microsoft Exchange servers is highly recommended. Microsoft Exchange servers are high-value targets for threat actors. The CCB warned its constituency multiple times in the last two years for actively exploited vulnerabilities targeting Microsoft Exchange server.

March 2021: [ProxyLogon](https://cert.be/en/multiple-critical-vulnerabilities-microsoft-exchange)
August 2021: [ProxyShell](https://cert.be/en/microsoft-exchange-servers-actively-scanned-proxyshel...)
November 2022: [ProxyNotShell](https://cert.be/en/two-zero-day-vulnerabilities-microsoft-exchange-serve...)
December 2022: [OWASSRF](https://cert.be/en/warning-ransomware-actors-are-actively-exploiting-new...)
January 2023: [January 2023 Patch Tuesday](https://cert.be/en/warning-microsoft-patch-tuesday-january-2023-patches-...)

Description

CVE-2023-21715 - Microsoft Publisher Security Features Bypass Vulnerability

A zero-day vulnerability in Microsoft Publisher allows malicious macros to execute without warning the user. This vulnerability bypasses Office macro restrictions that block untrusted or malicious files.

This vulnerability could be exploited by an attacker by tricking a user into opening a malicious publisher file. This vulnerability is actively exploited according to Microsoft.

CVE-2023-21823 - Windows Graphics Component Remote Code Execution Vulnerability

This zero-day vulnerability allows an attacker to execute commands using SYSTEM level privileges. This vulnerability is actively exploited according to Microsoft.

NOTE: This update is delivered through the Microsoft Store instead of Windows Update. If you have disabled the Microsoft Store, this update will not be automatically installed.

CVE-2023-23376 - Windows Common Log File System Driver Elevation of Privilege Vulnerability

This zero-day vulnerability allows an attacker to gain SYSTEM privileges. This vulnerability is actively exploited according to Microsoft.

CVE-2023-21716 - Microsoft Word Remote Code Execution Vulnerability

A vulnerability in Microsoft Word which allows an attacker to craft an email RTF payload that executes commands in the application used to open the malicious file. The payload will execute when viewing the attachment in the preview pane of Microsoft Outlook.

CVE-2023-21529 / CVE-2023-21706 / CVE-2023-21707 - Microsoft Exchange Server Remote Code Execution Vulnerability

These vulnerabilities allow a remote authenticated attacker to perform remote code execution through a network call. Authenticated attacks on Exchange servers are aften exploited using phished or leaked credentials.

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends Windows system administrators to install updates for vulnerable systems with the highest priority, after thorough testing.

References

Bleeping Computer - https://www.bleepingcomputer.com/news/microsoft/microsoft- february-2023-patch-tuesday-fixes-3-exploited-zero-days-77-flaws/

Krebs on security - https://krebsonsecurity.com/2023/02/microsoft-patch-tuesday- february-2023-edition/

Tenable - https://www.tenable.com/blog/microsofts-february-2023-patch- tuesday-addresses-75-cves-cve-2023