Microsoft Patch Tuesday, February 2023 patches 75 vulnerabilities including three zero-day vulnerabilities (9 critical, 66 important)
Number of CVE by type:
- 12 Elevation of Privilege Vulnerabilities
- 2 Security Feature Bypass Vulnerabilities
- 36 Remote Code Execution Vulnerabilities
- 7 Information Disclosure Vulnerabilities
- 10 Denial of Service Vulnerabilities
- 8 Spoofing Vulnerabilities
This list does not include the Microsoft Edge vulnerabilities disclosed earlier this month.
Sources
Microsoft MSRC - https://msrc.microsoft.com/update-guide/releaseNote/2023
Risks
This month’s Patch Tuesday includes 9 critical and 66 important vulnerabilities for a wide range of Microsoft products and technologies. Microsoft reports three vulnerabilities as zero-day vulnerabilities that are actively exploited: CVE-2023-21715 (Microsoft Publisher Security Features Bypass Vulnerability), CVE-2023-21823 (Windows Graphics Component Remote Code Execution), and CVE-2023-23376 (Windows Common Log File System Driver Elevation of Privilege Vulnerability).
Microsoft fixed a critical issue in Microsoft Word (CVE-2023-21716) which allows an attacker to craft an email RTF payload that executes commands in the application used to open the malicious file. The payload will execute when viewing the attachment in the preview pane of Microsoft Outlook.
This month's Patch Tuesday includes three vulnerabilities for Microsoft Exchange: CVE-2023-21529, CVE-2023-21706, and CVE-2023-21707. These vulnerabilities are all listed as: "Microsoft Exchange Server Remote Code Execution." Microsoft stated that authentication is required to exploit these vulnerabilities.
Implementing patch management for Microsoft Exchange servers is highly recommended. Microsoft Exchange servers are high-value targets for threat actors. The CCB warned its constituency multiple times in the last two years about actively exploited vulnerabilities targeting Microsoft Exchange servers:
- March 2021: [ProxyLogon](https://cert.be/en/multiple-critical-vulnerabilities-microsoft-exchange)
- August 2021: [ProxyShell](https://cert.be/en/microsoft-exchange-servers-actively-scanned-proxyshel...)
- November 2022: [ProxyNotShell](https://cert.be/en/two-zero-day-vulnerabilities-microsoft-exchange-serve...)
- December 2022: [OWASSRF](https://cert.be/en/warning-ransomware-actors-are-actively-exploiting-new...)
- January 2023: [January 2023 Patch Tuesday](https://cert.be/en/warning-microsoft-patch-tuesday-january-2023-patches-...)
Description
CVE-2023-21715 - Microsoft Publisher Security Features Bypass Vulnerability
A zero-day vulnerability in Microsoft Publisher allows malicious macros to execute without warning the user. This vulnerability bypasses Office macro restrictions that block untrusted or malicious files.
This vulnerability could be exploited by an attacker by tricking a user into opening a malicious publisher file. This vulnerability is actively exploited according to Microsoft.
CVE-2023-21823 - Windows Graphics Component Remote Code Execution Vulnerability
This zero-day vulnerability allows an attacker to execute commands using SYSTEM level privileges. This vulnerability is actively exploited according to Microsoft.
NOTE: This update is delivered through the Microsoft Store instead of Windows Update. If you have disabled the Microsoft Store, this update will not be automatically installed.
CVE-2023-23376 - Windows Common Log File System Driver Elevation of Privilege Vulnerability
This zero-day vulnerability allows an attacker to gain SYSTEM privileges. This vulnerability is actively exploited according to Microsoft.
CVE-2023-21716 - Microsoft Word Remote Code Execution Vulnerability
A vulnerability in Microsoft Word which allows an attacker to craft an email RTF payload that executes commands in the application used to open the malicious file. The payload will execute when viewing the attachment in the preview pane of Microsoft Outlook.
CVE-2023-21529 / CVE-2023-21706 / CVE-2023-21707 - Microsoft Exchange Server Remote Code Execution Vulnerability
These vulnerabilities allow a remote authenticated attacker to perform remote code execution through a network call. Authenticated attacks on Exchange servers are often carried out using phished or leaked credentials.
Recommended Actions
The Centre for Cyber Security Belgium strongly recommends that Windows system administrators install the updates for vulnerable systems with the highest priority, after thorough testing.
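As an added example that is not part of the CCB advisory, the following PowerShell audit supports the recommended action above and the note on CVE-2023-21823 being delivered through the Microsoft Store. It assumes it is run elevated on the host being checked and uses the February 2023 Patch Tuesday release date (14 February 2023) as the cut-off; KB numbers are deliberately not hard-coded because the advisory does not list them, so the output is meant to be compared against the MSRC release notes linked under Sources.

```powershell
# Added example (not from the CCB advisory): post-Patch-Tuesday audit for a Windows host.
# Assumptions: run elevated; cut-off date is the February 2023 Patch Tuesday (14 Feb 2023);
# the Exchange check only runs inside an Exchange Management Shell session.
$PatchTuesday = Get-Date -Year 2023 -Month 2 -Day 14

# 1. Windows updates installed on or after Patch Tuesday (Windows Update / WSUS channel).
#    InstalledOn can be empty for some entries, so it is tested before comparison.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
    Sort-Object InstalledOn -Descending
if ($recent) {
    "Updates installed since $($PatchTuesday.ToShortDateString()):"
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning "No hotfix installed since $($PatchTuesday.ToShortDateString()); compare against the MSRC release notes before assuming the host is patched."
}

# 2. Microsoft Store availability: the CVE-2023-21823 fix ships through the Store, so a host
#    where the Store is disabled by policy ("Turn off the Store application") will not receive
#    it automatically. The policy is the RemoveWindowsStore DWORD under the WindowsStore key.
$storePolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore' `
    -Name RemoveWindowsStore -ErrorAction SilentlyContinue
if ($storePolicy -and $storePolicy.RemoveWindowsStore -eq 1) {
    Write-Warning "Microsoft Store is disabled by policy (RemoveWindowsStore=1); Store-delivered fixes must be deployed another way."
} else {
    "Microsoft Store is not disabled by policy; Store-delivered updates can install automatically."
}

# 3. Exchange: record each server's build so it can be compared against the February 2023
#    security update. Skipped when the Exchange cmdlets are not loaded.
if (Get-Command Get-ExchangeServer -ErrorAction SilentlyContinue) {
    Get-ExchangeServer | Select-Object Name, ServerRole, AdminDisplayVersion
} else {
    "Get-ExchangeServer not available in this session; run from the Exchange Management Shell to report server builds."
}
```

The script reports rather than remediates: it surfaces hosts with no post-Patch-Tuesday updates, hosts that will silently miss the Store-delivered fix, and Exchange builds that still need to be matched against the current security update, which is the evidence an administrator needs before rolling the updates out after testing.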
References
Bleeping Computer - https://www.bleepingcomputer.com/news/microsoft/microsoft-february-2023-patch-tuesday-fixes-3-exploited-zero-days-77-flaws/
Krebs on Security - https://krebsonsecurity.com/2023/02/microsoft-patch-tuesday-february-2023-edition/
Tenable - https://www.tenable.com/blog/microsofts-february-2023-patch-tuesday-addresses-75-cves-cve-2023