Microsoft’s February 2023 Patch Tuesday fixes 75 vulnerabilities, nine of them rated critical, and three (all rated important) that are being exploited.
“This is only the second Patch Tuesday of the year, and we have already tripled the number of weaponized threats that need to be fixed in this release,” Syxsense CEO and founder Ashley Leonard told eSecurity Planet.
“We also have five patches that resolve vulnerabilities with a CVSS score of more than 9 (critical), which may be surprising since we have not seen a vulnerability higher than 9.0 since last October,” Leonard added.
New Exploited Vulnerabilities
The three flaws currently being exploited are:
- CVE-2023-21715, a flaw in Microsoft Publisher that could enable an attacker to bypass Office macro policies used to block untrusted files
- CVE-2023-21823, a remote code execution vulnerability in the Windows Graphics Component that could provide an attacker with SYSTEM privileges
- CVE-2023-23376, an escalation of privilege vulnerability in the Windows Common Log File System Driver that could provide an attacker with SYSTEM privileges
Regarding the second flaw listed above, Action1 vice president of vulnerability and threat research Mike Walters warned, “This vulnerability is relatively simple to exploit, utilizes local vectors, and requires low levels of access, with no need for user interaction. All Windows operating systems starting from Windows 7 are vulnerable to this issue.”
Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, suggested that the third flaw listed above is likely being chained with a remote code execution bug to distribute malware or ransomware. “Considering this was discovered by Microsoft’s Threat Intelligence Center (a.k.a. MSTIC), it could mean it was used by advanced threat actors,” he wrote. “Either way, make sure you test and roll these fixes quickly.”
Exchange, Defender Flaws Get Attention
Childs also highlighted CVE-2023-21529, a remote code execution vulnerability in Microsoft Exchange Server that was discovered by the Zero Day Initiative's Piotr Bazydło.
“While this vulnerability does require authentication, it allows any user with access to the Exchange PowerShell backend to take over an Exchange server,” he wrote. “I know applying Exchange patches isn’t fun and usually requires weekend downtime, but these updates should still be considered a priority.”
Sophos senior threat researcher Matt Wixey also pointed to CVE-2023-21809, a security feature bypass vulnerability in Microsoft Defender. “If successfully exploited, an attacker may be able to bypass the Windows Defender Attack Surface Reduction (ASR) blocking feature,” he wrote. “However, to exploit it, an attacker would need to trick a user into running malicious files.”
Critical Word Vulnerability
SANS dean of research Johannes B. Ullrich highlighted two additional flaws worth noting. The first, CVE-2023-21803, is a critical remote code execution vulnerability in the Windows iSCSI Discovery Service. “Likely not the most common issue to be patched this month, but something that may easily be missed,” he wrote. “This vulnerability, if exploited, could be used for lateral movement.”
The second, CVE-2023-21716, is a critical remote code execution flaw in Microsoft Word. “Word is always a great target as it offers a large attack surface,” Ullrich wrote. “No known exploit for this vulnerability, but its CVSS score of 9.8 will attract some attention. The rating of ‘critical’ implies that it is not necessary to open the document to trigger the vulnerability.”
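For administrators triaging this release, the following PowerShell script is an added example written for this article, not code from Microsoft or any of the researchers quoted above. It performs three quick exposure checks on a Windows host: whether any updates have landed since the 14 February 2023 release date, whether the iSCSI Discovery Service targeted by CVE-2023-21803 is present and running, and which Defender Attack Surface Reduction rules (the feature CVE-2023-21809 bypasses) are configured and in what mode. The release date, the `MSiSCSI` service name, and the ASR action codes (0 disabled, 1 block, 2 audit, 6 warn) are assumptions stated in the comments; the script needs an elevated session and the Defender cmdlets available on Windows 10/11 and Server 2016 or later.

```powershell
# Added triage script (not from the article or any vendor quoted in it).
# Assumptions: February 2023 Patch Tuesday shipped on 2023-02-14; the iSCSI
# Discovery Service runs as 'MSiSCSI'; Defender ASR action codes are
# 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn. Run elevated.

# 1. Has anything been installed since the February 2023 release?
$patchTuesday = Get-Date '2023-02-14'
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending
if ($recent) {
    "Updates installed on or after $($patchTuesday.ToShortDateString()):"
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning "No updates installed since $($patchTuesday.ToShortDateString()); the February fixes are probably missing."
}

# 2. iSCSI Discovery Service (CVE-2023-21803): present? running? start type?
$iscsi = Get-Service -Name 'MSiSCSI' -ErrorAction SilentlyContinue
if ($null -eq $iscsi) {
    "MSiSCSI service is not present on this host."
} else {
    "MSiSCSI service status: $($iscsi.Status), start type: $($iscsi.StartType)"
    if ($iscsi.Status -eq 'Running') {
        Write-Warning "iSCSI Discovery Service is running; confirm it is needed here and that the February update is applied."
    }
}

# 3. Defender ASR rules (CVE-2023-21809): which rules exist and in what mode?
$mp    = Get-MpPreference
$modes = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
if (-not $mp.AttackSurfaceReductionRules_Ids) {
    Write-Warning "No ASR rules are configured on this host."
} else {
    "Configured ASR rules (GUID  mode):"
    for ($i = 0; $i -lt $mp.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id   = $mp.AttackSurfaceReductionRules_Ids[$i]
        $code = [int]$mp.AttackSurfaceReductionRules_Actions[$i]
        $mode = if ($modes.ContainsKey($code)) { $modes[$code] } else { "Unknown($code)" }
        "{0}  {1}" -f $id, $mode
    }
}
```

Two caveats when reading the output. `Get-HotFix` only reports updates recorded by the Windows Update servicing stack, so Defender platform and engine updates, Office click-to-run updates, and Exchange cumulative updates will not appear; check those through their own channels. The ASR listing shows configuration only, and a rule in Audit mode records events but blocks nothing, so a bypass such as CVE-2023-21809 matters most on hosts where the relevant rules are in Block mode and are being relied on.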