After an unusually heavy patch load in January 2023, the number of fixes Microsoft rolled out yesterday is typical for February. Microsoft’s February Patch Tuesday fixes a total of 76 vulnerabilities, three of which are under active exploitation and therefore count as zero-day bugs.
Of the 76 vulnerabilities, nine are rated critical, while 66 are rated important, according to Trend Micro’s Zero Day Initiative. In terms of CVSS 3.1 ratings, five vulnerabilities scored 9.8, placing them in the critical severity category. Fifty-three flaws scored between 7 and 8.9, making them high severity; 17 vulnerabilities are medium severity (CVSS scores between 4 and 6.9), and one is low severity (CVSS score below 4).
Thirty-seven of the 76 vulnerabilities are remote code execution (RCE) flaws. Eleven are elevation of privilege (EoP) flaws, two each lead to security feature bypass (SFB) and spoofing, ten allow threat actors to carry out denial of service (DoS) attacks, eight enable information disclosure, and six are cross-site scripting (XSS) flaws.
“While this month’s Patch Tuesday update is smaller than the fixes released in January, the fact that three actively exploited Zero Days are being addressed, and that 12 of the bugs relate to the elevation of privileges, this means it’s still a pretty major update,” Mark Lamb, CEO of HighGround.io, told Spiceworks.
As with most Patch Tuesdays, admins who cannot apply every update at once because of the risk of breaking systems are advised to prioritize the zero-day fixes and the other critical patches first.
Richard Hollis, CEO of Risk Crew, cautioned Spiceworks, “The ‘critical’ patches addressing remote code execution alone are essential given the dramatic increase in work from home users. But the three addressing the zero-day CVEs are mission-critical in today’s threat landscape. Don’t leave work without getting these sorted.”
February Patch Tuesday — Zero Day Vulnerabilities
With a CVSS score of 7.8, CVE-2023-21823 is a high-severity flaw residing in the Windows Graphics Component. “CVE-2023-21823 shares similarities with previous vulnerabilities but targets a different component — the Windows Graphics system,” Mike Walters, VP of vulnerability and threat research at Action1, told Spiceworks.
“This vulnerability is relatively simple to exploit, utilizes local vectors, and requires low levels of access, with no need for user interaction. All Windows operating systems starting from Windows 7 are vulnerable to this issue. Microsoft has confirmed that the vulnerability is currently being exploited in the wild, but the proof of concept has not yet been made public.”
CVE-2023-21823 is an RCE flaw, but Microsoft lists its attack vector as local, meaning the exploit has to be run on the target system rather than delivered over the network. It has low attack complexity, requires low privileges, and needs no user interaction.
Like CVE-2023-21823, CVE-2023-23376 (CVSS score 7.8) has low attack complexity, requires low privileges, and needs no user interaction. It is an EoP flaw in the Windows Common Log File System (CLFS) driver.
Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, noted that CVE-2023-23376 is being chained with an RCE bug to deploy malware or ransomware. It affects Windows 10 and 11 as well as Windows Server 2008, 2012, 2016, 2019, and 2022.
“Identified by the Microsoft Threat Intelligence Center, this vulnerability leverages existing system access to exploit a device actively and is a result of how the CLFS driver interacts with objects in memory on a system,” noted Peter Pflaster, Automox’s product marketing manager.
“To exploit this vulnerability successfully, a bad actor would need to log in and then execute a maliciously crafted binary to elevate the privilege level. An attacker who successfully exploits this vulnerability could then gain system privileges.”
CVE-2023-21715 (CVSS score 7.3) is an SFB bug in Microsoft Office. It has low attack complexity and requires low privileges, but it does require user interaction.
“Successful exploitation of CVE-2023-21715 allows an attacker to bypass Office macro defenses using a specially-crafted document and run code which would otherwise be blocked by policy. Only Publisher installations delivered as part of Microsoft 365 Apps for Enterprise are listed as affected,” experts at Rapid7 wrote in a blog post.
Other Critical Vulnerabilities From February Patch Tuesday
Ankit Malhotra, engineering manager at Qualys, added, “Two notable areas that security professionals should look at are CVE-2023-21718 — this is a Microsoft SQL ODBC Driver Remote Code Execution Vulnerability — and the CVEs around .NET / Visual Studio Remote Code Execution Vulnerabilities (CVE-2023-21808, CVE-2023-21815, CVE-2023-23381).”
|CVE|Exists In|CVSS Score|Type|
|---|---|---|---|
|CVE-2023-21689|Microsoft Protected Extensible Authentication Protocol (PEAP)|9.8||
||Microsoft Protected Extensible Authentication Protocol (PEAP)|9.8|RCE|
|CVE-2023-21692|Protected Extensible Authentication Protocol (PEAP)|9.8||
|CVE-2023-21803|Windows iSCSI Discovery Service|9.8||
||.NET and Visual Studio|8.4|RCE|
|CVE-2023-21718|Microsoft SQL ODBC Driver|7.8|RCE|
||Visual Studio Code|8.4||
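The article's triage advice (patch the actively exploited zero-days first, then the critical-rated bugs, if everything cannot go out at once) and its CVSS 3.1 severity bands, worked through as an added Python example that is not part of the original article or any vendor tool. The sample list is constructed from the CVEs, components and scores quoted on this page; the exploited flags follow the article's zero-day list, and the three-wave split is an assumed scheduling policy, not something the article prescribes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    cve: str
    component: str
    cvss: float       # CVSS 3.1 base score as reported in the article
    exploited: bool   # True when Microsoft confirms in-the-wild exploitation


# Constructed sample built from values quoted in this article (assumption: not a
# vendor feed, and not the complete 76-bug release).
FEB_2023_SAMPLE = [
    Patch("CVE-2023-21823", "Windows Graphics Component", 7.8, True),
    Patch("CVE-2023-23376", "Windows Common Log File System Driver", 7.8, True),
    Patch("CVE-2023-21715", "Microsoft Office (Publisher)", 7.3, True),
    Patch("CVE-2023-21689", "Protected Extensible Authentication Protocol (PEAP)", 9.8, False),
    Patch("CVE-2023-21692", "Protected Extensible Authentication Protocol (PEAP)", 9.8, False),
    Patch("CVE-2023-21803", "Windows iSCSI Discovery Service", 9.8, False),
    Patch("CVE-2023-21718", "Microsoft SQL ODBC Driver", 7.8, False),
]


def severity_band(cvss: float) -> str:
    """Map a CVSS 3.1 base score to the qualitative band the article uses."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def triage(patches):
    """Order patches: actively exploited first, then by descending CVSS score.

    The CVE id is the final tie-breaker so the output is deterministic when
    several bugs share a score (as the two 7.8 zero-days do here).
    """
    return sorted(patches, key=lambda p: (not p.exploited, -p.cvss, p.cve))


def deployment_waves(patches):
    """Split the triaged list into rollout waves (assumed policy):

    wave 1: anything exploited in the wild, regardless of score
    wave 2: remaining bugs in the CVSS 'critical' band
    wave 3: everything else
    """
    waves = {"1-exploited": [], "2-critical": [], "3-remaining": []}
    for p in triage(patches):
        if p.exploited:
            waves["1-exploited"].append(p.cve)
        elif severity_band(p.cvss) == "critical":
            waves["2-critical"].append(p.cve)
        else:
            waves["3-remaining"].append(p.cve)
    return waves


if __name__ == "__main__":
    for wave, cves in deployment_waves(FEB_2023_SAMPLE).items():
        print(f"{wave}: {', '.join(cves)}")
```

Note that the exploited-first rule deliberately puts the three 7.x zero-days ahead of the 9.8 PEAP and iSCSI bugs: an in-the-wild exploit is a more immediate risk than a higher theoretical score, which is the point the article's commentators make.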
Lamb highlighted the importance of the Microsoft Autopatch release last year. He told Spiceworks, “Fortunately for many organisations, Patch Tuesday can go by without many hitches because of the auto patch feature. This makes it significantly easier to apply the updates and firmly closes the door on what was otherwise known as ‘Exploit Wednesday’.”
“For organisations that can take advantage of Autopatch but haven’t enabled the feature yet, it is advised to do so now. The feature will alleviate a massive burden off over-stretched IT teams and will help keep systems secure and up to date.”