Feb 15, 2023, by Ravie Lakshmanan
Microsoft on Tuesday released security updates[1]
to address 75 flaws spanning its product portfolio, three of which
have come under active exploitation in the wild.
The updates are in addition to 22 flaws the Windows maker
patched[2]
in its Chromium-based Edge browser over the past month.
Of the 75 vulnerabilities, nine are rated Critical and 66 are
rated Important in severity. 37 out of 75 bugs are classified as
remote code execution (RCE) flaws. The three zero-days of note that
have been exploited are as follows –
- CVE-2023-21715[3] (CVSS score: 7.3) – Microsoft Office Security Feature Bypass Vulnerability
- CVE-2023-21823[4] (CVSS score: 7.8) – Windows Graphics Component Elevation of Privilege Vulnerability
- CVE-2023-23376[5] (CVSS score: 7.8) – Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability
“The attack itself is carried out locally by a user with
authentication to the targeted system,” Microsoft said in its advisory
for CVE-2023-21715.
“An authenticated attacker could exploit the vulnerability by
convincing a victim, through social engineering, to download and
open a specially crafted file from a website which could lead to a
local attack on the victim computer.”
Successful exploitation of the above flaws could enable an
adversary to bypass Office macro policies used to block untrusted
or malicious files or gain SYSTEM privileges.
CVE-2023-23376 is also the third actively exploited zero-day
flaw in the CLFS component after CVE-2022-24521[6]
and CVE-2022-37969[7]
(CVSS scores: 7.8), which were addressed by Microsoft in April and
September 2022.
“The Windows Common Log File System Driver is a component of the
Windows operating system that manages and maintains a
high-performance, transaction-based log file system,” Immersive
Labs’ Nikolas Cemerikic said.
“It is an essential component of the Windows operating system,
and any vulnerabilities in this driver could have significant
implications for the security and reliability of the system.”
It’s worth noting that Microsoft OneNote for Android is
vulnerable to CVE-2023-21823, and with the note-taking service
increasingly emerging as a conduit for delivering malware[8], it’s crucial that users
apply the fixes.
Also addressed by Microsoft are multiple RCE defects in Exchange
Server, ODBC Driver, PostScript Printer Driver, and SQL Server as
well as denial-of-service (DoS) issues impacting Windows iSCSI
Service and Windows Secure Channel.
Three of the Exchange Server flaws are classified by the company
as “Exploitation More Likely,” although successful exploitation
requires the attacker to be already authenticated.
Exchange servers have proven[9]
to be high-value targets[10] in recent years as they
can enable unauthorized access to sensitive information, or
facilitate Business Email Compromise (BEC) attacks.
Software Patches from Other Vendors
Besides Microsoft, security updates have also been released by
other vendors over the past few weeks to rectify several
vulnerabilities, including —
References
- [1] security updates (msrc.microsoft.com)
- [2] patched (learn.microsoft.com)
- [3] CVE-2023-21715 (msrc.microsoft.com)
- [4] CVE-2023-21823 (msrc.microsoft.com)
- [5] CVE-2023-23376 (msrc.microsoft.com)
- [6] CVE-2022-24521 (thehackernews.com)
- [7] CVE-2022-37969 (thehackernews.com)
- [8] conduit for delivering malware (thehackernews.com)
- [9] proven (thehackernews.com)
- [10] high-value targets (www.tenable.com)
- [11] Twitter (twitter.com)
- [12] LinkedIn (www.linkedin.com)
Read more https://thehackernews.com/2023/02/update-now-microsoft-releases-patches.html