freshidea - stock.adobe.com

Microsoft fixes three zero-days in February update

February’s Patch Tuesday update contains fixes for three previously unpublicised zero-days in Microsoft Office, Windows Graphics Component and Windows Common Log File System Driver

Microsoft has issued fixes for a total of 75 newly discovered common vulnerabilities and exposures (CVEs) in its February 2023 Patch Tuesday update, including three zero-day vulnerabilities that, while they have not previously been made public, should be prioritised for patching.

The three zero-days have all been designated of important severity, and carry CVS scores of 7.3, 7.8 and 7.8 respectively. They are all known to be exploited in the wild.

They are tracked as follows:

  • CVE-2023-21715, a security feature bypass vulnerability in Microsoft Publisher which could let an attacker bypass Office macro defences using a specially crafted document to run code that would otherwise be blocked. However, this can only be done by a local, authenticated user, and it affects only Publisher installations that are part of the wider Microsoft 365 Apps for Enterprise package.
  • CVE-2023-21823, a joint elevation of privilege (EoP) and remote code execution (RCE) vulnerability in Windows Graphics Component, which enables an attacker to gain system-level privileges. It affects Windows 10 and Server 2008 and later editions, as well as Microsoft Office for iOS, Android and Universal – in these three latter instances, it can lead to RCE, hence its dual nature.
  • And CVE-2023-23376, another EoP vulnerability in Windows Common Log File System Driver that again enables local privilege escalation to system-level. There does not appear to be any mature exploit code that Microsoft is aware of, however it does warrant a swift fix because it affects the vast majority of Windows hosts.

Chris Goettl, vice-president of security products at Ivanti, said the fact that the exploited vulnerabilities were all rated as being of lower severity than many of the other squashed bugs should be a valuable lesson for security teams as they go about shoring up their defences.

“Organisations are urged to expand their prioritisation beyond just vendor severity and CVSS score alone,” said Goettl, “as many exploited vulnerabilities will be less than Critical or CVSS 8.0. This emphasises the urgent need to utilise risk-based prioritisation methods in your vulnerability management programme.”  

Critical bugs

The full drop also address nine critical CVEs, all leading to remote code execution, and their CVSS scores range from 7.8 to 9.8. These are:

Running the rule over the listed critical bugs, Dustin Childs of Trend Micro’s Zero Day Initiative programme, said that the PEAP vulnerabilities may prove less impactful as the protocol is being used less and less, but that of rather more concern is the iSCSI Discovery Service issue.

“Datacentres with storage area networks (SANs) should definitely check with their vendors to see if their SAN is impacted by the RCE vulnerability,” wrote Childs.

He said the SQL ODBC driver vulnerability, which he assessed may have a “somewhat unlikely” exploit chain associated with it, but which still warrants attention to ensure security teams get the right fix for the right edition of SQL Server. Finally, he said, the three patches covering .NET and Visual Studio seemed at face value to be simple “open-and-own” bugs, but details are thin on the ground.

Childs also noted that the full February update is slightly unusual in that fully half of the bugs patched are RCE vulnerabilities.

Adam Barnett, lead software engineer at Rapid7, noted that following the end of support for Windows 8.1 – the January 2023 update was the last to cover it – security teams still running it should be on their guard moving forward.

“This is the first Patch Tuesday after the end of Extended Security Updates (ESU) for Windows 8.1. Admins responsible for Windows Server 2008 instances should note that ESU for Windows Server 2008 is now only available for instances hosted in Azure or on-premises instances hosted via Azure Stack,” he said.

“Instances of Windows Server 2008 hosted in a non-Azure context will no longer receive security updates, so will forever remain vulnerable to any new vulnerabilities, including the two zero-days covered above.”

Read more about Patch Tuesday

  • On the first Patch Tuesday of 2023, Microsoft fixed an elevation of privilege vulnerability in Windows Advanced Local Procedure Call, which has been actively exploited in the wild and may be co-opted into ransomware campaigns.
  • December’s Patch Tuesday is typically a light month for Microsoft, and this year proved no exception, but there are still several critical issues worth addressing, and two zero-days for defenders to pore over.
  • November’s Patch Tuesday fixes significantly fewer vulnerabilities of late, but includes six actively exploited zero-days, three of them of critical severity.

Read more on Application security and coding requirements