freshidea – stock.adobe.com
February’s Patch Tuesday update contains fixes for three previously unpublicised zero-days in Microsoft Office, Windows Graphics Component and Windows Common Log File System Driver
Microsoft has issued fixes for a total of 75 newly discovered common vulnerabilities and exposures (CVEs) in its February 2023 Patch Tuesday update, including three zero-day vulnerabilities that, while they have not previously been made public, should be prioritised for patching.
The three zero-days have all been designated of important severity, and carry CVS scores of 7.3, 7.8 and 7.8 respectively. They are all known to be exploited in the wild.
They are tracked as follows:
- CVE-2023-21715a security feature bypass vulnerability in Microsoft Publisher which could let an attacker bypass Office macro defences using a specially crafted document to run code that would otherwise be blocked. However, this can only be done by a local, authenticated user, and it affects only Publisher installations that are part of the wider Microsoft 365 Apps for Enterprise package.
- CVE-2023-21823a joint elevation of privilege (EoP) and remote code execution (RCE) vulnerability in Windows Graphics Component, which enables an attacker to gain system-level privileges. It affects Windows 10 and Server 2008 and later editions, as well as Microsoft Office for iOS, Android and Universal – in these three latter instances, it can lead to RCE, hence its dual nature.
- And CVE-2023-23376another EoP vulnerability in Windows Common Log File System Driver that again enables local privilege escalation to system-level. There does not appear to be any mature exploit code that Microsoft is aware of, however it does warrant a swift fix because it affects the vast majority of Windows hosts.
Chris Goettl, vice-president of security products at Ivantisaid the fact that the exploited vulnerabilities were all rated as being of lower severity than many of the other squashed bugs should be a valuable lesson for security teams as they go about shoring up their defences.
“Organisations are urged to expand their prioritisation beyond just vendor severity and CVSS score alone,” said Goettl, “as many exploited vulnerabilities will be less than Critical or CVSS 8.0. This emphasises the urgent need to utilise risk-based prioritisation methods in your vulnerability management programme.”
Critical bugs
The full drop also address nine critical CVEs, all leading to remote code execution, and their CVSS scores range from 7.8 to 9.8. These are:
- CVE-2023-21689 in Microsoft Protected Extensible Authentication Protocol (PEAP);
- CVE-2023-21690also in PEAP;
- CVE-2023-21692also in PEAP;
- CVE-2023-21716 in Microsoft Word;
- CVE-2023-21718 in Microsoft SQL ODBC Driver;
- CVE-2023-21803 in Windows iSCSI Discovery Service;
- CVE-2023-21808 in .NET and Visual Studio;
- CVE-2023-21815 in Visual Studio;
- And CVE-2023-23381also in Visual Studio.
Running the rule over the listed critical bugs, Dustin Childs of Trend Micro’s Zero Day Initiative programme, said that the PEAP vulnerabilities may prove less impactful as the protocol is being used less and less, but that of rather more concern is the iSCSI Discovery Service issue.
“Datacentres with storage area networks (SANs) should definitely check with their vendors to see if their SAN is impacted by the RCE vulnerability,” wrote Childs.
He said the SQL ODBC driver vulnerability, which he assessed may have a “somewhat unlikely” exploit chain associated with it, but which still warrants attention to ensure security teams get the right fix for the right edition of SQL Server. Finally, he said, the three patches covering .NET and Visual Studio seemed at face value to be simple “open-and-own” bugs, but details are thin on the ground.
Childs also noted that the full February update is slightly unusual in that fully half of the bugs patched are RCE vulnerabilities.
Adam Barnett, lead software engineer at Rapid7noted that following the end of support for Windows 8.1 – the January 2023 update was the last to cover it – security teams still running it should be on their guard moving forward.
“This is the first Patch Tuesday after the end of Extended Security Updates (ESU) for Windows 8.1. Admins responsible for Windows Server 2008 instances should note that ESU for Windows Server 2008 is now only available for instances hosted in Azure or on-premises instances hosted via Azure Stack,” he said.
“Instances of Windows Server 2008 hosted in a non-Azure context will no longer receive security updates, so will forever remain vulnerable to any new vulnerabilities, including the two zero-days covered above.”