Patch Tuesday: Three zero-days and nine 'Critical' RCE flaws fixed
Microsoft's February 2023 Patch Tuesday brings fixes for three actively exploited zero-day bugs, and nine "Critical" flaws out of a total of 79 vulnerabilities. Half of the total were remote code execution (RCE) bugs.
The three zero-days
The three zero-day flaws occur in Windows Graphics Component, Microsoft Office and Windows Common Log File System Driver.
"None is marked as publicly disclosed, but Microsoft has already observed in-the-wild exploitation of all three," noted Adam Barnett, lead software engineer at Rapid7.
The Windows Graphics Component RCE vulnerability is tracked as CVE-2023-21823. With a CVSS score of 7.8 out of 10, it's ranked as "Important". The bug allows an attacker to elevate their permissions to SYSTEM level. Microsoft Store will automatically apply fixes for affected customers, the company says, but those who have disabled automatic updates can install the fix manually.
A second zero-day is a security feature bypass vulnerability in Publisher in Microsoft Office, with a CVSS ranking of 7.3 (Important). CVE-2023-21715 could allow a specially crafted document to bypass Office macro policies that block untrusted files.
"An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer," according to Microsoft. Only Publisher installations delivered as part of Microsoft 365 Apps for Enterprise are listed as affected.
The third, tracked as CVE-2023-23376, is a Windows Common Log File System Driver elevation of privilege vulnerability, scoring 7.8/10 (important). Once again, it could allow an attacker to gain SYSTEM privileges.
"Although Microsoft isn't necessarily aware of mature exploit code at time of publication, this is worth patching at the first opportunity, since it affects essentially all current Windows hosts," said Barnett of Rapid7.
Nine critical vulnerabilities
The following nine vulnerabilities are classified as "Critical".
Microsoft PEAP is a secure implementation of Extensible Authentication Protocol (EAP) that provides encryption and authenticated Transport Layer Security (TLS) tunnel.
"CVE-2023-21692 and CVE-2023-21690 can be exploited by sending specially crafted malicious packets, whereas CVE-2023-21689 can be used to target server accounts through network calls to execute code remotely," said Ankit Malhotra, engineering manager at Qualys. "All three vulnerabilities do not require special privileges or user interaction."
Microsoft also released security updates for Microsoft Defender, Microsoft Exchange Server, Microsoft Dynamics, 3D Builder and Sharepoint, as well as patches from Adobe to fix Critical flaws in After Effects and Illustrator, and from Apple to patch a WebKit zero-day on iOS and macOS.