Update now! February’s Patch Tuesday tackles three zero-days
The Patch Tuesday roundup from Microsoft for February 2023 includes three zero-days. Not exactly what we had in mind for Valentine's Day.
Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. As far as we can tell, only two of the vulnerabilities were actually exploited in the wild.
The zero-days patched in these updates are:
Graphics component
CVE-2023-21823: A Windows Graphics Component remote code execution (RCE) vulnerability. An attacker who successfully exploited this vulnerability could execute commands with SYSTEM privileges.
It is important to note that this update comes from the Microsoft Store. Users who have disabled automatic updates for the Microsoft Store have to get the update through the Microsoft Store by following the guide titled Get updates for apps and games in Microsoft Store. Be sure to select the tab for the operating system installed on your device to search for updates.
The Microsoft update guide for this vulnerability specifically mentions OneNote for Android. At Malwarebytes, we've recently seen AsyncRAT campaigns using malicious OneNote (.one) attachments, so we hope to see that this update puts an end to that method of infection.
Microsoft Publisher
CVE-2023-21715: A Microsoft Publisher security features bypass vulnerability. An attacker who successfully exploited this vulnerability could bypass Office macro policies in Microsoft Publisher which are used to block untrusted or malicious files. The attack itself has to be carried out locally by a user with authentication to the targeted system. An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer.
Although that makes it sound hard to abuse, Microsoft says it has detected exploitation of this vulnerability.
Windows Common Log File System Driver
CVE-2023-23376: A Windows Common Log File System Driver elevation of privilege (EoP) vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. This means it can be very useful in a chain of vulnerabilities, but Microsoft gives no clues about any other vulnerabilities this EoP has been used in combination with.
Other patched vulnerabilities
Exchange Server: included are patches for three remote code execution flaws that are labelled as likely to be exploited. These vulnerabilities, listed as CVE-2023-21706, CVE-2023-21707, and CVE-2023-21529, all require authentication.
Microsoft Word: an RCE vulnerability listed as CVE-2023-21716 with a CVSS score of 9.8 out of 10. An unauthenticated attacker could send a malicious email containing a Rich Text Format (RTF) payload that would allow them to gain access to execute commands within the application used to open the malicious file.
Unpatched
Microsoft has also disclosed a vulnerability listed as CVE-2023-23378 in the end-of-life (EOL) application Print 3D. EOL is an expression commonly used by software vendors to indicate that a product or version of a product has reached the end of usefulness in the eyes of the vendor. Print 3D was deprecated along with Windows 10 version 1903.
Microsoft has confirmed that it will not release a patch to fix the vulnerability and that customers should update to the 3D Builder app.
Other vendors
Other vendors have synchronized their periodic updates with Microsoft. Here are a few major ones that you may find in your environment.
Adobe published security updates for several of its products.
Apple released information about the new security content of macOS Ventura 13.2.1 and of iOS 16.3.1 and iPadOS 16.3.1.
Atlassian published a FAQ for CVE-2023-22501, an authentication vulnerability in Jira Service Management Server and Data Center.
Cisco released security updates for several of its products.
Citrix has released security updates to address high-severity vulnerabilities (CVE-2023-24486, CVE-2023-24484, CVE-2023-24485, and CVE-2023-24483) in Citrix Workspace Apps, Virtual Apps and Desktops.
Google released security updates for Pixel.
Mozilla has released security advisories for Firefox 110 and Firefox ESR 102.8.
Fortra released a security update for the actively exploited GoAnywhere MFT zero-day flaw.
OpenSSH released details about version 9.2 which patches CVE-2023-25136.
SAP has released its February 2023 Patch Day updates.