Major Windows Security Update Patches 3 Confirmed Zero-Day Threats

Microsoft has just released a major security update in the form of the perfect Valentine’s Day gift for Windows users. Patch Tuesday fell on February 14th and we all know how much cybercriminals love Windows vulnerabilities. This new security update applies fixes to a total of 76 security holes, including seven classified as critical and three zero-day vulnerabilities that Microsoft says have already been exploited in the wild. The complete list can be found in the latest Microsoft Security Update Guide.

Windows users get a nasty surprise

Patch Tuesday usually contains one or two nasty surprises, but this month there are three.

Unfortunately, they come in the form of vulnerabilities that are known to be exploited in the wild. Of those zero-days, two directly impact Windows 10 and Windows 11 users, as well as most versions of Windows Server from 2008 onwards. The third directly impacts Microsoft Publisher users, with a successful attack that can lead to the attacker taking control of the computer. As is customary under these circumstances, Microsoft has published few technical details about these zero-day threats (more will follow once all users have had the opportunity to apply updates), but here’s what we do know.

CVE-2023-21823: A zero-day Windows remote code execution

CVE-2023-21823 is probably the most serious of the three zero-days. Not only does it affect Windows 10 and 11 users, as well as most Windows Server versions from 2008 onwards, but it is also a remote code execution (RCE) vulnerability, meaning an attacker can get code of their own choosing to run on your machine. Microsoft says a successful exploit means an attacker “can gain SYSTEM privileges”. Aside from that, all we know right now is that the vulnerability is in the Windows Graphics Component.

“This vulnerability is relatively simple to exploit, uses local vectors, and requires low levels of access,” said Mike Walters, Vice President of Vulnerability and Threat Research at Action1, “with no user interaction required.”

The really critical takeaway here is that this is one of those patches that doesn’t get rolled out through Windows Update, but rather through the Microsoft Store. So if you’ve turned off automatic Microsoft Store updates, they won’t install. “It’s crucial to install the necessary updates as soon as possible,” confirmed Walters.
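As an added check that is not part of the original article, the following PowerShell snippet reports whether Microsoft Store automatic updates have been switched off by policy and lists any Windows updates still pending, so an administrator can confirm that both delivery channels are open before assuming the fixes are in place. It assumes the standard Group Policy registry location for the Store setting (where an AutoDownload value of 2 means “Turn off Automatic Download and Install of updates” is enabled) and uses the Windows Update Agent COM API; run it from an elevated PowerShell session.

```powershell
# Added example: check the two update channels discussed above.
# Assumption: the Store policy lives under the standard WindowsStore policy key,
# where AutoDownload = 2 means automatic Store updates are turned off by policy,
# 4 means they are explicitly allowed, and no value means the Store app setting applies.
$storePolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
$autoDownload = (Get-ItemProperty -Path $storePolicy -Name AutoDownload -ErrorAction SilentlyContinue).AutoDownload

switch ($autoDownload) {
    2       { Write-Warning 'Microsoft Store automatic updates are DISABLED by policy; Store-delivered fixes will not install on their own.' }
    4       { Write-Host 'Microsoft Store automatic updates are enabled by policy.' }
    default { Write-Host 'No Store auto-update policy set; the setting inside the Microsoft Store app applies.' }
}

# Pending Windows Update items, via the Windows Update Agent COM API.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

if ($result.Updates.Count -eq 0) {
    Write-Host 'No pending Windows updates.'
} else {
    Write-Host "Pending Windows updates: $($result.Updates.Count)"
    foreach ($u in $result.Updates) {
        # Each update may carry one or more KB article numbers.
        $kbs = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', '
        '{0}  {1}' -f $kbs, $u.Title
    }
}

# Recently installed hotfixes, to confirm that a patch actually landed.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn, Description
```

Note that a fix delivered through the Microsoft Store will not appear in the Windows Update pending list at all, so if the policy check above reports automatic Store updates as disabled, the manual route is the Store app’s Library page and its “Get updates” button.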


CVE-2023-23376: A Windows zero-day elevation of privilege

CVE-2023-23376 affects virtually the same user base as CVE-2023-21823, but instead of being an RCE, it is an elevation of privilege (EoP) vulnerability. If successfully exploited, this type of vulnerability typically allows an attacker who already has ordinary user access to escalate their privileges up to SYSTEM level. According to the Microsoft Security Response Center update guide, CVE-2023-23376, a vulnerability in the Windows Common Log File System (CLFS) driver, could do just that.

“This vulnerability is relatively simple to exploit and uses local vectors,” said Walters, “requiring only low levels of access and no user interaction.”

CVE-2023-21715: A Microsoft Publisher security feature bypass zero-day

CVE-2023-21715 is an issue for Microsoft Publisher users. It allows an attacker to bypass an Office security feature, specifically the policy that blocks potentially malicious Office macros from running. If successful, the attacker could have those macros run in a document without any warning being shown to the user.

It’s a big security update

While this month’s Patch Tuesday update is smaller than the one released in January, Mark Lamb, CEO of HighGround.io, said: “The fact that three actively exploited zero-days are being fixed and that 12 of the bugs are related to elevation of privilege means it’s still a pretty important update.” Lamb advises organizations that are able to enable Auto Patch to do so as soon as possible. Auto Patch will, Lamb said, “lighten a huge load on teams [and] help keep systems secure and up to date.”

Meanwhile, Risk Crew CEO Richard Hollis called the new security update crucial and overdue. “The critical patches that only address remote code execution are critical given the dramatic increase in users working from home,” warned Hollis, “but the three that address zero-day CVEs are essential in today’s threat landscape. Don’t quit work without getting these installed.”

All users should be aware of this Windows update and apply it as soon as possible to protect themselves from the applicable zero-days and the other critical and important vulnerabilities it fixes.
