Microsoft Patch Tuesday, February 2023 Version – Krebs on Safety

Microsoft is sending the world an entire bunch of affection right now, within the type of patches to plug dozens of safety holes in its Home windows working methods and different software program. This 12 months’s particular Valentine’s Day Patch Tuesday consists of fixes for a whopping three totally different “zero-day” vulnerabilities which might be already being utilized in energetic assaults.

Microsoft’s safety advisories are considerably sparse with particulars in regards to the zero-day bugs. Redmond flags CVE-2023-23376 as an “Necessary” elevation of privilege vulnerability within the Home windows Frequent Log File System Driver, which is current in Home windows 10 and 11 methods, in addition to many server variations of Home windows.

“Sadly, there’s just a bit stable details about this privilege escalation,” stated Dustin Childs, head of menace consciousness at Development Micro’s Zero Day Initiative. “Microsoft does observe that the vulnerability would permit an attacker to take advantage of code as SYSTEM, which might permit them to fully take over a goal. That is probably being chained with a distant code execution bug to unfold malware or ransomware. Contemplating this was found by Microsoft’s Menace Intelligence Middle, it may imply it was utilized by superior menace actors. Both approach, be sure to take a look at and roll these fixes rapidly.”

The zero-day CVE-2023-21715 is a weak point in Microsoft Workplace that Redmond describes as a “safety function bypass vulnerability.”

“Microsoft lists this as beneath energetic exploit, however they provide no information on how widespread these exploits could also be,” Childs stated. “Primarily based on the write-up, it sounds extra like a privilege escalation than a safety function bypass, however regardless, energetic assaults in a typical enterprise software shouldn’t be ignored. It’s at all times alarming when a safety function isn’t just bypassed however exploited. Let’s hope the repair comprehensively addresses the issue.”

The third zero-day flaw already seeing exploitation is CVE-2023-21823, which is one other elevation of privilege weak point — this one within the Microsoft Home windows Graphic element. Researchers at cybersecurity forensics agency Mandiant have been credited with reporting the bug.

Kevin Breen, director of cyber menace analysis at Immersive Labs, identified that the safety bulletin for CVE-2023-21823 particularly calls out OneNote as being a susceptible element for the vulnerability.

“In current weeks, now we have seen a rise in using OneNote information as a part of targeted malware campaigns,” Breen stated. “Patches for this are delivered through the app shops and never by means of the standard codecs, so it’s essential to double verify your group’s insurance policies.”

Microsoft fastened one other Workplace vulnerability in CVE-2023-21716, which is a Microsoft Phrase bug that may result in distant code execution — even when a booby-trapped Phrase doc is merely seen within the preview pane of Microsoft Outlook. This safety gap has a CVSS (severity) rating of 9.8 out of a doable 10.

Microsoft additionally has extra valentines for organizations that depend on Microsoft Change Server to deal with e-mail. Redmond patched three Change Server flaws (CVE-2023-21706, CVE-2023-21707, and CVE-2023-21529), all of which Microsoft says are distant code execution flaws which might be prone to be exploited.

Microsoft stated authentication is required to take advantage of these bugs, however then once more menace teams that assault Change vulnerabilities additionally are inclined to phish targets for his or her Change credentials.

Microsoft isn’t alone in dropping fixes for scary, ill-described zero-day flaws. Apple on Feb. 13 launched an replace for iOS that resolves a zero-day vulnerability in Webkit, Apple’s open supply browser engine. Johannes Ullrich on the SANS Web Storm Middle notes that along with the WebKit drawback, Apple fastened a privilege escalation situation. Each flaws are fastened in iOS 16.3.1.

“This privilege escalation situation might be used to flee the browser sandbox and acquire full system entry after executing code through the WebKit vulnerability,” Ullrich warned.

On a lighter observe (hopefully), Microsoft drove the ultimate nail within the coffin for Web Explorer 11 (IE11). In accordance with Redmond, the out-of-support IE11 desktop software was completely disabled on sure variations of Home windows 10 on February 14, 2023 by means of a Microsoft Edge replace.

“All remaining shopper and business gadgets that weren’t already redirected from IE11 to Microsoft Edge have been redirected with the Microsoft Edge replace. Customers will probably be unable to reverse the change,” Microsoft explained. “Moreover, redirection from IE11 to Microsoft Edge will probably be included as a part of all future Microsoft Edge updates. IE11 visible references, such because the IE11 icons on the Begin Menu and taskbar, will probably be eliminated by the June 2023 Home windows safety replace (“B” launch) scheduled for June 13, 2023.”

For a extra granular rundown on the updates launched right now, see the SANS Internet Storm Center roundup. If right now’s updates trigger any stability or usability points in Home windows, will probably have the lowdown on that.

Please take into account backing up your knowledge and/or imaging your system earlier than making use of any updates. And be happy to pontificate within the feedback if you happen to expertise any issues on account of these patches.