9 New Microsoft Bugs to Patch Now
78 new CVEs patched in this month’s batch — nearly half of which are remotely executable and three of which attackers already are exploiting.
Microsoft has issued fixes for three zero-day bugs that attackers currently are actively exploiting in the wild.
One of them, tracked as CVE-2023-21715, is a security feature bypass vulnerability in Microsoft Office that gives attackers a way to bypass Office macro policies for blocking untrusted files and content. The second is an elevation-of-privilege vulnerability in Windows Common Log File System Driver (CVE-2023-23376), which allows an attacker to gain system-level privileges. The third is CVE-2023-21823, a remote code execution (RCE) bug in the Windows Graphics Component which also enables an attacker to gain system-level access.
The Zero-Day Trio
The three zero-day vulnerabilities were part of a substantially larger set of 78 new CVEs that Microsoft disclosed in its monthly security update Tuesday. The company assessed nine of these flaws as being of “critical” severity and 66 as presenting an “important” threat to organizations.
Nearly half the vulnerabilities (38) that Microsoft disclosed this month were remote code execution (RCE) bugs — a category of flaws that security researchers consider especially serious. Elevation-of-privilege bugs represented the next highest category, followed by denial-of-service flaws and spoofing vulnerabilities.
Dustin Childs, head of threat awareness at Trend Micro’s ZDI, which reported eight of the vulnerabilities in this month’s update, says all the bugs that are under active attack represent a critical risk because threat actors are already using them.
“The Graphics Component bug (CVE-2023-21823) makes me worry on two accounts,” he says. “Since this was found by Mandiant, it was likely discovered by a team working an incident response,” Childs says. That means it’s unclear how long threat actors might have been using it. Also worrisome is that the update is available through the Microsoft store, he notes.
“People who are either disconnected or otherwise blocked from the store will need to manually apply the update,” he says.
Childs says that based on Microsoft’s description of CVE-2023-21715, the security feature bypass vulnerability in Microsoft Office sounds more like an elevation-of-privilege issue. “It’s always alarming when a security feature is not just bypassed but exploited. Let’s hope the fix comprehensively addresses the problem.”
Ultimately, all three bugs that attackers are actively exploiting are of concern. But a threat actor would still need to use each of these bugs in combination with some form of a code execution bug to take over a system, Childs says.
Automox recommends that organizations using Microsoft 365 Applications for Enterprise patch CVE-2023-21715 within 24 hours. “This vulnerability is an actively exploited zero-day that allows attackers to craft a file to bypass Office security features,” Automox said in a blog post. It allows attackers to “potentially execute malicious code on end-user devices if they can coerce users to download and open files on vulnerable devices via social engineering.”
New Exchange Server Threats
Satnam Narang, senior staff research engineer at Tenable, highlighted three Microsoft Exchange Server vulnerabilities (CVE-2023-21706, CVE-2023-21707, CVE-2023-21529) as issues that organizations should note because Microsoft has identified them as flaws that attackers are more likely to exploit.
“Over the last few years, Microsoft Exchange Servers around the world have been pummeled by multiple vulnerabilities, from ProxyLogon to ProxyShell, to more recently ProxyNotShell, OWASSRF and TabShell,” Narang said in a statement.
Exchange flaws have become valuable commodities for state-sponsored threat actors in recent years, he said. “We strongly suggest organizations that rely on Microsoft Exchange Server to ensure they’ve applied the latest Cumulative Updates for Exchange Server.”
RCE Bugs in Microsoft PEAP
Researchers at Cisco’s Talos threat intelligence group, meanwhile, pointed to three RCE bugs in Microsoft Protected Extensible Authentication Protocol (PEAP) as being among the most critical bugs in Microsoft’s security update for February 2023.
The flaws, tracked as CVE-2023-21689, CVE-2023-21690 and CVE-2023-21692, allow an authenticated attacker to attempt to trigger malicious code in the context of the server’s account.
“Almost all Windows versions are vulnerable, including the latest Windows 11,” the company said in a statement.
CVE-2023-21689 — one of the three critical vulnerabilities in PEAP — allows attackers to get server accounts to trigger malicious code via a network call, according to Automox.
“Since this vulnerability is very likely to be targeted and is relatively simple for attackers to exploit, we recommend patching or ensuring that PEAP is not configured as an allowed EAP type in your network policy,” the company said in its post. Affected organizations — those that have Windows clients with Network Policy Server running and have a policy that allows PEAP — should patch the flaw within 72 hours, Automox advised.
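The prioritization the researchers above describe (exploited-in-the-wild first, then "exploitation more likely" RCE bugs on products you actually run, then the rest) is easy to turn into a repeatable triage step over Microsoft's monthly feed. The script below is an added example and is not code from the article or from any of the vendors quoted. It works on a constructed sample shaped like the MSRC CVRF JSON `Vulnerability` entries; the assumption that `Threats` entries use `Type` 1 for severity and `Type` 3 for the exploit-status string, the `Environment` class, and the one-week window for Critical bugs are the example's own, while the 24-hour and 72-hour windows and the "skip PEAP unless NPS allows it" rule come from the Automox guidance quoted in the article. Severities in the sample are illustrative except where the article states them.

```python
"""Patch Tuesday triage over a CVRF-style vulnerability feed (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample in the shape of MSRC CVRF JSON "Vulnerability" entries.
# CVE ids, titles and exploit status come from the article; severities marked
# "illustrative" are not stated there. Assumption: Threats Type 0 = Impact,
# Type 1 = Severity, Type 3 = Exploit Status (one entry each, simplified).
SAMPLE_FEED = {"Vulnerability": [
    {"CVE": "CVE-2023-21715",
     "Title": {"Value": "Microsoft Publisher Security Features Bypass Vulnerability"},
     "Threats": [{"Type": 0, "Description": {"Value": "Security Feature Bypass"}},
                 {"Type": 1, "Description": {"Value": "Important"}},  # illustrative
                 {"Type": 3, "Description": {"Value": "Publicly Disclosed:No;Exploited:Yes;Latest Software Release:Exploitation Detected"}}]},
    {"CVE": "CVE-2023-23376",
     "Title": {"Value": "Windows Common Log File System Driver Elevation of Privilege Vulnerability"},
     "Threats": [{"Type": 0, "Description": {"Value": "Elevation of Privilege"}},
                 {"Type": 1, "Description": {"Value": "Important"}},  # illustrative
                 {"Type": 3, "Description": {"Value": "Publicly Disclosed:No;Exploited:Yes;Latest Software Release:Exploitation Detected"}}]},
    {"CVE": "CVE-2023-21823",
     "Title": {"Value": "Windows Graphics Component Remote Code Execution Vulnerability"},
     "Threats": [{"Type": 0, "Description": {"Value": "Remote Code Execution"}},
                 {"Type": 1, "Description": {"Value": "Important"}},  # illustrative
                 {"Type": 3, "Description": {"Value": "Publicly Disclosed:No;Exploited:Yes;Latest Software Release:Exploitation Detected"}}]},
    {"CVE": "CVE-2023-21706",
     "Title": {"Value": "Microsoft Exchange Server Remote Code Execution Vulnerability"},
     "Threats": [{"Type": 0, "Description": {"Value": "Remote Code Execution"}},
                 {"Type": 1, "Description": {"Value": "Important"}},  # illustrative
                 {"Type": 3, "Description": {"Value": "Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation More Likely"}}]},
    {"CVE": "CVE-2023-21689",
     "Title": {"Value": "Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability"},
     "Threats": [{"Type": 0, "Description": {"Value": "Remote Code Execution"}},
                 {"Type": 1, "Description": {"Value": "Critical"}},
                 {"Type": 3, "Description": {"Value": "Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation More Likely"}}]},
]}


@dataclass
class Finding:
    cve: str
    title: str
    impact: str
    severity: str
    exploited: bool
    more_likely: bool


@dataclass
class Environment:
    """Hypothetical inventory: product keywords matched against titles, plus
    whether any Network Policy Server allows PEAP as an EAP type."""
    products: frozenset
    nps_allows_peap: bool = False


def parse_feed(feed: dict) -> list[Finding]:
    """Flatten CVRF-style entries into Finding records."""
    findings = []
    for v in feed["Vulnerability"]:
        impact = severity = ""
        status = {}
        for t in v.get("Threats", []):
            val = t["Description"]["Value"]
            if t["Type"] == 0:
                impact = val
            elif t["Type"] == 1:
                severity = val
            elif t["Type"] == 3:
                # "Key:Value;Key:Value" string -> dict
                for part in val.split(";"):
                    key, _, value = part.partition(":")
                    status[key.strip()] = value.strip()
        findings.append(Finding(
            cve=v["CVE"], title=v["Title"]["Value"], impact=impact, severity=severity,
            exploited=status.get("Exploited") == "Yes",
            more_likely="More Likely" in status.get("Latest Software Release", "")))
    return findings


def applies(f: Finding, env: Environment) -> bool:
    """PEAP bugs only matter where NPS allows PEAP; everything else by product."""
    if "PEAP" in f.title:
        return env.nps_allows_peap
    return any(p.lower() in f.title.lower() for p in env.products)


def priority(f: Finding, env: Environment) -> tuple:
    """Return (tier, deadline_hours, reason); lower tier is more urgent."""
    if not applies(f, env):
        return (9, None, "product not deployed")
    if f.exploited:
        return (0, 24, "exploited in the wild (24-hour window, per Automox)")
    if f.more_likely and f.impact == "Remote Code Execution":
        return (1, 72, "RCE, exploitation more likely (72-hour window, per Automox)")
    if f.severity == "Critical":
        return (2, 168, "Critical severity (assumed one-week window)")
    return (3, None, "regular patch cycle")


def triage(feed: dict, env: Environment) -> list:
    """Sorted rows of (cve, tier, deadline_hours, reason)."""
    rows = [(f.cve, *priority(f, env)) for f in parse_feed(feed)]
    rows.sort(key=lambda r: (r[1], r[0]))
    return rows


if __name__ == "__main__":
    env = Environment(frozenset({"Windows", "Exchange Server", "Publisher"}))
    for cve, tier, hours, reason in triage(SAMPLE_FEED, env):
        print(f"tier {tier}  {cve}  deadline={hours}h  {reason}")
```

With the inventory above (Windows, Exchange and Publisher present, no NPS policy allowing PEAP) the three exploited bugs land in tier 0, the Exchange RCE in tier 1, and the PEAP bug is set aside as not applicable; flipping `nps_allows_peap` moves CVE-2023-21689 into the 72-hour tier, which is the check Automox's advice amounts to.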