Alex - stock.adobe.com
Microsoft addressed 76 security updates for February Patch Tuesday, including three zero-days.
There were no revised or updated vulnerabilities this month. In total, Microsoft patched nine CVEs rated critical and 66 rated important. One CVE (CVE-2019-15126) issued by the Mitre Corporation details how to stop exploits of HoloLens 1 devices, which uses unsupported Broadcom hardware.
Microsoft resolves three zero-days
Microsoft fixed a zero-day (CVE-2023-21823) rated important in Universal Windows Platform apps and Windows desktop and server systems. The title of the CVE indicates this is a Windows Graphics Component vulnerability, but it also affects Microsoft Office app on Android and iOS devices. Organizations that still run Windows Server 2008/2008 R2 workloads in the Azure cloud platform as part of the Extended Support Update program will also receive a fix for this bug.
No user interaction is required to exploit the flaw. It gives the attacker system privileges for complete control Windows OS systems or the ability to perform a remote-code execution on the Android and iOS devices.
The second zero-day (CVE-2023-21715) is a Microsoft Publisher security features bypass vulnerability rated important for Microsoft 365 Apps on 32-bit and 64-bit systems. By default, these Click-to-Run applications update automatically by pulling the latest version from a network location.
Ivanti's vice president of security product management Chris Goettl said this flaw requires user interaction and could be easily done by emailing a link to a web site that hosts a specially crafted file and enticing the user to open it.
"Phishing is not very difficult. It's more of a statistical game to get an authenticated user on the targeted system to open that file," Goettl said.
After the exploit succeeds, the threat actor can bypass Microsoft Office macro policies used to block untrusted or malicious files to avoid detection and move unchecked across the organization's network.
The last zero-day is a Windows common log file system driver elevation-of-privilege vulnerability (CVE-2023-23376) rated important for Windows desktop and server systems. Exploitation of this flaw does not require user interaction and would give the attack system privileges.
This CVE and CVE-2023-21823 are examples of the types of vulnerabilities a threat actor would use as part of their breach arsenal.
"Neither of them are dangerous on their own. But they would be used in combination with some other attack," Goettl said. "One could be used to get onto the box to elevate their privileges. Then from there they could play around with admin tools to become very hard to detect."
Exchange Server bugs eliminated
Microsoft repaired four remote-code execution flaws (CVE-2023-21529, CVE-2023-21706, CVE-2023-21707 and CVE-2023-21710), all rated important, in Exchange Server this month. The on-premises mail-server system remains a highly valuable target for hackers who, if they manage to exploit the system, will be free to move laterally throughout an organization's infrastructure.
"From what we've seen the last couple of years with the level of sophisticated attacks on Exchange, I would urge organizations to get these updates done in a timely fashion," Goettl said. "I would say you don't want to let this hang out there for longer than a month."
Multiple vulnerabilities hit SQL Server
Microsoft released nine patches to correct flaws related to its SQL database product on February Patch Tuesday:
- CVE-2023-21704: Microsoft ODBC Driver for SQL Server remote-code execution vulnerability, rated important;
- CVE-2023-21718: Microsoft SQL ODBC Driver remote-code execution vulnerability, rated critical;
- CVE-2023-21568: Microsoft SQL Server Integration Service (VS extension) remote-code execution vulnerability, rated important;
- CVE-2023-21528: Microsoft SQL Server remote-code execution vulnerability, rated important;
- CVE-2023-21705: Microsoft SQL Server remote-code execution vulnerability, rated important;
- CVE-2023-21713: Microsoft SQL Server remote-code execution vulnerability, rated important;
- CVE-2023-21685: Microsoft WDAC OLE DB provider for SQL Server remote-code execution vulnerability, rated important;
- CVE-2023-21686: Microsoft WDAC OLE DB provider for SQL Server remote-code execution vulnerability, rated important; and
- CVE-2023-21799: Microsoft WDAC OLE DB provider for SQL Server remote-code execution vulnerability, rated important.
Goettl said this was the most SQL-related security fixes in a single Patch Tuesday release since 2009. The number of patches paired with the complexity of a typical SQL Server environment will require coordination between the IT people who patch the operating system, the application owners and the SQL database administrator for a successful patch deployment.
"There could be challenges with homegrown apps that can be sensitive to updates," Goettl said. "Usually, they need some testing to confirm things are good before they put it back in production."
Critical Microsoft Word vulnerability requires prompt attention
Administrators will also want to put a Microsoft Word remote-code execution vulnerability (CVE-2023-21716) rated critical at the top of their patching priority list. The preview pane in Microsoft Outlook is an attack vector, which means the recipient only needs to view the malicious email to give the threat actor access to their system.
Microsoft lists this bug with a CVSS rating of 9.8 out of 10.
"It's definitely going to be big threat if somebody figures out how to start taking advantage of it," Goettl said.