Microsoft mends Windows zero-day on April Patch Tuesday

Microsoft squashes Windows bug exploited in the wild

A Windows zero-day that affects Windows desktop and server systems, including Windows Server 2008/2008 R2, should be addressed quickly by administrators. CVE-2023-28252 is a Windows Common Log File System Driver elevation-of-privilege vulnerability rated important.

An attacker does not need user interaction to take advantage of this bug, just authentication to the network. If the attacker exploits the vulnerability, they could take system-level privileges on the machine, which would give wide-ranging access across the infrastructure of the affected organization.

A Windows vulnerability from 2013 reappears

A bug from 2013 re-emerged in Microsoft's security update releases in January and again this month, which will require administrators to make manual adjustments if they decide to implement the fix.

The WinVerifyTrust Signature Validation (CVE-2013-3900) vulnerability, rated important, affects supported Windows desktop and server systems. Microsoft originally disclosed this vulnerability on Dec. 10, 2013.

Microsoft notified customers in January of the steps needed to mitigate this vulnerability for supported Windows systems and then issued an update for April Patch Tuesday that added several Server Core installations to the affected products list.

If the administrator applies the fix via a Windows registry setting, then this would enable stricter Authenticode signature verification for greater scrutiny of digital signatures in applications.

Chris Goettl

Chris Goettl, Ivanti vice president of security product management, said Microsoft made the correction optional because this heightened protection could increase the number of false positives reported.

"There could be some edge cases where it could be abused in some environments, but the risk is low. Otherwise Microsoft would have taken a stronger hand with it a while back," he said.

Another patch from the past materializes

Microsoft issued an April Patch Tuesday security update to correct a curl remote-code execution flaw (CVE-2022-43552), rated important, first reported Feb. 9. The bug in the open-source tool affects several Microsoft products, including Windows server and desktop systems, and version 2.0 of CBL-Mariner, a Linux OS used in Microsoft cloud and edge products.

In March Patch Tuesday, Microsoft reported a fix was in development and indicated it found more affected products that use the data-transfer tool. Curl version 7.87.0 corrects the vulnerability. After applying the patch on Windows systems, administrators must undo mitigations that blocked curl execution to resume using the tool.

Fix for Windows domain controllers delayed

Administrators who were bracing for an April Patch Tuesday update related to a Windows Kerberos elevation-of-privilege vulnerability have more time to prepare for changes to their domain controllers.

Microsoft originally planned to implement the third deployment phase of its multi-step rollout of Kerberos protocol changes on April 11. The Windows Message Center still shows the original deployment date, but updated Knowledge Base article KB5020805 indicates the change moved to June 13. Microsoft did not disclose the reason for the delay.

The Kerberos changes stem from the CVE-2022-37967 vulnerability first disclosed on Nov. 8, 2022.

The third phase of this security-hardening procedure will not allow deactivation of Privileged Attribute Certificate signatures.

Administrators now have until Oct. 10 before Microsoft implements what it calls "full enforcement phase" to fully mitigate the issue by blocking vulnerable connections from non-compliant devices.

Other security updates of note for April Patch Tuesday

While most of this month's patches fall under the Windows cumulative update umbrella and don't require much effort to deploy, administrators should pay close attention to a Raw Image Extension remote-code execution vulnerability (CVE-2023-28291), rated critical, for Windows 10 and 11 systems.

This app installs from the Microsoft Store. If administrators set up desktop systems to update Microsoft Store apps automatically, then the issue will resolve itself. But in a disconnected environment or if the Microsoft Store automatic update settings are not enabled, then administrators will have to take extra steps to deploy the patch.

On an unpatched system, an attacker could exploit the vulnerability after logging into the system and running a specially crafted application to overtake the machine or enticing a user to open the specially crafted application through email or instant message.

Administrators will also have to handle four bugs related to SQL Server:

• CVE-2023-23375. Microsoft Open Database Connectivity (ODBC) and Object Linking and Embedding Database (OLE DB) remote-code execution vulnerability affects the Microsoft ODBC driver for SQL Server.
• CVE-2023-28304. Microsoft ODBC and OLE DB remote-code execution vulnerability affects the Microsoft ODBC driver for SQL Server.
• CVE-2023-23384. Microsoft SQL Server remote-code execution vulnerability affects supported Microsoft SQL Server systems; and
• CVE-2023-28275. Microsoft Windows Data Access Components (WDAC) OLE DB provider for SQL Server remote-code execution vulnerability affects Windows desktop and server systems.

It's the end of the road for multiple Microsoft products

Several Microsoft products with the 2013 designation reached end-of-life on April 11, most notably Exchange Server 2013. Microsoft will no longer support this software, which encompasses technical help, software fixes and security updates.

Organizations still on Exchange 2013 can upgrade to the supported Exchange 2016 or Exchange 2019. The latter is Microsoft's recommendation for organizations that want or need to maintain an on-premises mail server platform.

The other retired products include Office 2013 apps, SharePoint Server 2013, SharePoint Foundation 2013, Lync Server 2013 and Project Server 2013.

Most Microsoft products will continue to function after the end of support. But enterprises run the risk of exposure to attack without the protection from the monthly security updates.

Microsoft unveiled one wrinkle to this practice in March. The Exchange Team posted a blog indicating that the company would take steps to prevent email from unsupported and unpatched Exchange Servers to the Exchange Online hosted email service.

"We don't want to delay or block legitimate email, but we do want to reduce the risk of malicious email entering Exchange Online by putting in place safeguards and standards for email entering our cloud service. We also want to get the attention of customers who have unsupported or unpatched Exchange servers and encourage them to secure their on-premises environments," the Exchange team wrote in its blog.

Microsoft will use a transport-based enforcement system to report these nonconforming Exchange Server systems to the admin, which will lead to throttling email and eventually blocking messages from the on-premises system. Microsoft started this practice with legacy Exchange Server 2007 systems and plans to ban email from Exchange 2010 and Exchange 2013 systems over time. If Microsoft detects email from a supported -- but unpatched -- Exchange 2016 or Exchange 2019 system, those messages will fall under the same enforcement policy.

"Exchange was great years ago, but it is an archaic and very complicated beast. There are some very sophisticated threat actors who know the ins and outs of Exchange. They know how to find the next vulnerability. Anybody who chooses to continue using Exchange Server needs to reassess their risk-versus-reward model," Goettl said.