Yesterday Microsoft gave the world a whole load of love in the form of patches plugging dozens of security holes in its Windows operating systems and other software. This year’s Patch Tuesday fell on Valentine’s Day, and the release includes fixes for three different zero-day vulnerabilities that are already being actively exploited in attacks.
Microsoft’s security advisory is somewhat sparse in details about the zero-day bugs. Redmond notes CVE-2023-23376 as a “major” privilege escalation vulnerability in the Windows Common Log File System driver, which is present in Windows 10 and 11 systems as well as in many server versions of Windows.
“Unfortunately, there is very little reliable information about this privilege escalation,” said Dustin Childs, Threat Awareness Lead at Trend Micro’s Zero Day Initiative.
“Microsoft does note that the vulnerability would allow an attacker to execute code as SYSTEM, allowing them to completely take over the target. This is most likely combined with a remote code execution bug to spread malware or ransomware. Given that this was detected by the Microsoft Threat Intelligence Center, it could mean that it was being used by advanced threat actors. In any case, make sure you quickly test and deploy these fixes.”
The zero-day CVE-2023-21715 is a weakness in Microsoft Office that Redmond describes as a “security feature bypass vulnerability.”
“Microsoft lists this as actively exploited, but they don’t provide any information about how widespread these exploits might be,” Childs said.
“From the description, this sounds more like privilege escalation than a security feature bypass, but regardless, active attacks on a typical enterprise application should not be ignored. It is always alarming when a security feature is not only bypassed but exploited. Let’s hope that the fix comprehensively solves the problem.”
The third zero-day already being exploited is CVE-2023-21823, another elevation-of-privilege flaw, this time in the Microsoft Windows graphics component. Researchers at the cybersecurity forensics firm Mandiant are credited with reporting the flaw.
“In recent weeks, we have seen an increase in the use of OneNote files in targeted malware distribution campaigns,” Brin said.
“The fixes for this are shipped through the app stores rather than the regular update channels, so it’s important to double check your organization’s policy.”
Microsoft has fixed another Office vulnerability, CVE-2023-21716, a Microsoft Word bug that can lead to remote code execution even if the booby-trapped Word document is simply viewed in the Microsoft Outlook Preview pane. This security hole has a CVSS (severity) score of 9.8 out of a possible 10.
Microsoft also has additional valentines for organizations that rely on Microsoft Exchange Server to process email. Redmond fixed three Exchange Server bugs (CVE-2023-21706, CVE-2023-21707 and CVE-2023-21529), all of which Microsoft says are remote code execution bugs that are likely to be exploited.
Microsoft has stated that authentication is required to exploit these bugs, but then again, threat groups that attack Exchange vulnerabilities also tend to phish targets to obtain their Exchange credentials.
Microsoft is not alone in patching frightening, poorly described zero-day flaws. On February 13, Apple released an iOS update that fixes a zero-day vulnerability in WebKit, Apple’s open source browser engine. Johannes Ullrich of the SANS Internet Storm Center notes that in addition to the WebKit issue, Apple has fixed a privilege escalation issue. Both flaws are fixed in iOS 16.3.1.
“This privilege escalation issue could be exploited to exit the browser sandbox and gain full system access after executing code through a WebKit vulnerability,” Ullrich warned.
On a lighter note (hopefully), Microsoft has hammered the final nail into the coffin of Internet Explorer 11 (IE11). According to Redmond, the out-of-support IE11 desktop app was permanently disabled on certain versions of Windows 10 on February 14, 2023, via an update to Microsoft Edge.
“All remaining consumer and commercial devices that have not yet been redirected from IE11 to Microsoft Edge have been redirected with the Microsoft Edge update. Users will not be able to undo this change,” Microsoft explained.
“In addition, redirection from IE11 to Microsoft Edge will be enabled as part of all future Microsoft Edge updates. Visual references to IE11, such as the IE11 icons in the Start menu and taskbar, will be removed in the June 2023 Windows Security Update (Release “B”) scheduled for June 13, 2023.”
For a more detailed description of the updates released today, see the SANS Internet Storm Center overview. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will most likely have the ins and outs.
Consider backing up your data and/or imaging your system before applying any updates. And feel free to comment if you run into any issues as a result of these fixes.
On my own behalf, I’ll add that timely updating of a system can save its life, but on some machines errors may appear, up to and including complete unusability, so backups are everything!
Microsoft also runs the Windows Insider Program (a beta program) both for those who just want to try the new features and the unfinished system, and for information security specialists who want to test the system for resistance to various things.
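As an added example (not from the original article), the following script turns the backup-before-patching advice into a repeatable routine for a Windows 10/11 workstation: take a restore point before installing the updates, then confirm afterwards that updates were actually installed on or after this Patch Tuesday and whether a reboot is still pending. It assumes an elevated Windows PowerShell 5.1 session (Checkpoint-Computer and Get-ComputerRestorePoint are not available in PowerShell 7) and that System Protection is enabled on the system drive; the 2023-02-14 cut-off date is this release’s date, and the registry keys checked are the standard Component Based Servicing and Windows Update reboot-pending markers.

```powershell
# Added example, not from the original article.
# Assumptions: elevated Windows PowerShell 5.1; System Protection enabled on
# the system drive; $patchTuesday is this release's date.
$patchTuesday = Get-Date -Year 2023 -Month 2 -Day 14

function New-PrePatchSnapshot {
    # Create a restore point before installing updates so a bad update can be
    # rolled back. Windows rate-limits restore points to one per 24 hours by
    # default, so reuse a recent one instead of silently getting nothing.
    $recent = @(Get-ComputerRestorePoint |
        Where-Object { $_.ConvertToDateTime($_.CreationTime) -gt (Get-Date).AddHours(-24) })
    if ($recent.Count -gt 0) {
        Write-Host "Recent restore point already exists: $($recent[-1].Description)"
        return $recent[-1]
    }
    Checkpoint-Computer -Description "Pre-patch snapshot $(Get-Date -Format s)" `
                        -RestorePointType MODIFY_SETTINGS
    Get-ComputerRestorePoint | Select-Object -Last 1
}

function Get-PatchTuesdayUpdates {
    param([datetime]$Since = $patchTuesday)
    # List updates installed on or after the given date. InstalledOn can be
    # null for some entries, so those are filtered out explicitly.
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn |
        Select-Object HotFixID, Description, InstalledOn
}

function Test-PendingReboot {
    # Kernel-side fixes (the CLFS driver, the graphics component) only take
    # effect after a restart; these keys exist while a reboot is pending.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($k in $keys) { if (Test-Path $k) { return $true } }
    return $false
}

# Usage: snapshot first, install updates via Windows Update or your
# management tooling, then verify.
New-PrePatchSnapshot
$installed = Get-PatchTuesdayUpdates
if (-not $installed) {
    Write-Warning "No updates installed since $($patchTuesday.ToShortDateString())."
} else {
    $installed | Format-Table -AutoSize
}
if (Test-PendingReboot) {
    Write-Warning "A reboot is pending; the patches are not fully applied until restart."
}
```

A restore point protects the OS and registry but not user data, so it complements rather than replaces the file backup or full disk image the article recommends. Get-HotFix only reports updates that register as hotfixes, so a Microsoft Edge update (the channel through which the IE11 retirement ships) or an app-store delivered Office fix will not appear in its output and has to be verified through the application itself.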