Microsoft fixes three zero-days in February update

freshidea – stock.adobe.com

February’s Patch Tuesday update contains fixes for three previously unpublicised zero-days in Microsoft Office, Windows Graphics Component and Windows Common Log File System Driver

Alex Scroxton

By

Published: 15 Feb 2023 13:30

Microsoft has issued fixes for a total of 75 newly discovered common vulnerabilities and exposures (CVEs) in its February 2023 Patch Tuesday update, including three zero-day vulnerabilities that, while they have not previously been made public, should be prioritised for patching.

The three zero-days have all been designated of important severity, and carry CVS scores of 7.3, 7.8 and 7.8 respectively. They are all known to be exploited in the wild.

They are tracked as follows:

  • CVE-2023-21715, a security feature bypass vulnerability in Microsoft Publisher which could let an attacker bypass Office macro defences using a specially crafted document to run code that would otherwise be blocked. However, this can only be done by a local, authenticated user, and it affects only Publisher installations that are part of the wider Microsoft 365 Apps for Enterprise package.
  • CVE-2023-21823, a joint elevation of privilege (EoP) and remote code execution (RCE) vulnerability in Windows Graphics Component, which enables an attacker to gain system-level privileges. It affects Windows 10 and Server 2008 and later editions, as well as Microsoft Office for iOS, Android and Universal – in these three latter instances, it can lead to RCE, hence its dual nature.
  • And CVE-2023-23376, another EoP vulnerability in Windows Common Log File System Driver that again enables local privilege escalation to system-level. There does not appear to be any mature exploit code that Microsoft is aware of, however it does warrant a swift fix because it affects the vast majority of Windows hosts.

Chris Goettl, vice-president of security products at Ivanti, said the fact that the exploited vulnerabilities were all rated as being of lower severity than many of the other squashed bugs should be a valuable lesson for security teams as they go about shoring up their defences.

“Organisations are urged to expand their prioritisation beyond just vendor severity and CVSS score alone,” said Goettl, “as many exploited vulnerabilities will be less than Critical or CVSS 8.0. This emphasises the urgent need to utilise risk-based prioritisation methods in your vulnerability management programme.”  

Critical bugs

The full drop also address nine critical CVEs, all leading to remote code execution, and their CVSS scores range from 7.8 to 9.8. These are:

Running the rule over the listed critical bugs, Dustin Childs of Trend Micro’s Zero Day Initiative programme, said that the PEAP vulnerabilities may prove less impactful as the protocol is being used less and less, but that of rather more concern is the iSCSI Discovery Service issue.

“Datacentres with storage area networks (SANs) should definitely check with their vendors to see if their SAN is impacted by the RCE vulnerability,” wrote Childs.

He said the SQL ODBC driver vulnerability, which he assessed may have a “somewhat unlikely” exploit chain associated with it, but which still warrants attention to ensure security teams get the right fix for the right edition of SQL Server. Finally, he said, the three patches covering .NET and Visual Studio seemed at face value to be simple “open-and-own” bugs, but details are thin on the ground.

Childs also noted that the full February update is slightly unusual in that fully half of the bugs patched are RCE vulnerabilities.

Adam Barnett, lead software engineer at Rapid7, noted that following the end of support for Windows 8.1 – the January 2023 update was the last to cover it – security teams still running it should be on their guard moving forward.

“This is the first Patch Tuesday after the end of Extended Security Updates (ESU) for Windows 8.1. Admins responsible for Windows Server 2008 instances should note that ESU for Windows Server 2008 is now only available for instances hosted in Azure or on-premises instances hosted via Azure Stack,” he said.

“Instances of Windows Server 2008 hosted in a non-Azure context will no longer receive security updates, so will forever remain vulnerable to any new vulnerabilities, including the two zero-days covered above.”

Read more on Application security and coding requirements

Read More
Erasmo Volkman

Latest

Will Spain keep finding a way? Re-ranking the World Cup teams with six games remaining – The Athletic – The New York Times

Forty-eight teams started these World Cup finals a month ago — now only six remain. Tomorrow that will be whittled down to a final four. Morocco became the first quarter-finalists to be knocked out, losing 2-0 to the seemingly unstoppable France on Thursday, before brave Belgium finally succumbed to Spain in Los Angeles on Friday

Erling Haaland is Norway’s World Cup machine — and the internet’s ‘babygirl’ – AP News

Erling Haaland stands at 6 feet, 5 inches, an intimidating force who can make fellow soccer players look tiny in stature and talent. Scoring seven goals across four World Cup matches entering Saturday, the Norwegian player has been described as a machine. But if you ask some loyal new fans, he’s also a babygirl and

Woody Marks and 5 fantasy football sleepers trending toward a much bigger role

One way to get an edge in fantasy football? By keeping a close eye on offseason chatter. Which players are impressing reporters in OTAs? Which roster battles could go a different way than the average fan expects? Which rookie is going to end up rocketing up draft boards by August? These five players are fairly

Matt Miller Announces Indefinite Leave From ESPN Amid Investigation Over Alleged Fantasy Football Fraud

On June 23, ESPN NFL Draft analyst Matt Miller revealed that he was in a car crash and was brutally injured. The accident nearly caused him to lose his life, as his arm had to be amputated to keep him alive. Now that he is making his way back after a drastic change, Miller announced

Newsletter

Don't miss

Will Spain keep finding a way? Re-ranking the World Cup teams with six games remaining – The Athletic – The New York Times

Forty-eight teams started these World Cup finals a month ago — now only six remain. Tomorrow that will be whittled down to a final four. Morocco became the first quarter-finalists to be knocked out, losing 2-0 to the seemingly unstoppable France on Thursday, before brave Belgium finally succumbed to Spain in Los Angeles on Friday

Erling Haaland is Norway’s World Cup machine — and the internet’s ‘babygirl’ – AP News

Erling Haaland stands at 6 feet, 5 inches, an intimidating force who can make fellow soccer players look tiny in stature and talent. Scoring seven goals across four World Cup matches entering Saturday, the Norwegian player has been described as a machine. But if you ask some loyal new fans, he’s also a babygirl and

Woody Marks and 5 fantasy football sleepers trending toward a much bigger role

One way to get an edge in fantasy football? By keeping a close eye on offseason chatter. Which players are impressing reporters in OTAs? Which roster battles could go a different way than the average fan expects? Which rookie is going to end up rocketing up draft boards by August? These five players are fairly

Matt Miller Announces Indefinite Leave From ESPN Amid Investigation Over Alleged Fantasy Football Fraud

On June 23, ESPN NFL Draft analyst Matt Miller revealed that he was in a car crash and was brutally injured. The accident nearly caused him to lose his life, as his arm had to be amputated to keep him alive. Now that he is making his way back after a drastic change, Miller announced

Garrett Nussmeier’s QB Brother Receives Upsetting News on Football Career

Colton Nussmeier has run out of options to fix his eligibility for 2026. On July 9, the UIL State Executive Committee voted 4–1 to reject his appeal, a decision first shared by 247Sports’ Mike Roach. With that, his plan to play his senior season at Denton Ryan is over. The door at his old school

Breitbart Business Digest: Stacking Those $250 Trump Bills

Weekly Wrap: Making It Rain with Trump Bills Welcome back to Friday! This is the Breitbart Business Digest weekly wrap, our septidialogic sweep through the economic and financial news. This week the economy failed to get indigestion from the high price of gas, Treasury Secretary Scott Bessent told us about getting fed at the Fed, Trump

Business seminar in Munich highlights Hong Kong’s strategic roles amidst global shifts (with photos)

Business seminar in Munich highlights Hong Kong's strategic roles amidst global shifts (with photos) ******************************************************************************************      The Hong Kong Economic and Trade Office, Berlin (HKETO Berlin), promoted Hong Kong's unique advantages and strategic roles at the seminar "Hong Kong's strategic role amidst geopolitical tensions" on June 18 (Munich time) in Munich, Germany.             Senior executives, investors

AI for business services: From job fears to productivity

AI for business services: From job fears to productivity