Microsoft is sending the world a whole bunch of love today, in the form of patches to plug dozens of security holes in its Windows operating systems and other software. This year’s special Valentine’s Day Patch Tuesday includes fixes for a whopping three different “zero-day” vulnerabilities that are already being used in active attacks.
Microsoft’s security advisories are somewhat sparse with details about the zero-day bugs. Redmond flags CVE-2023-23376 as an “Important” elevation of privilege vulnerability in the Windows Common Log File System Driver, which is present in Windows 10 and 11 systems, as well as many server versions of Windows.
“Sadly, there’s just a little solid information about this privilege escalation,” said Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative. “Microsoft does note that the vulnerability would allow an attacker to exploit code as SYSTEM, which would allow them to completely take over a target. This is likely being chained with a remote code execution bug to spread malware or ransomware. Considering this was discovered by Microsoft’s Threat Intelligence Center, it could mean it was used by advanced threat actors. Either way, make sure you test and roll these fixes quickly.”
The zero-day CVE-2023-21715 is a weakness in Microsoft Office that Redmond describes as a “security feature bypass vulnerability.”
“Microsoft lists this as under active exploit, but they offer no info on how widespread these exploits may be,” Childs said. “Based on the write-up, it sounds more like a privilege escalation than a security feature bypass, but regardless, active attacks in a common enterprise application shouldn’t be ignored. It’s always alarming when a security feature is not just bypassed but exploited. Let’s hope the fix comprehensively addresses the problem.”
The third zero-day flaw already seeing exploitation is CVE-2023-21823, which is another elevation of privilege weakness — this one in the Microsoft Windows Graphic component. Researchers at cybersecurity forensics firm Mandiant were credited with reporting the bug.
Kevin Breen, director of cyber threat research at Immersive Labs, pointed out that the security bulletin for CVE-2023-21823 specifically calls out OneNote as being a vulnerable component for the vulnerability.
“In recent weeks, we have seen an increase in the use of OneNote files as part of targeted malware campaigns,” Breen said. “Patches for this are delivered via the app stores and not through the typical formats, so it’s important to double check your organization’s policies.”
Microsoft fixed another Office vulnerability in CVE-2023-21716, which is a Microsoft Word bug that can lead to remote code execution — even if a booby-trapped Word document is merely viewed in the preview pane of Microsoft Outlook. This security hole has a CVSS (severity) score of 9.8 out of a possible 10.
Microsoft also has more valentines for organizations that rely on Microsoft Exchange Server to handle email. Redmond patched three Exchange Server flaws (CVE-2023-21706, CVE-2023-21707, and CVE-2023-21529), all of which Microsoft says are remote code execution flaws that are likely to be exploited.
Microsoft said authentication is required to exploit these bugs, but then again threat groups that attack Exchange vulnerabilities also tend to phish targets for their Exchange credentials.
Microsoft isn’t alone in dropping fixes for scary, ill-described zero-day flaws. Apple on Feb. 13 released an update for iOS that resolves a zero-day vulnerability in Webkit, Apple’s open source browser engine. Johannes Ullrich at the SANS Internet Storm Center notes that in addition to the WebKit problem, Apple fixed a privilege escalation issue. Both flaws are fixed in iOS 16.3.1.
“This privilege escalation issue could be used to escape the browser sandbox and gain full system access after executing code via the WebKit vulnerability,” Ullrich warned.
On a lighter note (hopefully), Microsoft drove the final nail in the coffin for Internet Explorer 11 (IE11). According to Redmond, the out-of-support IE11 desktop application was permanently disabled on certain versions of Windows 10 on February 14, 2023 through a Microsoft Edge update.
“All remaining consumer and commercial devices that were not already redirected from IE11 to Microsoft Edge were redirected with the Microsoft Edge update. Users will be unable to reverse the change,” Microsoft explained. “Additionally, redirection from IE11 to Microsoft Edge will be included as part of all future Microsoft Edge updates. IE11 visual references, such as the IE11 icons on the Start Menu and taskbar, will be removed by the June 2023 Windows security update (“B” release) scheduled for June 13, 2023.”
For a more granular rundown on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.
Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.
Interesting about disabling IE11. I had been using a very old version of Quickbooks, which only works if IE is installed. (I discovered this after I’d deleted IE from my computer and tried to use Quickbooks, so then had to reinstall it.) It will be interesting to see if it will continue to work, of if I’ll have to unpack a legacy computer to use that version of Quickbooks…..
Three Windows ten machines updated, no problems
Thank you!
Excellent! Thanks for the feedback.
Once again, the patches ignored the request to let me choose when to apply them because I have my network set to metered mode. Yes, I understand the criticality of the issues, but that does not mean that need to have my work interrupted because Microsoft thinks I don’t know better.
We received multiple onenote.one files that Defender did not detect as malicious. But they were clearly scam emails. So I saved one as a .txt and inspected – PowerShell script, but defender didn’t’ flag it at all, so we made an email rule Delete all emails with OneNote attachments – to compensate for MS lack of diligence. Just went look at the holding folder – oh detects it now, and sent an alert. Pathetic they didn’t see the script last week.
Also: “Childs said. “Based on the write-up, it sounds more like a privilege escalation than a security feature bypass” That is a messed up statement.
It may or may not be related to the MOTW “mark of the web” default popup “warning” being bypassed trivially on files downloaded from the internet. They’ve been seeing more of that, although if people are relying on MOTW to save them from malicious payloads that’s tragic comedy in the making. They could certainly add more than that single vague sentence to describe the protection feature being circumvented…
Reddit/r/Sysadmin is reporting that after Feb update KB5022842 is applied, Server 2022 servers running on VMware vSphere 7 will hang on second boot unless/until Secure Boot is disabled. Secure Boot is the default for Server 2022 on vSphere 7. VMWare’s current solution is to either disable secure boot (as many have discovered) or update to ESXi8 which does not exhibit this issue.
I’ve found ghacks.net to be a pretty good info source on Wupdates. YMMV…
ghacks.net/2023/02/14/microsoft-windows-security-updates-february-2023-overview/
W11Home update. Gaming laptop.
After update when starting Photoshop Elements (Ver. 16) it comes up immediately, but takes no commands for several minutes.
I updated my desktop and laptop, both on W10 22H2. Both restarted fine. No probs so far.
I say that it’s great to see Microsoft taking Valentine’s Day seriously by patching so many security holes in their software.
And it’s important for users to stay vigilant and keep their systems up to date to protect themselves from security threats.
This update works fine for me.
The same here.
Once again, the patches ignored the request to let me choose when to apply them because I have my network set to metered mode.