Microsoft’s February Patch Tuesday brings fixes for 75 flaws, and among them are fixes for three vulnerabilities for which exploits already exist.
The three zero days affect Microsoft Publisher, the Windows Common Log File System Driver, and the Windows Graphics Component.
The Microsoft Publisher flaw, CVE-2023-21715, is a security feature bypass vulnerability with an “important” severity rating from Microsoft. An attacker could bypass Office macro policies used to block untrusted or malicious files. Normally, Office alerts users that a file is untrusted before allowing it to run.
The attacker could trick a target into opening a specially crafted file from a website. However, Microsoft notes the “attack itself is carried out locally by a user with authentication to the targeted system.” This affects Publisher delivered with Microsoft 365 Apps for Enterprise. The issue was reported by Hidetake Jo from Microsoft.
The Windows Common Log File System Driver is affected by an elevation of privilege vulnerability, CVE-2023-23376. Microsoft rates it as “important” and notes the bug can give an attacker System-level privileges. It was reported by Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC).
The Windows Graphics Component flaw, CVE-2023-21823, is a remote code execution (RCE) vulnerability, but only has an “important” rating despite it being an RCE and the existence of mature exploit code.
Exploitation allows an attacker to gain System-level privileges. Microsoft doesn’t say how it can be exploited and, while the bug affects Windows, Microsoft notes that Windows apps will be updated via the Microsoft Store and that OneNote for Android can be updated via Google Play. The bug was reported by Mandiant researchers Dhanesh Kizhakkinan and Genwei Jiang.
There are fixes for nine critical bugs this month, all of which are remote code execution flaws, according to the Zero Day Initiative’s tally. These affect .NET and Visual Studio, Microsoft Protected Extensible Authentication Protocol, Microsoft SQL ODBC Driver, Microsoft Word, and the Windows iSCSI Discovery Service. There are 66 medium-severity flaws and one medium-severity flaw that affected several Wi-Fi devices with a fix now being integrated into Microsoft products.
Security firm Rapid7 notes that Microsoft has now started to include in its Patch Tuesday disclosures about flaws affecting CBL-Mariner, Microsoft’s own Linux OS distribution for Azure. Mariner is used by Microsoft internally and is in production with Xbox, Playful, Minecraft, and over 100 Azure services, including Azure Kubernetes Service.
Microsoft in January announced it was sharing CBL-Mariner CVEs in the Security Update Guide.
Admins still running Windows 8.1 should take note also of this Patch Tuesday as it was the first one since the end of the Windows 8.1 Extended Security Updates program.
“Admins responsible for Windows Server 2008 instances should note that ESU for Windows Server 2008 is now only available for instances hosted in Azure or on-premises instances hosted via Azure Stack. Instances of Windows Server 2008 hosted in a non-Azure context will no longer receive security updates, so will forever remain vulnerable to any new vulnerabilities, including the two zero-days covered above,” noted Rapid7’s Adam Barnett.