Microsoft is sending the world a whole bunch of love today, in the form of patches to plug dozens of security holes in its Windows operating systems and other software. This year’s special Valentine’s Day Patch Tuesday includes fixes for a whopping three different “zero-day” vulnerabilities that are already being used in active attacks.

Microsoft’s security advisories are somewhat sparse with details about the zero-day bugs. Redmond flags CVE-2023-23376 as an “Important” elevation of privilege vulnerability in the Windows Common Log File System Driver, which is present in Windows 10 and 11 systems, as well as many server versions of Windows.
“Sadly, there’s just a little solid information about this privilege escalation,” said Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative. “Microsoft does note that the vulnerability would allow an attacker to exploit code as SYSTEM, which would allow them to completely take over a target. This is likely being chained with a remote code execution bug to spread malware or ransomware. Considering this was discovered by Microsoft’s Threat Intelligence Center, it could mean it was used by advanced threat actors. Either way, make sure you test and roll these fixes quickly.”
The zero-day CVE-2023-21715 is a weakness in Microsoft Office that Redmond describes as a “security feature bypass vulnerability.”
“Microsoft lists this as under active exploit, but they offer no info on how widespread these exploits may be,” Childs said. “Based on the write-up, it sounds more like a privilege escalation than a security feature bypass, but regardless, active attacks in a common enterprise application shouldn’t be ignored. It’s always alarming when a security feature is not just bypassed but exploited. Let’s hope the fix comprehensively addresses the problem.”
The third zero-day flaw already seeing exploitation is CVE-2023-21823, which is another elevation of privilege weakness — this one in the Microsoft Windows Graphic component. Researchers at cybersecurity forensics firm Mandiant were credited with reporting the bug.
Kevin Breen, director of cyber threat research at Immersive Labs, pointed out that the security bulletin for CVE-2023-21823 specifically calls out OneNote as being a vulnerable component for the vulnerability.
“In recent weeks, we have seen an increase in the use of OneNote files as part of targeted malware campaigns,” Breen said. “Patches for this are delivered via the app stores and not through the typical formats, so it’s important to double check your organization’s policies.”
Microsoft fixed another Office vulnerability in CVE-2023-21716, which is a Microsoft Word bug that can lead to remote code execution — even if a booby-trapped Word document is merely viewed in the preview pane of Microsoft Outlook. This security hole has a CVSS (severity) score of 9.8 out of a possible 10.
Microsoft also has more valentines for organizations that rely on Microsoft Exchange Server to handle email. Redmond patched three Exchange Server flaws (CVE-2023-21706, CVE-2023-21707, and CVE-2023-21529), all of which Microsoft says are remote code execution flaws that are likely to be exploited.
Microsoft said authentication is required to exploit these bugs, but then again threat groups that attack Exchange vulnerabilities also tend to phish targets for their Exchange credentials.
Microsoft isn’t alone in dropping fixes for scary, ill-described zero-day flaws. Apple on Feb. 13 released an update for iOS that resolves a zero-day vulnerability in WebKit, Apple’s open source browser engine. Johannes Ullrich at the SANS Internet Storm Center notes that in addition to the WebKit problem, Apple fixed a privilege escalation issue. Both flaws are fixed in iOS 16.3.1.
“This privilege escalation issue could be used to escape the browser sandbox and gain full system access after executing code via the WebKit vulnerability,” Ullrich warned.
On a lighter note (hopefully), Microsoft drove the final nail in the coffin for Internet Explorer 11 (IE11). According to Redmond, the out-of-support IE11 desktop application was permanently disabled on certain versions of Windows 10 on February 14, 2023 through a Microsoft Edge update.
“All remaining consumer and commercial devices that were not already redirected from IE11 to Microsoft Edge were redirected with the Microsoft Edge update. Users will be unable to reverse the change,” Microsoft explained. “Additionally, redirection from IE11 to Microsoft Edge will be included as part of all future Microsoft Edge updates. IE11 visual references, such as the IE11 icons on the Start Menu and taskbar, will be removed by the June 2023 Windows security update (“B” launch) scheduled for June 13, 2023.”
For a more granular rundown on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.
Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.
