[Editor’s note: An earlier version of this article stated there were two exploited bugs patched this month. It has been updated to reflect the additional exploited vulnerability.]
Microsoft has released patches to fix 75 security bugs in the February 2023 Patch Tuesday release, including one each in Microsoft Office, Windows Common Log File System Driver and Windows Graphics Component that are being actively exploited, as well as a handful of Exchange remote code execution vulnerabilities.
The 75 fixed vulnerabilities are far fewer than the 98 bugs Microsoft patched in its first security update release of the year in January, but there are still a handful that warrant closer inspection, testing and deployment.
According to analysis from Zero Day Initiative, Tenable, and other cybersecurity researchers, here are the February 2023 Patch Tuesday bugs IT admins should prioritize patching:
CVE-2023-21529, CVE-2023-21706, CVE-2023-21707 and CVE-2023-21710 – Microsoft Exchange Server Remote Code Execution Vulnerabilities
There are multiple Exchange Server remote code execution bugs getting fixes this month. According to Tenable, CVE-2023-21710 received a CVSSv3 score of 7.2, while the other three CVEs were assigned CVSSv3 scores of 8.8. The vulnerabilities allow a remote attacker to execute arbitrary code on a vulnerable server via a network call.
According to Tenable’s analysis, CVE-2023-21529, CVE-2023-21706 and CVE-2023-21707 are similar to CVE-2022-41082, an authenticated remote code execution bug that was publicly disclosed in September 2022 as part of ProxyNotShell.
Microsoft released mitigations in September 2022 to protect vulnerable servers until a patch was released in their November 2022 Patch Tuesday. A bypass of this mitigation, called OWASSRF (CVE-2022-41080), was then released in December 2022, per Tenable.
CVE-2023-21715 – Microsoft Office Security Feature Bypass Vulnerability
This bug is a security feature bypass in Microsoft Office, and it is one of the three bugs patched this month that are being actively exploited. However, exploitation requires a local, authenticated user to download and open an attacker-created file on a vulnerable system, so it requires some social engineering.
CVE-2023-23376 – Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability
This is another bug listed under active attack this month, and like the Office bug above, there is little public information about it. According to Microsoft, the bug allows an attacker to execute code as SYSTEM, which could lead to a complete system takeover. A remote code execution bug is likely being used in conjunction with this one to spread malware or ransomware. This is the third CLFS flaw patched in the last year, including one that was disclosed by the National Security Agency and CrowdStrike in April 2022. This one was discovered by Microsoft’s Threat Intelligence Center, which suggests use by a sophisticated threat actor.
CVE-2023-21716 – Microsoft Word Remote Code Execution Vulnerability
This vulnerability received a CVSS score of 9.8, so IT admins should prioritize this Microsoft Word bug. The Outlook Preview Pane is an attack vector, and an attacker could use the bug to execute code with the privileges of the current user without user interaction. It can be exploited by an unauthenticated attacker sending an email with a rich text format (RTF) payload, which allows for command execution if opened.
The Microsoft advisory for this vulnerability links to MS08-026 and KB922849 for guidance on how to prevent Microsoft Office from opening RTF documents from unknown or untrusted sources by using the Microsoft Office File Block policy, according to Tenable.
CVE-2023-21823 – Microsoft Windows Graphics Component Elevation of Privilege Vulnerability
This EoP vulnerability in the Microsoft Windows Graphics Component received a CVSSv3 score of 7.8 and was exploited in the wild as a zero-day, according to Tenable. Exploitation of this flaw requires an attacker to log onto a vulnerable system and execute a specially crafted application. Successful exploitation would grant an attacker the ability to run processes in an elevated context.