Cookie Consent by Free Privacy Policy Generator 📌 The February 2023 Security Update Overview

🏠 Team IT Security News

TSecurity.de ist eine Online-Plattform, die sich auf die Bereitstellung von Informationen,alle 15 Minuten neuste Nachrichten, Bildungsressourcen und Dienstleistungen rund um das Thema IT-Sicherheit spezialisiert hat.
Ob es sich um aktuelle Nachrichten, Fachartikel, Blogbeiträge, Webinare, Tutorials, oder Tipps & Tricks handelt, TSecurity.de bietet seinen Nutzern einen umfassenden Überblick über die wichtigsten Aspekte der IT-Sicherheit in einer sich ständig verändernden digitalen Welt.

16.12.2023 - TIP: Wer den Cookie Consent Banner akzeptiert, kann z.B. von Englisch nach Deutsch übersetzen, erst Englisch auswählen dann wieder Deutsch!

Google Android Playstore Download Button für Team IT Security



📚 The February 2023 Security Update Overview


💡 Newskategorie: Hacking
🔗 Quelle: thezdi.com

Welcome to the second patch Tuesday of 2023. On this romantic holiday, Microsoft and Adobe have released their latest security patches as Valentine’s gifts for us all. Take a break from your regularly scheduled activities (or Pwn2Own Miami) and join us as we review the details of their latest security offerings.

Adobe Patches for February 2023

For February, Adobe released nine patches addressing 28 CVEs in Adobe Photoshop, Substance 3D Stager, Animate, InDesign, Bridge, FrameMaker, Connect, and After Effects. A total of 21 of these were reported by ZDI vulnerability researcher Mat Powell. Probably the most interesting fix is for PhotoShop. This patch fixes five bugs, three of which are rated Critical. An attacker could get arbitrary code execution if they can convince a user on an affected system to open a malicious file. This is the same scenario for Premier Rush, which corrects two Critical-rated code execution bugs. The Animate patch also fixes three similar code execution bugs. The fix for Adobe Bridge fixes five Critical-rated code execution bugs plus two memory leaks. After Effects also has a memory leak to go along with three code execution bugs. The patch for FrameMaker also contains a mix of code execution and memory leak fixes.

The patch for Adobe Connect fixes a security feature bypass bug, although Adobe doesn’t provide any further info on what’s being bypassed. The fix for InDesign corrects a denial of service caused by a NULL pointer deref. Finally, the fix for Adobe Substance 3D Stager doesn’t actually address any new CVEs. However, Adobe is updating third-party libraries used by the 3D modeling tool.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for February 2023

This month, Microsoft released 75 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Exchange Server; .NET Core and Visual Studio Code; 3D Builder and Print 3D; Microsoft Azure and Dynamics 365; Defender for IoT and the Malware Protection Engine; and Microsoft Edge (Chromium-based). This is in addition to Edge CVEs previously released this month plus some third-party fixes that are now being shipped for Microsoft products. A total of eight of these CVEs were submitted through the ZDI program.

Of the patches released today, nine are rated Critical and 66 are rated Important in severity. This volume is relatively typical for a February release. However, it is unusual to see half of the release address remote code execution (RCE) bugs.

None of the new CVEs released this month are listed as publicly known, but there are two bugs listed as being exploited in the wild at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bugs under active attack:

-       CVE-2023-21715 – Microsoft Office Security Feature Bypass Vulnerability
Microsoft lists this as under active exploit, but they offer no info on how widespread these exploits may be. Based on the write-up, it sounds more like a privilege escalation than a security feature bypass, but regardless, active attacks in a common enterprise application shouldn’t be ignored. It’s always alarming when a security feature is not just bypassed but exploited. Let’s hope the fix comprehensively addresses the problem.

-       CVE-2023-23376 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
This is the other bug under active attack in February, and sadly, there’s just a little solid information about this privilege escalation. Microsoft does note that the vulnerability would allow an attacker to exploit code as SYSTEM, which would allow them to completely take over a target. This is likely being chained with an RCE bug to spread malware or ransomware. Considering this was discovered by Microsoft’s Threat Intelligence Center (aka MSTIC), it could mean it was used by advanced threat actors. Either way, make sure you test and roll these fixes quickly.

 -       CVE-2023-21716 – Microsoft Word Remote Code Execution Vulnerability
Normally, Word bugs don’t attract too much attention – unless the Outlook Preview Pane is an attack vector, which is the case here. This CVSS 9.8 bug could be used by an attacker to get code execution at the level of the logged-on user without user interaction. When paired with a privilege escalation bug like the one mentioned above, an attacker could completely compromise a target. If you’re logged on as an admin, escalation isn’t needed, which is another reason why you shouldn’t be logged in as an admin for non-admin tasks.

-       CVE-2023-21529 – Microsoft Exchange Server Remote Code Execution Vulnerability
There are multiple Exchange RCE bugs getting fixes this month, but this one reported by ZDI’s Piotr Bazydło stands out as it results from an incomplete fix in Exchange from last fall. While this vulnerability does require authentication, it allows any user with access to the Exchange PowerShell backend to take over an Exchange server. I know applying Exchange patches isn’t fun and usually requires weekend downtime, but these updates should still be considered a priority.

Here’s the full list of CVEs released by Microsoft for February 2023:

CVE Title Severity CVSS Public Exploited Type
CVE-2023-21715 Microsoft Office Security Feature Bypass Vulnerability Important 7.3 No Yes SFB
CVE-2023-23376 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2023-21808 .NET and Visual Studio Remote Code Execution Vulnerability Critical 8.4 No No RCE
CVE-2023-21689 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-21690 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-21692 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-21718 Microsoft SQL ODBC Driver Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2023-21716 Microsoft Word Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-23381 Visual Studio Code Remote Code Execution Vulnerability Critical 8.4 No No RCE
CVE-2023-21815 Visual Studio Remote Code Execution Vulnerability Critical 8.4 No No RCE
CVE-2023-21803 Windows iSCSI Discovery Service Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-21722 .NET Denial of Service Vulnerability Important 4.7 No No DoS
CVE-2023-23377 3D Builder Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-23390 3D Builder Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-21777 Azure App Service on Azure Stack Hub Elevation of Privilege Vulnerability Important 8.7 No No EoP
CVE-2023-21703 Azure Data Box Gateway Remote Code Execution vulnerability Important 6.5 No No RCE
CVE-2023-21564 Azure DevOps Server Cross-Site Scripting Vulnerability Important 7.1 No No XSS
CVE-2023-21553 Azure DevOps Server Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2023-23382 Azure Machine Learning Compute Instance Information Disclosure Vulnerability Important Unknown No No Info
CVE-2023-21687 HTTP.sys Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-21809 Microsoft Defender for Endpoint Security Feature Bypass Vulnerability Important 7.8 No No SFB
CVE-2023-23379 Microsoft Defender for IoT Elevation of Privilege Vulnerability Important 6.4 No No EoP
CVE-2023-21807 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 5.8 No No XSS
CVE-2023-21570 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 5.4 No No XSS
CVE-2023-21571 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 5.4 No No XSS
CVE-2023-21572 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 6.5 No No XSS
CVE-2023-21573 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 5.4 No No XSS
CVE-2023-21778 Microsoft Dynamics Unified Service Desk Remote Code Execution Important 8.3 No No RCE
CVE-2023-21706 Microsoft Exchange Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-21710 Microsoft Exchange Server Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2023-21707 Microsoft Exchange Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-21529 Microsoft Exchange Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-21704 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-21797 Microsoft ODBC Driver Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-21798 Microsoft ODBC Driver Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-21714 Microsoft Office Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-21721 Microsoft OneNote Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2023-21693 Microsoft PostScript Printer Driver Information Disclosure Important 5.7 No No Info
CVE-2023-21684 Microsoft PostScript Printer Driver Remote Code Execution Important 8.8 No No RCE
CVE-2023-21801 Microsoft PostScript Printer Driver Remote Code Execution Important 7.8 No No RCE
CVE-2023-21701 Microsoft Protected Extensible Authentication Protocol (PEAP) Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-21691 Microsoft Protected Extensible Authentication Protocol (PEAP) Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2023-21695 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2023-21717 Microsoft SharePoint Server Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2023-21568 Microsoft SQL Server Integration Service (VS extension) Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2023-21705 Microsoft SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-21713 Microsoft SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-21528 Microsoft SQL Server Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-21799 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-21685 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-21686 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-21688 NT OS Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-21806 Power BI Report Server Spoofing Vulnerability Important 8.2 No No Spoofing
CVE-2023-23378 Print 3D Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-21567 Visual Studio Denial of Service Vulnerability Important 5.6 No No DoS
CVE-2023-21566 Visual Studio Installer Elevation of Privilege Vulnerability Important 7.8 No No RCE
CVE-2023-21816 Windows Active Directory Domain Services API Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-21812 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-21820 Windows Distributed File System (DFS) Remote Code Execution Vulnerability Important 7.4 No No RCE
CVE-2023-21694 Windows Fax Service Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2023-21823 Windows Graphics Component Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-21804 Windows Graphics Component Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-21822 Windows Graphics Component Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-21800 Windows Installer Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-21697 Windows Internet Storage Name Service (iSNS) Server Information Disclosure Vulnerability Important 6.2 No No Info
CVE-2023-21699 Windows Internet Storage Name Service (iSNS) Server Information Disclosure Vulnerability Important 5.3 No No Info
CVE-2023-21700 Windows iSCSI Discovery Service Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-21811 Windows iSCSI Service Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-21702 Windows iSCSI Service Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-21817 Windows Kerberos Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-21802 Windows Media Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-21805 Windows MSHTML Platform Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-21813 Windows Secure Channel Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-21819 Windows Secure Channel Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-21818 Windows Secure Channel Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2019-15126 * MITRE: CVE-2019-15126 Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device Medium 3.1 No No Info

* Indicates this CVE had previously been assigned by a 3rd-party and is now being incorporated into Microsoft products.

Taking a look at the remaining Critical-rated patches, there are three CVSS 9.8 bugs in Microsoft’s Protected Extensible Authentication Protocol (PEAP), but it doesn’t appear this protocol is used much anymore. Of more concern is the CVSS 9.8 bug in the iSCSI Discovery Service. Datacenters with storage area networks (SANs) should definitely check with their vendors to see if their SAN is impacted by the RCE vulnerability. The bug in SQL would require someone to connect to a malicious SQL server via ODBC. That seems somewhat unlikely. However, you will need to review the bulletin closely to ensure you get the right fixes for your release of SQL Server. Finally, there are three fixes for Critical-rated .NET and Visual Studio bugs. These appear to be open-and-own bugs, but Microsoft provides no further details about these vulnerabilities.

Moving on to the other code execution bugs, the aforementioned Exchange fixes stand out the most. And while there are no Print Spooler bugs getting fixed this month, there are two bugs in the PostScript Printer Driver that could allow an authenticated attacker to take over a system sharing a printer. There are quite a few fixes for SQL Server. Exploiting these would require an affected system to connect to a malicious SQL Server – typically through ODBC. While that seems unlikely, I’m more concerned about the various servicing scenarios between all the available versions of SQL Server. There are two bugs in 3D Builder and one bug in Print 3D that were discovered by ZDI’s Mat Powell. These require fixes from the Microsoft Store, so follow the guidance here if these apps don’t automatically update. The bug in the MSHTML Platform came through the ZDI program. This specific flaw exists within the processing of certain image file types that can contain script tags. Under limited circumstances, crafted data in an image can lead to the execution of untrusted script. The bug in Windows Media was reported by ZDI’s Hossein Lotfi. In this case, the vulnerability resides within the handling of color conversion. It results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory.

The bug in Azure Data Box Gateway requires high privileges to exploit, but that’s not the case for Azure DevOps Server vulnerability. An attacker only needs to have only Run access to the pipeline. However, not every pipeline is vulnerable. Unfortunately, Microsoft doesn’t provide information on how to distinguish the affected and non-affected pipelines. The bug in Dynamics is interesting, too. While it does require authentication, an attacker might be able to call the target’s local files in the Resources directory and execute Windows commands that are outside of the Dynamics application. There are a couple of other mundane RCE bugs, but they do allow us to remind you the Fax Service is still a thing. The final RCE bug is the lone Moderate-rated bug this month for Edge (Chromium-based).

There’s a small amount of Elevation of Privilege (EoP) bugs receiving patches this month, and the majority of these require the attacker to execute their code on a target to escalate privileges – typically to SYSTEM. There are a couple of fixes that merit further discussion. The first is in the Azure App Service. While it does require authentication, a successful attack could allow the attacker to gain the ability to interact with other tenants’ applications and content. The bug in SharePoint requires two patches to resolve the vulnerability depending on your configuration. The fix for Defender for IoT requires a new version of the software to be installed through the management console.

In addition to the security feature bypass (SFB) under active attack, there’s an SFB fix for Defender for Endpoint worth mentioning. The bug allows the Attack Surface Reduction blocking feature to be bypassed when opening a malicious file.

Looking at the information disclosure bugs receiving fixes this month, all but one results in info leaks consisting of unspecified memory contents. The outlier is the bug in Azure Machine Learning Compute. This vulnerability could allow an attacker to recover cleartext passwords from error logs, which is generally classified as a Bad Thing™. This vulnerability was reported by Nitesh Surana of Project Nebula – a part of Trend Micro Research.

The February release fixes 10 different Denial-of-Service (DoS) bugs. For most of these, Microsoft provides no real detail about these bugs, so it isn’t clear if successful exploitation results in the service stopping or the system crashing. There is a bit of information about the DoS in Visual Studio. An authenticated attacker could use this vulnerability to replace one file with another when executing the Visual Studio installer.

The spoofing bug in Power BI is rated as Important and could allow an attacker to modify the contents of a reports file. This could also result in running JavaScript running. There’s not much information about the OneNote spoofing bug, but note depending on the version of OneNote, you may need to access the Microsoft or Google Play store for the update.

Finally, there are six cross-site scripting (XSS) bugs in Dynamics 365 and Azure DevOps.

No advisories were released this month.

Looking Ahead

The next Patch Tuesday will be on March 14, and we’ll return with details and patch analysis then. Be sure to catch the live edition of the Patch Report webcast on our YouTube channel. I’ll be answering your questions about the release direct from Pwn2Own Miami. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

...



📌 The February 2023 Security Update Overview


📈 29.33 Punkte

📌 Overview of Content Published In February


📈 21.9 Punkte

📌 Overview of Content Published In February


📈 21.9 Punkte

📌 Overview of Content Published In February


📈 21.9 Punkte

📌 Overview of Content Published In February


📈 21.9 Punkte

📌 Title: Overview of Content Published In February


📈 21.9 Punkte

📌 Title: Overview of Content Published In February


📈 21.9 Punkte

📌 Overview of Content Published in February


📈 21.9 Punkte

📌 Overview of Content Published in February


📈 21.9 Punkte

📌 Overview of Content Published in February


📈 21.9 Punkte

📌 February's Patch Tuesday (February 10, 2016)


📈 19.92 Punkte

📌 February's Patch Tuesday (February 10, 2016)


📈 19.92 Punkte

📌 Cyber Security Market study provides Worldwide Overview and Forecast by the year 2023


📈 16.86 Punkte

📌 OWASP Top 10: Security Misconfiguration Security Vulnerability Practical Overview


📈 15.77 Punkte

📌 Microsoft Edge's February 2023 update will disable Internet Explorer 11


📈 15.48 Punkte

📌 Microsoft rolling out February 2023 firmware update for Surface Pro 7


📈 15.48 Punkte

📌 February 2023 Surface Pro 7 firmware update is live, featuring speaker audio output fix


📈 15.48 Punkte

📌 Microsoft starts pushing February 2023 firmware update to Surface Pro 7+


📈 15.48 Punkte

📌 Microsoft pushes February 2023 firmware update to Surface Duo and Duo 2


📈 15.48 Punkte

📌 An Overview of India’s Digital Personal Data Protection Act (2023) | UpGuard


📈 14.94 Punkte

📌 Overview of IoT threats in 2023


📈 14.94 Punkte

📌 Learn Ethical hacking in 2023 (detailed overview)


📈 14.94 Punkte

📌 2023 MacBook Pro M3 Max: Performance Overview (video)


📈 14.94 Punkte

📌 Windows 11 April 2023 updates overview, everything you need to know


📈 14.94 Punkte

📌 Get the Windows February 2023 Patch Tuesday security updates


📈 14.88 Punkte

📌 SAP’s February 2023 Security Updates Patch High-Severity Vulnerabilities


📈 14.88 Punkte

📌 Latest Cyberthreats and Advisories – February 17, 2023 | IT Security News


📈 14.88 Punkte

📌 Latest Cyberthreats and Advisories – February 17, 2023 | IT Security News


📈 14.88 Punkte

📌 Update: pecheck.py Version 0.6.0 – Overview Of Resources


📈 14.45 Punkte

📌 Update: pecheck.py Version 0.6.0 – Overview Of Resources


📈 14.45 Punkte

📌 Update: pecheck.py Version 0.6.0 – Overview Of Resources


📈 14.45 Punkte

📌 Update: pecheck.py Version 0.6.0 – Overview Of Resources


📈 14.45 Punkte

📌 Gamma Text Editor - overview (Beta 0.0.2) - Progress update


📈 14.45 Punkte

📌 Thank you Mint team for this. Now we have better overview & control with flatpak update. Donation is on its way.


📈 14.45 Punkte

📌 The February 2019 Security Update Review


📈 14.39 Punkte











matomo