The February 2023 Security Update Overview
Welcome to the second patch Tuesday of 2023. On this romantic holiday, Microsoft and Adobe have released their latest security patches as Valentine’s gifts for us all. Take a break from your regularly scheduled activities (or Pwn2Own Miami) and join us as we review the details of their latest security offerings.
Adobe Patches for February 2023
For February, Adobe released nine patches addressing 28 CVEs in Adobe Photoshop, Substance 3D Stager, Animate, InDesign, Bridge, FrameMaker, Connect, Premiere Rush, and After Effects. A total of 21 of these were reported by ZDI vulnerability researcher Mat Powell. Probably the most interesting fix is for Photoshop. This patch fixes five bugs, three of which are rated Critical. An attacker could get arbitrary code execution if they can convince a user on an affected system to open a malicious file. This is the same scenario for Premiere Rush, which corrects two Critical-rated code execution bugs. The Animate patch also fixes three similar code execution bugs. The fix for Adobe Bridge addresses five Critical-rated code execution bugs plus two memory leaks. After Effects also has a memory leak to go along with three code execution bugs. The patch for FrameMaker likewise contains a mix of code execution and memory leak fixes.
The patch for Adobe Connect fixes a security feature bypass bug, although Adobe doesn’t provide any further info on what’s being bypassed. The fix for InDesign corrects a denial of service caused by a NULL pointer dereference. Finally, the fix for Adobe Substance 3D Stager doesn’t actually address any new CVEs. Instead, Adobe is updating third-party libraries used by the 3D modeling tool.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe assigns all of these updates a deployment priority rating of 3, its lowest, meaning the vendor recommends installing them at the administrator’s discretion.
Microsoft Patches for February 2023
This month, Microsoft released 75 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Exchange Server; .NET Core and Visual Studio Code; 3D Builder and Print 3D; Microsoft Azure and Dynamics 365; Defender for IoT and the Malware Protection Engine; and Microsoft Edge (Chromium-based). This is in addition to Edge CVEs previously released this month plus some third-party fixes that are now being shipped for Microsoft products. A total of eight of these CVEs were submitted through the ZDI program.
Of the patches released today, nine are rated Critical and 66 are rated Important in severity. This volume is relatively typical for a February release. However, it is unusual to see half of the release address remote code execution (RCE) bugs.
None of the new CVEs released this month are listed as publicly known, but there are two bugs listed as being exploited in the wild at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bugs under active attack:
- CVE-2023-21715 – Microsoft Office Security Feature Bypass Vulnerability
Microsoft lists this as under active exploit but offers no info on how widespread these exploits may be. Based on the write-up, it sounds more like a privilege escalation than a security feature bypass, but regardless, active attacks in a common enterprise application shouldn’t be ignored. It’s always alarming when a security feature is not just bypassed but exploited in the wild. Let’s hope the fix comprehensively addresses the problem.
- CVE-2023-23376 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
This is the other bug under active attack in February, and sadly, there’s very little solid information about this privilege escalation. Microsoft does note that the vulnerability would allow an attacker to execute code as SYSTEM, which would let them completely take over a target. This is likely being chained with an RCE bug to spread malware or ransomware. Considering it was discovered by Microsoft’s Threat Intelligence Center (aka MSTIC), it may have been used by advanced threat actors. Either way, make sure you test and roll out these fixes quickly.
- CVE-2023-21716 – Microsoft Word Remote Code Execution Vulnerability
Normally, Word bugs don’t attract too much attention – unless the Outlook Preview Pane is an attack vector, which is the case here. This CVSS 9.8 bug could be used by an attacker to get code execution at the level of the logged-on user without user interaction. When paired with a privilege escalation bug like the one mentioned above, an attacker could completely compromise a target. If you’re logged on as an admin, escalation isn’t needed, which is another reason why you shouldn’t be logged in as an admin for non-admin tasks.
- CVE-2023-21529 – Microsoft Exchange Server Remote Code Execution Vulnerability
There are multiple Exchange RCE bugs getting fixes this month, but this one, reported by ZDI’s Piotr Bazydło, stands out as it results from an incomplete fix for an Exchange bug from last fall. While this vulnerability does require authentication, it allows any user with access to the Exchange PowerShell backend to take over an Exchange server. I know applying Exchange patches isn’t fun and usually requires weekend downtime, but these updates should still be considered a priority.
Here’s the full list of CVEs released by Microsoft for February 2023:
| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2023-21715 | Microsoft Office Security Feature Bypass Vulnerability | Important | 7.3 | No | Yes | SFB |
| CVE-2023-23376 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2023-21808 | .NET and Visual Studio Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
| CVE-2023-21689 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-21690 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-21692 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-21718 | Microsoft SQL ODBC Driver Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2023-21716 | Microsoft Word Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-23381 | Visual Studio Code Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
| CVE-2023-21815 | Visual Studio Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
| CVE-2023-21803 | Windows iSCSI Discovery Service Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-21722 | .NET Denial of Service Vulnerability | Important | 4.7 | No | No | DoS |
| CVE-2023-23377 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-23390 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21777 | Azure App Service on Azure Stack Hub Elevation of Privilege Vulnerability | Important | 8.7 | No | No | EoP |
| CVE-2023-21703 | Azure Data Box Gateway Remote Code Execution Vulnerability | Important | 6.5 | No | No | RCE |
| CVE-2023-21564 | Azure DevOps Server Cross-Site Scripting Vulnerability | Important | 7.1 | No | No | XSS |
| CVE-2023-21553 | Azure DevOps Server Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2023-23382 | Azure Machine Learning Compute Instance Information Disclosure Vulnerability | Important | Unknown | No | No | Info |
| CVE-2023-21687 | HTTP.sys Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-21809 | Microsoft Defender for Endpoint Security Feature Bypass Vulnerability | Important | 7.8 | No | No | SFB |
| CVE-2023-23379 | Microsoft Defender for IoT Elevation of Privilege Vulnerability | Important | 6.4 | No | No | EoP |
| CVE-2023-21807 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 5.8 | No | No | XSS |
| CVE-2023-21570 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 5.4 | No | No | XSS |
| CVE-2023-21571 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 5.4 | No | No | XSS |
| CVE-2023-21572 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 6.5 | No | No | XSS |
| CVE-2023-21573 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 5.4 | No | No | XSS |
| CVE-2023-21778 | Microsoft Dynamics Unified Service Desk Remote Code Execution Vulnerability | Important | 8.3 | No | No | RCE |
| CVE-2023-21706 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21710 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
| CVE-2023-21707 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21529 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21704 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21797 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21798 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21714 | Microsoft Office Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-21721 | Microsoft OneNote Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
| CVE-2023-21693 | Microsoft PostScript Printer Driver Information Disclosure Vulnerability | Important | 5.7 | No | No | Info |
| CVE-2023-21684 | Microsoft PostScript Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21801 | Microsoft PostScript Printer Driver Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21701 | Microsoft Protected Extensible Authentication Protocol (PEAP) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-21691 | Microsoft Protected Extensible Authentication Protocol (PEAP) Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
| CVE-2023-21695 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2023-21717 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2023-21568 | Microsoft SQL Server Integration Service (VS extension) Remote Code Execution Vulnerability | Important | 8.0 | No | No | RCE |
| CVE-2023-21705 | Microsoft SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21713 | Microsoft SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21528 | Microsoft SQL Server Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21799 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21685 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21686 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21688 | NT OS Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21806 | Power BI Report Server Spoofing Vulnerability | Important | 8.2 | No | No | Spoofing |
| CVE-2023-23378 | Print 3D Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21567 | Visual Studio Denial of Service Vulnerability | Important | 5.6 | No | No | DoS |
| CVE-2023-21566 | Visual Studio Installer Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21816 | Windows Active Directory Domain Services API Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-21812 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21820 | Windows Distributed File System (DFS) Remote Code Execution Vulnerability | Important | 7.4 | No | No | RCE |
| CVE-2023-21694 | Windows Fax Service Remote Code Execution Vulnerability | Important | 6.8 | No | No | RCE |
| CVE-2023-21823 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21804 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21822 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21800 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21697 | Windows Internet Storage Name Service (iSNS) Server Information Disclosure Vulnerability | Important | 6.2 | No | No | Info |
| CVE-2023-21699 | Windows Internet Storage Name Service (iSNS) Server Information Disclosure Vulnerability | Important | 5.3 | No | No | Info |
| CVE-2023-21700 | Windows iSCSI Discovery Service Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-21811 | Windows iSCSI Service Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-21702 | Windows iSCSI Service Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-21817 | Windows Kerberos Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21802 | Windows Media Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21805 | Windows MSHTML Platform Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21813 | Windows Secure Channel Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-21819 | Windows Secure Channel Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-21818 | Windows Secure Channel Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2019-15126 * | MITRE: CVE-2019-15126 Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device | Medium | 3.1 | No | No | Info |
* Indicates this CVE had previously been assigned by a 3rd-party and is now being incorporated into Microsoft products.
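The headline numbers above (75 Microsoft CVEs, nine Critical, two exploited in the wild, roughly half RCE) and the triage order this review follows (in-the-wild first, then Critical, then code execution, then CVSS) are easy to recompute from the table itself. The following Python helper is an added example written for this page; it is not ZDI's code. It parses rows in either the single-pipe table layout or the `|a||b||c|` export layout the raw page uses, recomputes the counts, and emits a ranked patch list. The embedded rows are a constructed nine-row subset of this month's table; paste in the full table to reproduce the figures quoted in the write-up.

```python
"""Triage helper for a Patch Tuesday CVE table (added example, not ZDI code)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed subset of this month's table (nine of the 76 rows). The parser
# accepts both the single-pipe layout below and the "|a||b||c|" export layout,
# so the full table can be pasted in as-is.
SAMPLE_TABLE = """\
| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2023-21715 | Microsoft Office Security Feature Bypass Vulnerability | Important | 7.3 | No | Yes | SFB |
| CVE-2023-23376 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2023-21808 | .NET and Visual Studio Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
| CVE-2023-21689 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-21716 | Microsoft Word Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-21803 | Windows iSCSI Discovery Service Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-23382 | Azure Machine Learning Compute Instance Information Disclosure Vulnerability | Important | Unknown | No | No | Info |
| CVE-2023-21813 | Windows Secure Channel Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2019-15126 * | MITRE: CVE-2019-15126 Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device | Medium | 3.1 | No | No | Info |
"""

SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}
# Bug classes that let an attacker run code or gain rights rank ahead of the rest.
TYPE_RANK = {"RCE": 0, "EoP": 1, "SFB": 2}


@dataclass(frozen=True)
class Entry:
    cve: str
    title: str
    severity: str
    cvss: Optional[float]   # None when the bulletin lists "Unknown"
    public: bool            # publicly known at release
    exploited: bool         # exploited in the wild at release
    kind: str               # RCE, EoP, SFB, Info, DoS, XSS, Spoofing
    third_party: bool       # "*" rows: CVE assigned by a third party


def parse_row(line: str) -> Optional[Entry]:
    """Parse one pipe-delimited row; return None for header/separator rows."""
    s = line.strip()
    if not (s.startswith("|") and s.endswith("|")):
        raise ValueError(f"not a table row: {line!r}")
    fields = [f.strip() for f in re.split(r"\|\|?", s[1:-1])]
    if not fields[0].startswith("CVE-"):
        return None
    if len(fields) != 7:
        raise ValueError(f"expected 7 columns, got {len(fields)}: {line!r}")
    cve, title, severity, cvss, public, exploited, kind = fields
    third_party = cve.endswith("*")
    try:
        score: Optional[float] = float(cvss)
    except ValueError:
        score = None
    return Entry(cve.rstrip("* "), title, severity, score,
                 public == "Yes", exploited == "Yes", kind, third_party)


def parse_table(text: str) -> list[Entry]:
    """Parse every table row in text, ignoring lines that are not rows."""
    rows = (parse_row(ln) for ln in text.splitlines() if ln.lstrip().startswith("|"))
    return [e for e in rows if e is not None]


def priority_key(e: Entry) -> tuple:
    """Sort order used in the review: in the wild, then publicly known, then
    severity, then bug class, then CVSS (highest first), then CVE id."""
    return (not e.exploited, not e.public, SEVERITY_RANK.get(e.severity, 9),
            TYPE_RANK.get(e.kind, 9), -(e.cvss or 0.0), e.cve)


def prioritize(entries: list[Entry]) -> list[Entry]:
    return sorted(entries, key=priority_key)


def summarize(entries: list[Entry]) -> dict:
    """Recompute the headline numbers for Microsoft's own CVEs (third-party rows excluded)."""
    ms = [e for e in entries if not e.third_party]
    sev = Counter(e.severity for e in ms)
    kinds = Counter(e.kind for e in ms)
    return {
        "microsoft_cves": len(ms),
        "third_party": len(entries) - len(ms),
        "critical": sev["Critical"],
        "important": sev["Important"],
        "exploited": sum(e.exploited for e in ms),
        "public": sum(e.public for e in ms),
        "by_type": dict(kinds),
        "rce_share": kinds["RCE"] / len(ms) if ms else 0.0,
    }


if __name__ == "__main__":
    entries = parse_table(SAMPLE_TABLE)
    print(summarize(entries))
    for e in prioritize(entries):
        flag = "ITW " if e.exploited else "    "
        print(f"{flag}{e.severity:<9} {e.kind:<8} {e.cvss or '?':>4} {e.cve}  {e.title[:60]}")
```

A malformed row (wrong column count) raises rather than being silently mis-parsed, which matters when the table is copied out of a rendered page; a `CVSS` of `Unknown` is kept as `None` and sorts last within its severity, so it is not mistaken for a zero-risk entry.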
Taking a look at the remaining Critical-rated patches, there are three CVSS 9.8 bugs in Microsoft’s Protected Extensible Authentication Protocol (PEAP), but it doesn’t appear this protocol is used much anymore. Note that the vulnerable side is the PEAP server, so the systems to check are those running the Network Policy Server (NPS) role with a network policy that allows PEAP, which is still a common setup for 802.1X wireless and VPN authentication. Of more concern is the CVSS 9.8 bug in the iSCSI Discovery Service. Datacenters with storage area networks (SANs) should definitely check with their vendors to see if their SAN is impacted by the RCE vulnerability. The Critical-rated bug in the SQL ODBC driver would require someone to connect to a malicious SQL server via ODBC. That seems somewhat unlikely. However, you will need to review the bulletin closely to ensure you get the right fixes for your release of SQL Server. Finally, there are three fixes for Critical-rated .NET and Visual Studio bugs. These appear to be open-and-own bugs, but Microsoft provides no further details about these vulnerabilities.
Moving on to the other code execution bugs, the aforementioned Exchange fixes stand out the most. And while there are no Print Spooler bugs getting fixed this month, there are two bugs in the PostScript Printer Driver that could allow an authenticated attacker to take over a system sharing a printer. There are quite a few fixes for SQL Server. Exploiting these would require an affected system to connect to a malicious SQL Server, typically through ODBC. While that seems unlikely, I’m more concerned about the various servicing scenarios across all the available versions of SQL Server. There are two bugs in 3D Builder and one bug in Print 3D that were discovered by ZDI’s Mat Powell. These require fixes from the Microsoft Store, so follow Microsoft’s guidance on updating Store apps if they don’t update automatically. The bug in the MSHTML Platform came through the ZDI program. This specific flaw exists within the processing of certain image file types that can contain script tags. Under limited circumstances, crafted data in an image can lead to the execution of untrusted script. The bug in Windows Media was reported by ZDI’s Hossein Lotfi. In this case, the vulnerability resides within the handling of color conversion. It results from the lack of proper validation of user-supplied data, which can lead to an integer underflow before writing to memory.
The bug in Azure Data Box Gateway requires high privileges to exploit, but that’s not the case for the Azure DevOps Server vulnerability. An attacker needs only Run access to the pipeline. However, not every pipeline is vulnerable. Unfortunately, Microsoft doesn’t provide information on how to distinguish affected from non-affected pipelines. The bug in Dynamics is interesting, too. While it does require authentication, an attacker might be able to call the target’s local files in the Resources directory and execute Windows commands outside of the Dynamics application. There are a couple of other mundane RCE bugs, but they do allow us to remind you that the Fax Service is still a thing. The final RCE bug is the lone Moderate-rated bug this month, for Edge (Chromium-based).
There are a small number of Elevation of Privilege (EoP) bugs receiving patches this month, and the majority of these require the attacker to execute their code on a target to escalate privileges, typically to SYSTEM. There are a couple of fixes that merit further discussion. The first is in the Azure App Service. While it does require authentication, a successful attack could allow the attacker to interact with other tenants’ applications and content. The bug in SharePoint requires two patches to resolve the vulnerability, depending on your configuration. The fix for Defender for IoT requires a new version of the software to be installed through the management console.
In addition to the security feature bypass (SFB) under active attack, there’s an SFB fix for Defender for Endpoint worth mentioning. The bug allows the Attack Surface Reduction blocking feature to be bypassed when opening a malicious file.
Looking at the information disclosure bugs receiving fixes this month, all but one result in info leaks consisting of unspecified memory contents. The outlier is the bug in Azure Machine Learning Compute Instance. This vulnerability could allow an attacker to recover cleartext passwords from error logs, which is generally classified as a Bad Thing™. This vulnerability was reported by Nitesh Surana of Project Nebula, a part of Trend Micro Research.
The February release fixes 10 different Denial-of-Service (DoS) bugs. For most of these, Microsoft provides no real detail, so it isn’t clear if successful exploitation results in the service stopping or the system crashing. There is a bit of information about the DoS in Visual Studio. An authenticated attacker could use this vulnerability to replace one file with another when executing the Visual Studio installer.
Finally, there are six cross-site scripting (XSS) bugs in Dynamics 365 and Azure DevOps.
No advisories were released this month.
The next Patch Tuesday will be on March 14, and we’ll return with details and patch analysis then. Be sure to catch the live edition of the Patch Report webcast on our YouTube channel. I’ll be answering your questions about the release direct from Pwn2Own Miami. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!