The Microsoft February 2023 Security Updates include patches and advisories for 79 vulnerabilities, including 9 Critical-severity remote code execution issues and three zero-days exploited in the wild.
A remote attacker could exploit some of these vulnerabilities to take control of unpatched systems.
In all, the Microsoft monthly security updates fix vulnerabilities in the following products, features and roles:
- .NET and Visual Studio
- .NET Framework
- 3D Builder
- Azure App Service
- Azure Data Box Gateway
- Azure DevOps
- Azure Machine Learning
- Internet Storage Name Service
- Microsoft Defender for Endpoint
- Microsoft Defender for IoT
- Microsoft Dynamics
- Microsoft Edge (Chromium-based)
- Microsoft Exchange Server
- Microsoft Graphics Component
- Microsoft Office
- Microsoft Office OneNote
- Microsoft Office Publisher
- Microsoft Office SharePoint
- Microsoft Office Word
- Microsoft PostScript Printer Driver
- Microsoft WDAC OLE DB provider for SQL
- Microsoft Windows Codecs Library
- Power BI
- SQL Server
- Visual Studio
- Windows Active Directory
- Windows ALPC
- Windows Common Log File System Driver
- Windows Cryptographic Services
- Windows Distributed File System (DFS)
- Windows Fax and Scan Service
- Windows HTTP.sys
- Windows Installer
- Windows iSCSI
- Windows Kerberos
- Windows MSHTML Platform
- Windows ODBC Driver
- Windows Protected EAP (PEAP)
- Windows SChannel
- Windows Win32K.
Readers can check out the February 2023 Security Updates and also download more vulnerability and patch details via Microsoft’s Security Update Guide.
Microsoft patched three zero-day vulnerabilities exploited in the wild on February 14, 2023:
- CVE-2023-21715 (CVSS 7.3): Security Features Bypass Vulnerability in Microsoft Publisher (delivered with Microsoft 365 Apps for Enterprise) that lets an attacker bypass Office macro policies used to block untrusted or malicious files. Microsoft also mentioned that an authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website, which could lead to a local attack on the victim's computer.
- CVE-2023-21823 (CVSS 7.8): Windows Graphics Component Remote Code Execution Vulnerability that affects the Windows Graphics Component used in various products such as Windows OS, Office desktop, and Mobile Apps. An attacker who successfully exploited this vulnerability could execute code with SYSTEM privileges.
- CVE-2023-23376 (CVSS 7.8): Windows Common Log File System Driver Elevation of Privilege Vulnerability. An attacker who successfully exploited this vulnerability could execute code with SYSTEM privileges.
Microsoft rated each of these zero-day vulnerabilities as “Important” and confirmed “exploitation detected” for each of them.
In addition, Microsoft patched the following nine Critical Remote Code Execution (RCE) vulnerabilities (along with CVSS score) on February 14, 2023:
- CVE-2023-21689: Microsoft Protected Extensible Authentication Protocol (PEAP) RCE Vulnerability (CVSS 9.8)
- CVE-2023-21690: Microsoft Protected Extensible Authentication Protocol (PEAP) RCE Vulnerability (CVSS 9.8)
- CVE-2023-21692: Microsoft Protected Extensible Authentication Protocol (PEAP) RCE Vulnerability (CVSS 9.8)
- CVE-2023-21716: Microsoft Word RCE Vulnerability (CVSS 9.8)
- CVE-2023-21718: Microsoft SQL ODBC Driver RCE Vulnerability (CVSS 7.8)
- CVE-2023-21803: Windows iSCSI Discovery Service RCE Vulnerability (CVSS 9.8)
- CVE-2023-21808: .NET and Visual Studio RCE Vulnerability (CVSS 8.4)
- CVE-2023-21815: Visual Studio RCE Vulnerability (CVSS 8.4)
- CVE-2023-23381: Visual Studio RCE Vulnerability (CVSS 8.4).
Microsoft warned that each of the PEAP RCE vulnerabilities (CVE-2023-21689, CVE-2023-21690, and CVE-2023-21692) has a higher likelihood of being exploited.
The software giant further rated exploitation of the other six RCEs as “Less Likely”.
Moreover, Microsoft addressed 70 other vulnerabilities rated Important in multiple products on February 14, 2023. This includes the previously mentioned zero-days (CVE-2023-21715, CVE-2023-21823, and CVE-2023-23376).
The patched issues include Denial of Service (10), Elevation of Privilege (12), Information Disclosure (7), Remote Code Execution (31), Security Feature Bypass (8), and Spoofing (2) issues.
The Microsoft Security updates also addressed 16 Chrome vulnerabilities.
Finally, Adobe also released 9 advisories addressing 34 vulnerabilities (19 rated Critical) in the following products: Adobe After Effects (3 Critical), Adobe Connect (0 Critical), Adobe FrameMaker (3 Critical), Adobe Bridge (5 Critical), Adobe Photoshop (3 Critical), Adobe InDesign (0 Critical), Adobe Premiere Rush (2 Critical), Adobe Animate (3 Critical), and Adobe Substance 3D (0 Critical).