Patch Tuesday 02/2023 - Microsoft releases patches for three actively exploited Windows zero-day vulnerabilities
by Tina Siering
Patch Tuesday 02/23: Microsoft has released security updates for 75 vulnerabilities in its product portfolio for February 2023.
In total, 9 of the 75 vulnerabilities are classified as "critical" and 66 as "important". 37 of the 75 vulnerabilities are classified as Remote Code Execution (RCE). The following three zero-days(!) are already being actively exploited:
CVE-2023-21715 (CVSS rating: 7.3) - Security feature bypass vulnerability in Microsoft Office
CVE-2023-21823 (CVSS rating: 7.8) - Elevation of privilege vulnerability in the Windows Graphics Component
CVE-2023-23376 (CVSS rating: 7.8) - Elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver
CVE-2023-21715 is a vulnerability that allows attackers to bypass a security feature in Microsoft Publisher, more specifically the Office macro policies designed to block untrusted or malicious files.
"The attack itself is performed locally by a user who is authenticated to the target system. An authenticated attacker could exploit the vulnerability by using social engineering to trick a victim into downloading and opening a specially crafted file from a website, which could lead to a local attack on the victim's computer," Microsoft explained.
CVE-2023-21823 is a vulnerability in the Windows graphics component that could allow remote code execution and complete takeover of a vulnerable system.
"The Microsoft Store will automatically update affected customers," Microsoft said. Those who have automatic updates disabled should get them from the Microsoft Store (go to: Library > Get Updates > Update all).
Unfortunately, Microsoft has not disclosed details of the attacks that exploit these vulnerabilities.
CVE-2023-23376 is a vulnerability in the Windows Common Log File System that could allow attackers to gain SYSTEM privileges on a target host.
It is likely that the attack is combined with an RCE bug to spread malware or ransomware. Since this was discovered by the Microsoft Threat Intelligence Center (MSTIC), it could mean that advanced threat actors are already using it.
We recommend that IT security managers immediately apply the security updates provided by the vendor to permanently close the vulnerabilities.
Further information can also be found at: https://msrc.microsoft.com/update-guide/.