78 new CVEs patched in this month's batch — nearly half of which are remotely executable and three of which attackers already are exploiting.


Microsoft has issued fixes for three zero-day bugs that attackers are actively exploiting in the wild.

One of them, tracked as CVE-2023-21715, is a security feature bypass vulnerability in Microsoft Office that gives attackers a way to bypass Office macro policies for blocking untrusted files and content. The second is an elevation-of-privilege vulnerability in Windows Common Log File System Driver (CVE-2023-23376), which allows an attacker to gain system-level privileges. The third is CVE-2023-21823, a remote code execution (RCE) bug in the Windows Graphics Component which also enables an attacker to gain system-level access.

The Zero-Day Trio

The three zero-day vulnerabilities were part of a substantially larger set of 78 new CVEs that Microsoft disclosed in its monthly security update Tuesday. The company assessed nine of these flaws as being of "critical" severity and 66 as presenting an "important" threat to organizations.

Nearly half the vulnerabilities (38) that Microsoft disclosed this month were remote code execution (RCE) bugs — a category of flaws that security researchers consider especially serious. Elevation-of-privilege bugs represented the next highest category, followed by denial-of-service flaws and spoofing vulnerabilities.

Dustin Childs, head of threat awareness at Trend Micro's ZDI, which reported eight of the vulnerabilities in this month's update, says all the bugs that are under active attack represent a critical risk because threat actors are already using them.

"The Graphics Component bug (CVE-2023-21823) makes me worry on two accounts," Childs says. "Since this was found by Mandiant, it was likely discovered by a team working an incident response." That means it's unclear how long threat actors might have been using it. Also worrisome is that the update is available through the Microsoft store, he notes.

"People who are either disconnected or otherwise blocked from the store will need to manually apply the update," he says.

Childs says that based on Microsoft's description of CVE-2023-21715, the security feature bypass vulnerability in Microsoft Office sounds more like an elevation-of-privilege issue. "It's always alarming when a security feature is not just bypassed but exploited. Let's hope the fix comprehensively addresses the problem."

Ultimately, all three bugs that attackers are actively exploiting are of concern. But a threat actor would still need to use each of these bugs in combination with some form of a code execution bug to take over a system, Childs says.

Automox recommends that organizations using Microsoft 365 Applications for Enterprise patch CVE-2023-21715 within 24 hours. "This vulnerability is an actively exploited zero-day that allows attackers to craft a file to bypass Office security features," Automox said in a blog post. It allows attackers to "potentially execute malicious code on end-user devices if they can coerce users to download and open files on vulnerable devices via social engineering."
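Because CVE-2023-21715 is described as a bypass of the Office macro-blocking policies, the practical defender check is to confirm those policies are actually in force on endpoints and that downloaded documents carry the Mark of the Web the policies key on. The PowerShell below is an added example, not code from the article, Microsoft or Automox; it assumes Office 2016/Microsoft 365 (the `16.0` registry branch) and uses the standard `blockcontentexecutionfrominternet` and `VBAWarnings` policy values.

```powershell
# Added example (not from the article): audit the Office macro-blocking
# policy and check downloaded documents for the Mark of the Web
# (Zone.Identifier stream). Assumes the Office 16.0 registry branch.
# Run as the user whose Office settings you want to inspect.

$apps = 'Word', 'Excel', 'PowerPoint'

function Get-MacroPolicy {
    param([string]$App)
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\16.0\$App\Security"

    # 1 = "Block macros from running in Office files from the Internet" (policy)
    $blockInternet = (Get-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    #              3 = disable except digitally signed, 4 = disable all
    $vbaWarnings = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    if ($null -eq $vbaWarnings) {
        # No policy value: fall back to the user's own Trust Center setting
        $vbaWarnings = (Get-ItemProperty -Path $userKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    }

    [pscustomobject]@{
        App               = $App
        BlockFromInternet = ($blockInternet -eq 1)
        VBAWarnings       = $vbaWarnings
        MacrosDisabled    = ($vbaWarnings -in 3, 4)
    }
}

function Test-MarkOfTheWeb {
    param([string]$Path)
    # Browsers and mail clients write the Zone.Identifier alternate data
    # stream; ZoneId=3 (Internet) / 4 (Restricted) is what makes the
    # "block macros from the Internet" policy apply to a file.
    $ads = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) {
        return [pscustomobject]@{ Path = $Path; HasMotw = $false; ZoneId = $null }
    }
    $zone = $null
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1] }
    }
    [pscustomobject]@{ Path = $Path; HasMotw = $true; ZoneId = $zone }
}

# 1. Report the effective macro policy per application
$apps | ForEach-Object { Get-MacroPolicy -App $_ } | Format-Table -AutoSize

# 2. List recently downloaded Office files that carry no MOTW: the
#    Internet-macro block never applies to those, so they deserve a look.
Get-ChildItem "$env:USERPROFILE\Downloads" -Recurse -Include *.docm, *.xlsm, *.pptm, *.doc, *.xls |
    ForEach-Object { Test-MarkOfTheWeb -Path $_.FullName } |
    Where-Object { -not $_.HasMotw } |
    Format-Table -AutoSize
```

A machine where `BlockFromInternet` is false or `VBAWarnings` is 1 relies entirely on user judgement, so it is the first place to apply the patch and tighten policy. Files without a `Zone.Identifier` stream are not necessarily malicious (archives and some transfer tools strip it), but they are exactly the ones the policy cannot protect against.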

New Exchange Server Threats

Satnam Narang, senior staff research engineer at Tenable, highlighted three Microsoft Exchange Server vulnerabilities (CVE-2023-21706, CVE-2023-21707, CVE-2023-21529) as issues that organizations should note because Microsoft has identified them as flaws that attackers are more likely to exploit.

"Over the last few years, Microsoft Exchange Servers around the world have been pummeled by multiple vulnerabilities, from ProxyLogon to ProxyShell, to more recently ProxyNotShell, OWASSRF and TabShell," Narang said in a statement.

Exchange flaws have become valuable commodities for state-sponsored threat actors in recent years, he said. "We strongly suggest organizations that rely on Microsoft Exchange Server to ensure they've applied the latest Cumulative Updates for Exchange Server."
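Checking that every Exchange server is actually on the approved Cumulative/Security Update is a routine most teams script. The snippet below is an added example, not code from the article, Tenable or Microsoft; it assumes it runs in the Exchange Management Shell with WinRM access to each server, and `$requiredBuild` is a placeholder you replace with the build number of the update you are deploying (the article does not list it).

```powershell
# Added example (not from the article): compare each Exchange server's
# installed build with an approved minimum. $requiredBuild is a placeholder;
# take the real value from Microsoft's Exchange build-number table.

$requiredBuild = [version]'15.2.0.0'   # PLACEHOLDER: replace with approved build

function Get-ExchangeBuild {
    param([string]$Server)
    # ExSetup.exe's file version is the reliable build number for a server;
    # AdminDisplayVersion does not always reflect a Security Update.
    $fileVersion = Invoke-Command -ComputerName $Server -ScriptBlock {
        (Get-Command "$env:ExchangeInstallPath\bin\ExSetup.exe").FileVersionInfo.FileVersion
    }
    [version]$fileVersion
}

Get-ExchangeServer | ForEach-Object {
    $build = Get-ExchangeBuild -Server $_.Name
    [pscustomobject]@{
        Server   = $_.Name
        Build    = $build
        UpToDate = ($build -ge $requiredBuild)
    }
} | Format-Table -AutoSize
```

Servers reported as not up to date should be treated as exposed to the three Exchange CVEs above until the update is confirmed installed and the server rebooted; a build that matches the CU but not the SU is the common miss.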

RCE Bugs in Microsoft PEAP

Researchers at Cisco's Talos threat intelligence group, meanwhile, pointed to three RCE bugs in Microsoft Protected Extensible Authentication Protocol (PEAP) as being among the most critical bugs in Microsoft's security update for February 2023.

The flaws, tracked as CVE-2023-21689, CVE-2023-21690 and CVE-2023-21692, allow an authenticated attacker to attempt to trigger malicious code in the context of the server's account.

"Almost all Windows versions are vulnerable, including the latest Windows 11," the company said in a statement.

CVE-2023-21689 — one of the three critical vulnerabilities in PEAP — allows attackers to get server accounts to trigger malicious code via a network call, according to Automox.

"Since this vulnerability is very likely to be targeted and is relatively simple for attackers to exploit, we recommend patching or ensuring that PEAP is not configured as an allowed EAP type in your network policy," the company said in its post. Affected organizations — those that have Windows clients with Network Policy Server running and have a policy that allows PEAP — should patch the flaw within 72 hours, Automox advised.
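Automox's affected-population definition (servers running Network Policy Server with a policy that allows PEAP) translates directly into an inventory task. The PowerShell below is an added example, not code from the article, Automox or Microsoft; it assumes an Active Directory domain, WinRM access to member servers, and a placeholder KB number (`$kb`) that you replace with the February 2023 update for each server's OS build, since the article does not list it.

```powershell
# Added example (not from the article): locate servers with the NPS role,
# check whether the placeholder KB is installed, and export each server's
# NPS configuration so network policies can be reviewed for PEAP as an
# allowed EAP type. Replace $kb with the real KB for each OS build.

$kb      = 'KB_PLACEHOLDER'
$servers = (Get-ADComputer -Filter 'OperatingSystem -like "*Server*"').Name

Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    # NPAS = Network Policy and Access Services; skip servers without it
    $role = Get-WindowsFeature -Name NPAS
    if (-not $role.Installed) { return }

    $patched = [bool](Get-HotFix -Id $using:kb -ErrorAction SilentlyContinue)

    # Export-NpsConfiguration writes the full NPS configuration, including
    # network policies and their allowed EAP types, as XML for offline review.
    $exportDir = 'C:\Temp'
    New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
    $export = Join-Path $exportDir "nps-$env:COMPUTERNAME.xml"
    Export-NpsConfiguration -Path $export

    [pscustomobject]@{
        Server     = $env:COMPUTERNAME
        NpsRole    = $true
        Patched    = $patched
        ConfigDump = $export
    }
} | Format-Table -AutoSize
```

Two caveats from practice: `Export-NpsConfiguration` includes RADIUS shared secrets, so collect and delete the dumps through a controlled channel; and a server that shows `Patched = $false` with PEAP still enabled in its exported policies is the one Automox's 72-hour window is aimed at.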

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
