{"id":21237,"date":"2023-02-14T13:20:53","date_gmt":"2023-02-14T21:20:53","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/02\/14\/news-14969\/"},"modified":"2023-02-14T13:20:53","modified_gmt":"2023-02-14T21:20:53","slug":"news-14969","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/02\/14\/news-14969\/","title":{"rendered":"A diverse set of fixes in February\u2019s Patch Tuesday release"},"content":{"rendered":"<p><strong>Credit to Author: Matt Wixey| Date: Tue, 14 Feb 2023 19:23:22 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>Microsoft on Tuesday released patches for 75 vulnerabilities in 12 Microsoft product families, including eight Critical-severity issues in the Protected Extensible Authentication Protocol (PEAP), the iSCSI Discovery Service, Office, and .NET and Visual Studio. As in previous months, the lion\u2019s share of the vulnerabilities affect Windows, with 32 fixes. Microsoft Dynamics 365 and .NET and Visual Studio have the next-largest collections, with six; followed by Office and Azure at five apiece.<\/p>\n<p>The remainder are spread out among a variety of product families, including Power BI, PostScript, OLE DB, MSSQL, and ODBC. 
3D Builder also features again this month, although to a lesser extent: two remote code execution bugs this time, following on from January\u2019s 14.<\/p>\n<p>However, none of the issues this month have been publicly disclosed, and only two appear to have been exploited in the wild: CVE-2023-21715, an Important-grade Security Feature Bypass in Microsoft Office, and CVE-2023-23376, an Important-grade Elevation of Privilege bug in the Windows Common Log File System Driver.<\/p>\n<h4>By the numbers<\/h4>\n<ul>\n<li>Total Microsoft CVEs: 75<\/li>\n<li>Total advisories shipping in update: 0<\/li>\n<li>Publicly disclosed: 0<\/li>\n<li>Exploited: 2<\/li>\n<li>Exploitation more likely in latest version: 11<\/li>\n<li>Exploitation more likely in older versions: 3<\/li>\n<li>Severity\n<ul>\n<li>Critical: 8<\/li>\n<li>Important: 67<\/li>\n<\/ul>\n<\/li>\n<li>Impact\n<ul>\n<li>Remote Code Execution: 35<\/li>\n<li>Elevation of Privilege: 12<\/li>\n<li>Denial of Service: 10<\/li>\n<li>Information Disclosure: 8<\/li>\n<li>Spoofing: 8<\/li>\n<li>Security Feature Bypass: 2<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/230213-sev-imp.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-89847\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/230213-sev-imp.png\" alt=\"Bar chart showing severity and impact for February's patches; reiterates text.\" width=\"640\" height=\"418\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/230213-sev-imp.png 855w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/230213-sev-imp.png?resize=300,196 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/230213-sev-imp.png?resize=768,502 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><em>Figure 1: Remote code execution vulnerabilities have a big outing in February, accounting for nearly half of all February 
patches<\/em><\/a><\/p>\n<h4>Products<\/h4>\n<ul>\n<li>Windows: 32<\/li>\n<li>.NET and Visual Studio: 6<\/li>\n<li>Dynamics: 6<\/li>\n<li>Office: 5<\/li>\n<li>Azure: 5<\/li>\n<li>ODBC: 4<\/li>\n<li>MSSQL: 4<\/li>\n<li>Exchange: 4<\/li>\n<li>PostScript: 3<\/li>\n<li>OLE DB: 3<\/li>\n<li>Defender: 2<\/li>\n<li>Power BI: 1<\/li>\n<\/ul>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/230213-prods.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-89846\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/230213-prods.png\" alt=\"Bar chart showing February's Patch Tuesday counts; reiterates article text.\" width=\"640\" height=\"445\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/230213-prods.png 796w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/230213-prods.png?resize=300,208 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/230213-prods.png?resize=768,534 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><em>Figure 2: February&#8217;s patch set is unusually diverse, with twelve product families represented, but Windows still rules the roost<\/em><\/a><\/p>\n<h4><strong>Notable February updates<\/strong><\/h4>\n<p><strong>CVE-2023-21689; CVE-2023-21690; and CVE-2023-21692: Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerabilities<\/strong><\/p>\n<p>Among the five PEAP-related vulnerabilities in this month\u2019s release are three Critical-severity remote code execution vulnerabilities, all with a CVSS BaseScore of 9.8. Exploiting CVE-2023-21690 and CVE-2023-21692 would entail crafting malicious PEAP packets and sending them to a targeted server. 
For all three bugs, the attack complexity is low, and no privileges or user interaction are required.<\/p>\n<p><strong>CVE-2023-21808; CVE-2023-21815; and CVE-2023-23381: .NET and Visual Studio\/Visual Studio Remote Code Execution Vulnerabilities<\/strong><\/p>\n<p>All three of these issues are Critical-severity bugs with low attack complexity, and they require no privileges or user interaction for exploitation. While the issue is categorized as Remote Code Execution, the attack itself is carried out locally. All three have a CVSS BaseScore of 8.4.<\/p>\n<p><strong>CVE-2023-21716: Microsoft Word Remote Code Execution Vulnerability<\/strong><\/p>\n<p>Another Critical-severity Remote Code Execution vulnerability, CVE-2023-21716 has a CVSS BaseScore of 9.8, with low attack complexity and no authentication required. To exploit this bug, an attacker could send a malicious email containing an RTF payload. The Preview Pane is an attack vector, suggesting that little or no user interaction would be required for successful exploitation. However, Microsoft rate exploitation as less likely to occur for this vulnerability. Microsoft advise that the Microsoft Office File Block policy is a workaround for this issue and will prevent Office from opening RTF documents from unknown or untrusted sources. For example, in Office 2016, this would involve setting the RtfFiles DWORD value to 2 and the OpenInProtectedView DWORD value to 0 in the subkey: HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\FileBlock. However, users should bear in mind that directly editing the Registry comes with risks.<\/p>\n<p><strong>CVE-2023-21809: Microsoft Defender for Endpoint Security Feature Bypass Vulnerability<\/strong><\/p>\n<p>A vulnerability which may be particularly attractive to threat actors, CVE-2023-21809 is an Important-rated Security Feature Bypass vulnerability. 
If successfully exploited, an attacker may be able to bypass the Windows Defender Attack Surface Reduction (ASR) blocking feature. However, to exploit it, an attacker would need to trick a user into running malicious files.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/230213-cumulative.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-89845\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/230213-cumulative.png\" alt=\"Bar chart showing cumulative totals for 2023 Microsoft patches; remote code execution accounts for the highest percentage of patches so far this year.\" width=\"640\" height=\"410\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/230213-cumulative.png 875w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/230213-cumulative.png?resize=300,192 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/230213-cumulative.png?resize=768,492 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><em>Figure 3: RCE issues account for a third of all 2023 Microsoft patches so far, with elevation of privileges issues addressed in another quarter of the patches released<\/em><\/a><\/p>\n<h4><strong>Sophos protections<\/strong><\/h4>\n<p>As you can every month, if you don\u2019t want to wait for your system to pull down Microsoft\u2019s updates itself, you can download them manually from the Windows Update Catalog website. 
Run the winver.exe tool to determine which build of Windows 10 or 11 you\u2019re running, then download the Cumulative Update package for your particular system\u2019s architecture and build number.<\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2023\/02\/14\/a-diverse-set-of-fixes-in-februarys-patch-tuesday-release\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/shutterstock_149562527.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Wixey| Date: Tue, 14 Feb 2023 19:23:22 +0000<\/strong><\/p>\n<p>Patches for Power BI, PEAP, PostScript, Exchange, and 3D Builder<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[28339,13617,28630,28631,28632,28624,28625,28633,28634,28635,28636,28626,28627,28637,28638,15616,10516,10909,28639,12147,26100,19245,28640,28641,27030,16771,23687,10525],"class_list":["post-21237","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-3d-builder","tag-azure","tag-cve-2023-21689","tag-cve-2023-21690","tag-cve-2023-21692","tag-cve-2023-21715","tag-cve-2023-21716","tag-cve-2023-21808","tag-cve-2023-21809","tag-cve-2023-21812","tag-cve-2023-21815","tag-cve-2023-21823","tag-cve-2023-23376","tag-cve-2023-23381","tag-dynamics","tag-exchange","tag-microsoft","tag-microsoft-office","tag-microsoft-windows-defender","tag-mssql","tag-odbc","tag-patch-tuesday","tag-peap","tag-postscript","tag-sophos-x-ops","tag-threat-research","tag-visual-studio","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21237","targetHints":{"allo
w":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21237"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21237\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21237"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21237"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21237"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}