{"id":21705,"date":"2023-04-11T13:20:54","date_gmt":"2023-04-11T21:20:54","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/04\/11\/news-15436\/"},"modified":"2023-04-11T13:20:54","modified_gmt":"2023-04-11T21:20:54","slug":"news-15436","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/04\/11\/news-15436\/","title":{"rendered":"April showers Windows updates on sysadmins"},"content":{"rendered":"<p><strong>Credit to Author: Angela Gunn| Date: Tue, 11 Apr 2023 18:34:37 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p><span data-contrast=\"auto\">Microsoft on Tuesday released patches for 98 vulnerabilities in ten product families, including 7 Critical-severity issues in Windows. As is the custom, the largest number of addressed vulnerabilities affect Windows, with 78 CVEs. Visual Studio follows with 5 CVEs; followed by Dynamics and SQL (3 each); Azure, Office, and Publisher (2 each); and Defender, .NET (counted separately from the Visual Studio patches), and SharePoint (one each).\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">At patch time, none of the issues this month has been publicly disclosed, and only one appears to be under exploit in the wild: CVE-2023-28252, an Important-severity elevation-of-privilege issue in Windows\u2019 Common Log File system driver. However, Microsoft cautions that ten of the Windows CVEs addressed are more likely to be exploited in the affected product soon (that is, within the next 30 days). 
Interestingly, eight of the ten flagged issues apply only to the latest version of Windows, not to earlier versions.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Two of those Windows issues also have a 9.8 CVSS base score (and an 8.5 temporal score), signaling to network administrators that they are worth prioritizing. CVE-2023-28231 (DHCP Server Service Remote Code Execution Vulnerability) and CVE-2023-21554 (Microsoft Message Queuing Remote Code Execution Vulnerability) are both Critical-severity RCEs submitted to Microsoft by external security researchers, and both are flagged by Microsoft as more likely to be exploited within the next 30 days. Another Critical-severity messaging issue, CVE-2023-28250 (Windows Pragmatic General Multicast [PGM] Remote Code Execution Vulnerability), also received a 9.8 CVSS score this month, though Microsoft considers exploitation of this issue less likely in the next 30 days.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">It\u2019s not a light <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/\">patch load<\/a>, but observers may find cheer in an interesting statistic: Our year-over-year numbers indicate that Microsoft is confronting far fewer elevation-of-privilege issues so far this year. As of today, Microsoft has patched 87 EoP issues; at this point last year, they\u2019d patched 125. 
(Overall year-to-year patch tallies are about even \u2013 359 patches in the first four months of 2022, 341 this year \u2013 with notable year-to-year increases in patches addressing spoofing or information-disclosure issues.)<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<h3>By the numbers<\/h3>\n<ul>\n<li>Total Microsoft CVEs: 98<\/li>\n<li>Total advisories shipping in update: 0<\/li>\n<li>Publicly disclosed: 0<\/li>\n<li>Exploited: 1<\/li>\n<li>Exploitation more likely in latest version: 9<\/li>\n<li>Exploitation more likely in older versions: 1<\/li>\n<li>Severity\n<ul>\n<li>Critical: 7<\/li>\n<li>Important: 91<\/li>\n<\/ul>\n<\/li>\n<li>Impact\n<ul>\n<li>Remote code execution: 45<\/li>\n<li>Elevation of privilege: 20<\/li>\n<li>Information disclosure: 10<\/li>\n<li>Denial of service: 9<\/li>\n<li>Security feature bypass: 7<\/li>\n<li>Spoofing: 6<\/li>\n<li>Tampering: 1<a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/figure-01.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-90999\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/figure-01-renamed-because-wp.png\" alt=\"\" width=\"640\" height=\"424\" \/><\/a><em>Figure 1: Remote code execution issues continue to dominate 2023\u2019s Patch Tuesdays<\/em><br \/> <br \/>\n<h4>Products<\/h4>\n<ul>\n<li>Windows: 78<\/li>\n<li>Visual Studio: 5 (excluding .NET; see below)<\/li>\n<li>Dynamics: 3<\/li>\n<li>SQL: 3<\/li>\n<li>Azure: 2<\/li>\n<li>Office: 2<\/li>\n<li>Publisher: 2<\/li>\n<li>Defender: 1<\/li>\n<li>.NET: 1 (excluding Visual Studio; see above)<\/li>\n<li>SharePoint: 1<\/li>\n<\/ul>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/figure-02.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-91000\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/figure-02.png\" alt=\"\" width=\"640\" 
height=\"465\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/figure-02.png 766w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/figure-02.png?resize=300,218 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><i>Figure 2: Windows accounts for just under 80 percent of the patches released this month, and all of the Critical-severity issues.<br \/> <\/i><\/p>\n<p>Microsoft also makes mention in the April release of three Edge-related patches released separately, two applying only to Edge for Android; those patches are not reflected in this month\u2019s totals. Microsoft also issued information on 15 patches released today <a href=\"https:\/\/helpx.adobe.com\/security\/Home.html\">by Adobe<\/a> in support of their Adobe Reader product. None of the 15 are under active exploit in the wild.<\/p>\n<h3>Other notable April updates<\/h3>\n<p><b><span data-contrast=\"auto\">CVE-2023-28219 and CVE-2023-28220, both titled Layer 2 Tunneling Protocol Remote Code Execution Vulnerability<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Both updates address Critical-severity RCE issues with Microsoft\u2019s Layer 2 Tunnelling Protocol (L2TP), which supports VPNs and other crucial functions. In both cases, an attacker sending a specially crafted connection request to an RAS server could achieve RCE on the target machine. In both cases they\u2019d have to win a race condition to successfully take advantage, but since Microsoft\u2019s asserting that these two are more likely than not to be successfully exploited within the next 30 days, network administrators should take them seriously. 
However, Microsoft states that both bugs are less likely to be exploited on older versions of Windows, though the patch is available for all currently supported versions of the OS.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">CVE-2023-28249 and CVE-2023-28269, both titled Windows Boot Manager Security Feature Bypass Vulnerability<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">A pair of physical-layer issues \u2013 in other words, if the attacker has admin privileges <\/span><i><span data-contrast=\"auto\">or physical access<\/span><\/i><span data-contrast=\"auto\"> to a targeted machine, they can get around Secure Boot. This is possibly uninteresting in most situations, but could be very exciting indeed if, for instance, an executive\u2019s stolen laptop ended up in clever hands.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">CVE-2023-28251, Windows Driver Revocation List Tampering Vulnerability<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The year\u2019s first patch for a tampering issue, this Important-severity item arrives with little official information about what it\u2019s addressing beyond what the title says. 
On the basis of the information we have at this writing, it would appear to be related to the remedy to malicious signed drivers we <\/span><a href=\"https:\/\/news.sophos.com\/en-us\/2022\/12\/13\/signed-driver-malware-moves-up-the-software-trust-chain\/\"><span data-contrast=\"none\">discussed<\/span><\/a><span data-contrast=\"auto\"> in December 2022.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">CVE-2023-24883, CVE-2023-28243, CVE-2023-24929, CVE-2023-24928, CVE-2023-24927, CVE-2023-24926, CVE-2023-24925, CVE-2023-24924, CVE-2023-24887, CVE-2023-24886, CVE-2023-24885, <\/span><\/b><span data-contrast=\"auto\">and<\/span><b><span data-contrast=\"auto\"> CVE-2023-24884, various titles<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Independent researcher kap0k\u2019s scrutiny of PostScript and PCL6-class printer drivers continues to bear fruit, with another 12 patches to their credit this month. 
These are apparently non-trivial finds, too; all are RCE, and all but one weigh in with a CVSS base score of 8.8.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/figure-03-renamed-because-wp.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-91006\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/figure-03-renamed-because-wp.png\" alt=\"\" width=\"640\" height=\"415\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/figure-03-renamed-because-wp.png 845w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/figure-03-renamed-because-wp.png?resize=300,195 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/figure-03-renamed-because-wp.png?resize=768,498 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><i><span data-contrast=\"auto\">Figure 3: April continued the 2023 trend toward a slowdown in Microsoft patches addressing elevation-of-privilege issues. By Patch Tuesday in April 2022, Microsoft had issued 125 EoP patches, as opposed to just 87 so far in 2023. (Remote code execution vulnerabilities are almost exactly keeping 2022\u2019s pace \u2013 133 as of April 2022, 137 as of April 2023.) 
Tampering makes its first 2023 appearance on the chart this month.<\/span><\/i><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<h3><b><span data-contrast=\"auto\">Sophos protections<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h3>\n<p><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">As you can every month, if you don\u2019t want to wait for your system to pull down Microsoft\u2019s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you\u2019re running, then download the Cumulative Update package for your specific system\u2019s architecture and build number.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p>&nbsp;<\/li>\n<\/ul>\n<\/li>\n<\/ul><\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2023\/04\/11\/april-showers-windows-updates-on-sysadmins\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/04\/shutterstock_1478781146.jpg\"\/><\/p>\n<p><strong>Credit to Author: Angela Gunn| Date: Tue, 11 Apr 2023 18:34:37 +0000<\/strong><\/p>\n<p>A 98-CVE Patch Tuesday marks another big haul for the OS 
<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[29062,29063,29064,29065,129,29066,3245,19245,29067,28641,28133,16771,10525],"class_list":["post-21705","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-cve-2023-21554","tag-cve-2023-28231","tag-cve-2023-28250","tag-cve-2023-28252","tag-featured","tag-l2tp","tag-office","tag-patch-tuesday","tag-pcl5","tag-postscript","tag-signed-drivers","tag-threat-research","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21705","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21705"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21705\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21705"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21705"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21705"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}