Microsoft has issued fixes for 3 zero-day bugs that attackers at the moment are actively exploiting within the wild.
One in every of them, tracked as CVE-2023-21715, is a safety function bypass vulnerability in Microsoft Workplace that offers attackers a technique to bypass Workplace macro insurance policies for blocking untrusted information and content material. The second is an elevation-of-privilege vulnerability in Home windows Widespread Log File System Driver (CVE-2023-23376), which permits an attacker to achieve system-level privileges. The third is CVE-2023-21823, a distant code execution (RCE) bug within the Home windows Graphics Element which additionally allows an attacker to achieve system-level entry.
The Zero-Day Trio
The three zero-day vulnerabilities have been a part of a considerably bigger set of 78 new CVEs that Microsoft disclosed in its month-to-month safety replace Tuesday. The corporate assessed 9 of those flaws as being of “crucial” severity and 66 as presenting an “essential” menace to organizations.
Almost half the vulnerabilities (38) that Microsoft disclosed this month have been distant code execution (RCE) bugs — a class of flaws that safety researchers contemplate particularly severe. Elevation-of-privilege bugs represented the subsequent highest class, adopted by denial-of-service flaws and spoofing vulnerabilities.
Dustin Childs, head of menace consciousness at Development Micro’s ZDI, which reported eight of the vulnerabilities on this month’s replace, says all of the bugs which can be below energetic assault symbolize a crucial danger as a result of menace actors are already utilizing them.
“The Graphics Element bug (CVE-2023-21823) makes me fear on two accounts,” he says. “Since this was discovered by Mandiant, it was doubtless found by a group working an incident response,” Childs says. Meaning it is unclear how lengthy menace actors may need been utilizing it. Additionally worrisome is that the replace is out there by means of the Microsoft retailer, he notes.
“People who find themselves both disconnected or in any other case blocked from the shop might want to manually apply the replace,” he says.
Childs says that primarily based on Microsoft’s description of CVE-2023-21715, the safety function bypass vulnerability in Microsoft Workplace sounds extra like an elevation-of-privilege subject. “It is all the time alarming when a safety function isn’t just bypassed however exploited. Let’s hope the repair comprehensively addresses the issue.”
In the end, all three bugs that attackers are actively exploiting are of concern. However a menace actor would nonetheless want to make use of every of those bugs together with some type of a code execution bug to take over a system, Childs says.
Automox recommends that organizations utilizing Microsoft 365 Functions for Enterprise patch CVE-2023-2175 inside 24 hours. “This vulnerability is an actively exploited zero-day that enables attackers to craft a file to bypass Workplace security measures,” Automox mentioned in a weblog submit. It permits attackers to “probably execute malicious code on end-user units if they’ll coerce customers to obtain and open information on susceptible units through social engineering.”
New Alternate Server Threats
Satnam Narang, senior employees analysis engineer at Tenable, highlighted three Microsoft Alternate Server vulnerabilities (CVE-2023-21706, CVE-2023-21707, CVE-2023-21529) as points that organizations ought to word as a result of Microsoft has recognized them as flaws that attackers usually tend to exploit.
“Over the previous few years, Microsoft Alternate Servers world wide have been pummeled by a number of vulnerabilities, from ProxyLogon to ProxyShell, to extra lately ProxyNotShell, OWASSRF and TabeShell,” Narang mentioned in an announcement.
Alternate flaws have change into useful commodities for traditional sponsored menace actors in recent times, he mentioned. “We strongly recommend organizations that depend on Microsoft Alternate Server to make sure they’ve utilized the newest Cumulative Updates for Alternate Server.”
RCE Bugs in Microsoft PEAP
Researchers at Cisco’s Talos menace intelligence group, in the meantime, pointed to three RCE bugs in Microsoft Protected Extensible Authentication Protocol (PEAP) as being among the many most crucial bugs in Microsoft’s safety replace for February 2023.
The issues, tracked as CVE-2023-21689, CVE-2023-21690 and CVE-2023-21692, enable an authenticated attacker to try to set off malicious code within the context of the server’s account.
“Nearly all Home windows variations are susceptible, together with the newest Home windows 11,” the corporate mentioned in an announcement.
CVE-2023-21689 — one of many three crucial vulnerabilities in PEAP — permits attackers to get server accounts to set off malicious code through a community name, based on Automox.
“Since this vulnerability is very prone to be focused and is comparatively easy for attackers to use, we suggest patching or making certain that PEAP is just not configured as an allowed EAP kind in your community coverage,” the corporate mentioned in its submit. Affected organizations — those who have Home windows purchasers with Community Coverage Server operating and have a coverage that enables PEAP — ought to patch the flaw inside 72 hours, Automox suggested.
