Patch Tuesday February 2023 Updates – Vulnerability Digest from Action1
This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.
Welcome to this month’s Patch Tuesday release, and Happy Valentine’s Day to all! While today may be filled with expressions of love and affection, we’re here to ensure that your devices remain secure and protected from potential vulnerabilities. As always, this month’s release includes a set of important security updates for Microsoft products to keep your systems up to date and safeguard against any potential threats. So, let’s take a moment to show some love for our devices and prioritize their security by installing this month’s patches.
For even more information, please watch the recorded February 2023 Vulnerability Digest webinar, join our next Patch Tuesday webinar and visit our Patch Tuesday page.
In this issue, you will learn about patches for:
- Microsoft vulnerabilities from Patch Tuesday:
- Microsoft Exchange Server Remote Code Execution Vulnerability
- Microsoft Word Remote Code Execution Vulnerability
- Windows Common Log File System Driver Elevation of Privilege Vulnerability
- Windows Graphics Component Remote Code Execution Vulnerability
- Third-party application vulnerabilities:
The February Patch Tuesday from Microsoft brings us 75 fixed vulnerabilities, which is a lower number than in January. The amount of critical updates has also decreased to 6 fixes from 11 in January. Additionally, Microsoft released fixes for three zero-day vulnerabilities.
Here are details on the most interesting critical updates.
Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft has addressed a new vulnerability, CVE-2023-21529, affecting all Exchange server versions starting from Microsoft Exchange 2013. While these types of vulnerabilities are a common occurrence, this one is particularly concerning due to its high CVSS risk score of 8.8 and Microsoft’s confirmation that it is more likely to be exploited in the wild. The vulnerability requires low privileges and no user interaction and uses the network vector.
However, exploitation of the vulnerability requires authentication. Attackers could potentially target server accounts to execute remote code or trigger malicious code in the context of the server’s account via a network call. The proof of concept for the vulnerability has not been publicly disclosed.
The recommended mitigation is to install the update from Microsoft on all systems, but it is advised to first install the update in a test environment to ensure compatibility.
Microsoft Word Remote Code Execution Vulnerability
The newly discovered vulnerability in Microsoft Word, designated as CVE-2023-21716, poses a significant risk with a CVSS score of 9.8. It is part of the Follina family of vulnerabilities and can be exploited through the Preview Pane or by sending a malicious email containing an RTF payload.
This vulnerability is relatively simple to exploit, uses network vectors, and requires no privileges or user interaction. All versions of Microsoft Word are affected by this issue.
To mitigate the risk, Microsoft has provided a workaround, MS08-026, which shows how to prevent Microsoft Word from loading RTF files. It is recommended to install the updates from Microsoft on all systems running Microsoft Office, but only after thoroughly testing the update in a separate environment.
Windows Common Log File System Driver Elevation of Privilege Vulnerability
The latest Zero Day vulnerability, designated as CVE-2023-23376, targets the Windows Common Log File System Driver. This vulnerability is relatively simple to exploit and utilizes local vectors, requiring only low levels of access and no user interaction. All Windows operating systems starting from Windows 7 are vulnerable to this issue and carry a high risk score of 7.8 according to CVSS. Microsoft has confirmed that the vulnerability is currently being exploited in the wild, but the proof of concept has not yet been made public.
Should an attacker successfully exploit this vulnerability, they could escalate their privileges to SYSTEM level, making it another weapon in their arsenal for privilege escalation on target endpoints. It is important to install the necessary updates to protect your system from this threat.
Windows Graphics Component Remote Code Execution Vulnerability
Another security flaw, referred to as the Zero Day vulnerability CVE-2023-21823, shares similarities with previous vulnerabilities but targets a different component – the Windows Graphics system. This vulnerability is relatively simple to exploit, utilizes local vectors, and requires low levels of access, with no need for user interaction. All Windows operating systems starting from Windows 7 are vulnerable to this issue, and it carries a high risk score of 7.8 according to CVSS. Microsoft has confirmed that the vulnerability is currently being exploited in the wild, but the proof of concept has not yet been made public.
Should an attacker successfully exploit this vulnerability, they could escalate their privileges to SYSTEM level. As such, it is crucial to install the necessary updates as soon as possible.
Google has released another security update for Chrome 109, fixing six security vulnerabilities. Four of these were reported by external researchers. Among these, two were particularly serious, known as “use after free” bugs in the WebTransport and WebRTC components, and were assigned the CVE numbers 2023-0471 and 2023-0472, respectively. These types of bugs in Chrome can potentially result in Remote Code Execution and sandbox escapes, though usually in combination with other vulnerabilities.
Additionally, the update also addressed a medium-severity bug (CVE-2023-0473) related to the ServiceWorker Application Programming Interface (API). Another similar level use after free bug (CVE-2023-0474) was fixed in the GuestView component.
Google has stated that none of these vulnerabilities have been actively exploited in the real world, however, they acknowledge that this does not necessarily mean that they have not been exploited. The company has been transparent about the increasing trend of attackers exploiting vulnerabilities in Chrome, which they acknowledged again last year.
Google has released an updated version of Chrome 110 (110.0.5481.77/.78 for Windows and 110.0.5481.77 for Mac and Linux) that includes a batch of 15 security vulnerabilities that have been fixed.
Among these, three were high-severity vulnerabilities that affected the V8 engine, full-screen implementation, and WebRTC. The first of these, CVE-2023-0696, is described as a heap corruption vulnerability that can be exploited remotely through a crafted HTML page. The second, CVE-2023-0697, affects Chrome for Android and could allow a remote attacker to spoof the contents of the security UI through a crafted HTML page. The third, CVE-2023-0698, could be exploited remotely to perform off-memory reads through an HTML page.
The update also fixed five medium-severity vulnerabilities, including a use-after-free bug in the GPU, improper implementation issues in the download, a heap buffer overflow in the web interface, and two type confusion bugs in the data transfer and developer tools.
Google has not mentioned any instances of these vulnerabilities being used in attacks.
Firefox 109 has addressed 21 security vulnerabilities, with 15 of them deemed as dangerous. 13 of these dangerous vulnerabilities, identified under the CVE numbers 2023-23605 and 2023-23606, stem from memory issues such as buffer overflows and accessing protected memory areas. This could potentially allow an attacker to execute code by opening maliciously crafted pages.
Another vulnerability, CVE-2023-23597, is caused by a logical error in the code responsible for creating new child processes and could allow attackers to read arbitrary files by starting a new process in the file:// context.
Meanwhile, vulnerability CVE-2023-23598, resulting from an error in the drag-and-drop handling in the GTK wrapper, could allow attackers to read the contents of arbitrary files through a call to the DataTransfer.setData method.
OpenSSL has undergone an update to address several security vulnerabilities, including a critical bug in the Open Source Encryption Toolkit. The bug, designated CVE-2023-0286, stems from a type confusion caused by handling X.400 addresses within the X.509 GeneralName. This can result in unintended program behavior and potentially lead to crashes or RCEs.
The vulnerability has been fixed in OpenSSL versions 3.0.8, 1.1.1t, and 1.0.2zg.
In addition to the critical vulnerability, the following bugs have also been addressed in recent updates:
- CVE-2022-4203 (buffer overflow),
- CVE-2022-4304 (Oracle synchronization in RSA decryption),
- CVE-2022-4450 (use after PEM_read_bio_ex call),
- CVE-2023-0215 (use after release after BIO_new_NDEF),
- CVE-2023-0216 (invalid pointer dereferencing in d2i_PKCS7 functions),
- CVE-2023-0217 and CVE-2023-0401 (NULL dereferencing of DSA public key or PKCS7 data).
Exploitation of these vulnerabilities could result in application failure, memory disclosure, and even the recovery of unencrypted messages sent over the network through a time-based side-channel attack in the Bleichenbacher style.
A severe vulnerability in Jira Service Management Server and Data Center has been discovered that allows attackers to pose as Jira users. The authentication flaw gives the attacker access to a Jira Service Management instance and the ability to impersonate another user under specific conditions. If the Jira Service Management has write access to the user directory and email is connected, an attacker can gain access to login tokens sent to users with accounts that have never logged in.
This vulnerability can be exploited in two ways:
- By the attacker being included in Jira tasks or requests with these users, or
- By accessing emails containing a “view request” link from these users.
This vulnerability, with a CVSS score of 9.4, is tracked as CVE-2023-22501 and affects Jira Service Management Server and Data Center versions 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1, and 5.5.0.
According to Atlassian, bot accounts are the primary targets of these attacks. However, external client accounts on single sign-on instances can also be compromised if account creation is open to all. The fixes for this vulnerability have been included in Jira Service Management Server and Data Center versions 5.3.3, 5.4.2, 5.5.1, and 5.6.0, and users are encouraged to update their Jira instances as soon as possible.
Oracle has released its first critical update of 2023, comprising of 327 security fixes, with over 70 of them addressing critical vulnerabilities and nearly 200 fixes addressing remotely exploitable bugs without authentication. Some of the fixes affect multiple Oracle products.
The largest number of fixes were issued for Oracle Communications, with 79 patches, out of which 63 can be exploited remotely without authentication and 19 are rated critical in severity. The update also includes 50 security fixes for the Fusion software, where 39 bugs can be exploited remotely by an unauthenticated attacker and 14 of them are critical.
Other software that received patches include communication applications with 39 patches, 31 of which address remotely exploitable issues without authentication, and MySQL with 37 patches, 8 of which address remotely exploitable flaws. Financial services applications, E-Business Suite, PeopleSoft, Database Server, utility applications, construction and engineering, food and beverage manufacturing, support tools, and virtualization also received updates.
Additionally, updates were made for Essbase, GoldenGate, TimesTen In-Memory, Commerce, Enterprise Manager, Hyperion, Java SE, JD Edwards, Siebel CRM, medical and healthcare, hospitality, insurance, and retail applications. Oracle also announced that third-party fixes are available for products such as Big Data Graph, Global Lifecycle Management, Graph Server and Client, and Spatial Studio, even though no new patches were released for them.
Oracle highly recommends customers to install the available patches as soon as possible, as it is aware of attempts by attackers to exploit unpatched problems for which patches are available.
Apple has issued updates to address multiple significant security vulnerabilities on its iOS and macOS platforms. The most critical of these vulnerabilities impact WebKit, which could result in code execution attacks through malicious web content.
For mobile devices, Apple released iOS 16.3 and iPadOS 16.3 to address more than a dozen documented security issues across various OS components, including three WebKit rendering engine bugs that pose a risk of Remote Code Execution (RCE). The updates also fix privacy and data disclosure vulnerabilities in various other components, such as AppleMobileFileIntegrity, ImageIO, Kernel, Maps, Safari, Screen Time, and Weather.
Apple has closed around 25 vulnerabilities, some of which are severe enough to allow code execution attacks. The WebKit issues also affect users of Apple’s macOS Ventura, Monterey, and Big Sur operating systems. The company has also addressed an actively exploited 0-day in iOS, which could be remotely triggered on older iPhones and iPads.
One particular vulnerability, CVE-2022-42856, causes a lack of type confusion in the Apple Webkit web browser engine and enables malicious websites to execute arbitrary code and potentially gain access to sensitive information on vulnerable devices. Once executed, attackers can run commands in the underlying OS, install additional malware or spyware, or take other actions.
Apple has acknowledged reports of the vulnerability being actively exploited, but did not provide further details in a published bulletin.
The iOS 16.3 update also introduces support for hardware security keys, providing enhanced protection against phishing attacks and device tampering. Apple has also fixed numerous other security flaws in Safari, as well as its latest versions for macOS, iOS, and watchOS.
How To Efficiently Patch All of These Vulnerabilities And More
Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.