9 New Microsoft Bugs to Patch Now

Microsoft has issued fixes for three zero-day bugs that attackers currently are actively exploiting in the wild.

One of them, tracked as CVE-2023-21715, is a security feature bypass vulnerability in Microsoft Office that gives attackers a way to bypass Office macro policies for blocking untrusted files and content. The second is an elevation-of-privilege vulnerability in Windows Common Log File System Driver (CVE-2023-23376), which allows an attacker to gain system-level privileges. The third is CVE-2023-21823, a remote code execution (RCE) bug in the Windows Graphics Component, which also enables an attacker to gain system-level access.

The Zero-Day Trio

The three zero-day vulnerabilities were part of a substantially larger set of 78 new CVEs that Microsoft disclosed in its monthly security update Tuesday. The company assessed nine of these flaws as being of “critical” severity and 66 as presenting an “important” threat to organizations.

Nearly half the vulnerabilities (38) that Microsoft disclosed this month were remote code execution (RCE) bugs — a category of flaws that security researchers consider especially serious. Elevation-of-privilege bugs represented the next highest category, followed by denial-of-service flaws and spoofing vulnerabilities.

Dustin Childs, head of threat awareness at Trend Micro’s ZDI, which reported eight of the vulnerabilities in this month’s update, says all the bugs that are under active attack represent a critical risk because threat actors are already using them.

“The Graphics Component bug (CVE-2023-21823) makes me worry on two accounts,” he says. “Since this was found by Mandiant, it was likely discovered by a team working an incident response,” Childs says. That means it’s unclear how long threat actors might have been using it. Also worrisome is that the update is available through the Microsoft Store, he notes.

“People who are either disconnected or otherwise blocked from the store will need to manually apply the update,” he says.

Childs says that based on Microsoft’s description of CVE-2023-21715, the security feature bypass vulnerability in Microsoft Office sounds more like an elevation-of-privilege issue. “It’s always alarming when a security feature is not just bypassed but exploited. Let’s hope the fix comprehensively addresses the problem.”

Ultimately, all three bugs that attackers are actively exploiting are of concern. But a threat actor would still need to use each of these bugs in combination with some form of a code execution bug to take over a system, Childs says.

Automox recommends that organizations using Microsoft 365 Applications for Enterprise patch CVE-2023-21715 within 24 hours. “This vulnerability is an actively exploited zero-day that allows attackers to craft a file to bypass Office security features,” Automox said in a blog post. It allows attackers to “potentially execute malicious code on end-user devices if they can coerce users to download and open files on vulnerable devices via social engineering.”

New Exchange Server Threats

Satnam Narang, senior staff research engineer at Tenable, highlighted three Microsoft Exchange Server vulnerabilities (CVE-2023-21706, CVE-2023-21707, CVE-2023-21529) as issues that organizations should note because Microsoft has identified them as flaws that attackers are more likely to exploit.

“Over the last few years, Microsoft Exchange Servers around the world have been pummeled by multiple vulnerabilities, from ProxyLogon to ProxyShell, to more recently ProxyNotShell, OWASSRF and TabShell,” Narang said in a statement.

Exchange flaws have become valuable commodities for state-sponsored threat actors in recent years, he said. “We strongly suggest organizations that rely on Microsoft Exchange Server to ensure they’ve applied the latest Cumulative Updates for Exchange Server.”

RCE Bugs in Microsoft PEAP

Researchers at Cisco’s Talos threat intelligence group, meanwhile, pointed to three RCE bugs in Microsoft Protected Extensible Authentication Protocol (PEAP) as being among the most critical bugs in Microsoft’s security update for February 2023.

The flaws, tracked as CVE-2023-21689, CVE-2023-21690 and CVE-2023-21692, allow an authenticated attacker to try and trigger malicious code in the context of the server’s account.

“Almost all Windows versions are vulnerable, including the latest Windows 11,” the company said in a statement.

CVE-2023-21689 — one of the three critical vulnerabilities in PEAP — allows attackers to get server accounts to trigger malicious code via a network call, according to Automox.

“Since this vulnerability is very likely to be targeted and is relatively simple for attackers to exploit, we recommend patching or ensuring that PEAP is not configured as an allowed EAP type in your network policy,” the company said in its post. Affected organizations — those that have Windows clients with Network Policy Server running and have a policy that allows PEAP — should patch the flaw within 72 hours, Automox advised.
