Microsoft Patch Tuesday: 36 RCE bugs, 3 zero-days, 75 CVEs

by Paul Ducklin

Deciphering Microsoft’s official Update Guide web pages is not for the faint-hearted.


Most of the information you need, if not everything you’d really like to know, is there, but there’s such a dizzying number of ways to view it, and so many generated-on-the-fly pages are needed to display it, that it can be tricky to find out what’s truly new, and what’s truly important.

Should you search by the operating system platforms affected? By the severity of the vulnerabilities? By the likelihood of exploitation?

Should you sort the zero-days to the top?

(We don’t think you can; we think there are three zero-days in this month’s list, but we had to drill into individual CVE pages and search for the text “Exploitation detected” in order to be sure that a specific bug was already known to cybercriminals.)

What’s worse, an EoP or an RCE?

Is a Critical elevation of privilege (EoP) bug more alarming than an Important remote code execution (RCE)?

The former type of bug requires cybercriminals to break in first, but probably gives them a way to take over completely, typically getting them the equivalent of sysadmin powers or operating system-level control.

The second type of bug might only get the crooks in with the lowly access privileges of little old you, but it nevertheless gets them onto the network in the first place.

Of course, while everyone else might breathe a sigh of relief if an attacker wasn’t able to get access to their stuff, that’s cold comfort for you, if you’re the one who did get attacked.

We counted 75 CVE-numbered bugs dated 2023-02-14, given that this year’s February updates arrived on Valentine’s Day.

(Actually, we found 76, but we ignored one bug that didn’t have a severity rating, was tagged CVE-2019-15126, and seems to boil down to a report about unsupported Broadcom Wi-Fi chips in Microsoft HoloLens devices; if you have a HoloLens and have any advice for other readers, please let us know in the comments below.)

We extracted a list and included it below, sorted so that the bugs dubbed Critical are at the top (there are seven of them, all RCE-class bugs).

You can also read the SophosLabs analysis of Patch Tuesday for more details.
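The two chores described above, drilling into each CVE page to look for “Exploitation detected” and then sorting the Critical bugs to the top, can be done from the same data the Update Guide itself is generated from. The script below is an added example, not code from this article, from Sophos or from Microsoft: it parses the CVRF XML that the MSRC Security Update Guide serves through its public API and prints rows in the same layout as the list on this page. The embedded XML is a constructed fragment modelled on the CVRF 1.1 layout and contains only four of this month’s CVEs; the endpoint https://api.msrc.microsoft.com/cvrf/v2.0/cvrf/2023-Feb and the exact field layout (per-product Severity threats, an Exploit Status string of the form Publicly Disclosed:No;Exploited:Yes;…) are our reading of that API, not something the article documents. It goes one step further than the list here by pushing in-the-wild bugs to the very top before sorting by severity and bug class.

```python
# Added example, not code from the article, Sophos or Microsoft: turn the CVRF XML that
# the MSRC Security Update Guide API serves into the triage list shown on this page.
# SAMPLE_CVRF is a CONSTRUCTED fragment modelled on CVRF 1.1 (endpoint/layout assumed).
import xml.etree.ElementTree as ET
from collections import namedtuple

SAMPLE_CVRF = """<cvrf:cvrfdoc xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1"
    xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1">
<vuln:Vulnerability Ordinal="1">
 <vuln:Title>Microsoft Word Remote Code Execution Vulnerability</vuln:Title><vuln:CVE>CVE-2023-21716</vuln:CVE>
 <vuln:Threats>
  <vuln:Threat Type="Impact"><vuln:Description>Remote Code Execution</vuln:Description></vuln:Threat>
  <vuln:Threat Type="Severity"><vuln:Description>Critical</vuln:Description><vuln:ProductID>11575</vuln:ProductID></vuln:Threat>
  <vuln:Threat Type="Severity"><vuln:Description>Critical</vuln:Description><vuln:ProductID>11582</vuln:ProductID></vuln:Threat>
  <vuln:Threat Type="Exploit Status"><vuln:Description>Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely;DOS:N/A</vuln:Description></vuln:Threat>
 </vuln:Threats>
</vuln:Vulnerability>
<vuln:Vulnerability Ordinal="2">
 <vuln:Title>Windows Common Log File System Driver Elevation of Privilege Vulnerability</vuln:Title><vuln:CVE>CVE-2023-23376</vuln:CVE>
 <vuln:Threats>
  <vuln:Threat Type="Impact"><vuln:Description>Elevation of Privilege</vuln:Description></vuln:Threat>
  <vuln:Threat Type="Severity"><vuln:Description>Important</vuln:Description></vuln:Threat>
  <vuln:Threat Type="Exploit Status"><vuln:Description>Publicly Disclosed:No;Exploited:Yes;Latest Software Release:Exploitation Detected;DOS:N/A</vuln:Description></vuln:Threat>
 </vuln:Threats>
</vuln:Vulnerability>
<vuln:Vulnerability Ordinal="3">
 <vuln:Title>Windows Graphics Component Remote Code Execution Vulnerability</vuln:Title><vuln:CVE>CVE-2023-21823</vuln:CVE>
 <vuln:Threats>
  <vuln:Threat Type="Impact"><vuln:Description>Remote Code Execution</vuln:Description></vuln:Threat>
  <vuln:Threat Type="Severity"><vuln:Description>Important</vuln:Description></vuln:Threat>
  <vuln:Threat Type="Exploit Status"><vuln:Description>Publicly Disclosed:No;Exploited:Yes;Latest Software Release:Exploitation Detected;DOS:N/A</vuln:Description></vuln:Threat>
 </vuln:Threats>
</vuln:Vulnerability>
<vuln:Vulnerability Ordinal="4">
 <vuln:Title>Windows Cryptographic Services Denial of Service Vulnerability</vuln:Title><vuln:CVE>CVE-2023-21813</vuln:CVE>
 <vuln:Threats>
  <vuln:Threat Type="Impact"><vuln:Description>Denial of Service</vuln:Description></vuln:Threat>
  <vuln:Threat Type="Severity"><vuln:Description>Important</vuln:Description></vuln:Threat>
  <vuln:Threat Type="Exploit Status"><vuln:Description>Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely;DOS:N/A</vuln:Description></vuln:Threat>
 </vuln:Threats>
</vuln:Vulnerability>
</cvrf:cvrfdoc>"""

SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}
IMPACT_ABBREV = {"Remote Code Execution": "RCE", "Elevation of Privilege": "EoP",
                 "Information Disclosure": "Leak", "Security Feature Bypass": "Bypass",
                 "Spoofing": "Spoof", "Denial of Service": "DoS"}
TYPE_ORDER = ["RCE", "EoP", "Leak", "Bypass", "Spoof", "DoS"]  # class order of the list on this page
Advisory = namedtuple("Advisory", "cve severity impact title exploited")

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the "{namespace}" prefix ElementTree adds

def parse_cvrf(xml_text):
    """One Advisory per <Vulnerability>; the worst of the per-product severities wins."""
    advisories = []
    for vuln in ET.fromstring(xml_text).iter():
        if _local(vuln.tag) != "Vulnerability":
            continue
        cve = title = impact = ""
        severities, exploited = set(), False
        for el in vuln.iter():
            name = _local(el.tag)
            if name == "CVE":
                cve = (el.text or "").strip()
            elif name == "Title":
                title = (el.text or "").strip()
            elif name == "Threat":
                desc = "".join(d.text or "" for d in el if _local(d.tag) == "Description").strip()
                if el.get("Type") == "Severity":
                    severities.add(desc)
                elif el.get("Type") == "Impact":
                    impact = IMPACT_ABBREV.get(desc, desc)
                elif el.get("Type") == "Exploit Status":
                    # "Publicly Disclosed:No;Exploited:Yes;Latest Software Release:Exploitation Detected;..."
                    fields = dict(p.split(":", 1) for p in desc.split(";") if ":" in p)
                    exploited = fields.get("Exploited", "").strip().lower() == "yes"
        if cve:
            severity = min(severities, key=lambda s: SEVERITY_RANK.get(s, 99), default="Unknown")
            advisories.append(Advisory(cve, severity, impact or "Unknown", title, exploited))
    return advisories

def zero_days(advisories):
    return [a.cve for a in advisories if a.exploited]  # the rows that get an asterisk

def triage_order(advisories):
    """In-the-wild bugs first, then Critical before Important, then RCE before the other classes."""
    def key(a):
        type_rank = TYPE_ORDER.index(a.impact) if a.impact in TYPE_ORDER else len(TYPE_ORDER)
        return (not a.exploited, SEVERITY_RANK.get(a.severity, 99), type_rank, a.cve)
    return sorted(advisories, key=key)

def format_row(a):
    """Same column layout as the list on this page: ID, (Level), *Type, component."""
    flag = "*" if a.exploited else " "
    return f"{a.cve}:  {'(' + a.severity + ')':<12}{flag}{a.impact:<6}  {a.title}"

if __name__ == "__main__":
    for row in triage_order(parse_cvrf(SAMPLE_CVRF)):
        print(format_row(row))
```

The “Exploited:Yes” field is the machine-readable form of the “Exploitation detected” text we had to hunt for by hand; because a single CVE can carry one Severity entry per affected product, the parser keeps the worst rating rather than the first one it sees, which is also how you avoid under-rating a bug that is Important on one SKU and Critical on another.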



Security bug classes explained

If you’re not familiar with the bug abbreviations shown below, here’s a high-speed guide to security flaws:



  • RCE means Remote Code Execution. Attackers who aren’t currently logged on to your computer could trick it into running a fragment of program code, or even a full-blown program, as if they had authenticated access. Typically, on desktops or servers, the criminals use this sort of bug to implant code that allows them to get back in at will in future, thus establishing a beachhead from which to kick off a network-wide attack. On mobile devices such as phones, the crooks may use RCE bugs to leave behind spyware that will track you from then on, so they don’t need to break in over and over again to keep their evil eyes on you.


  • EoP means Elevation of Privilege. As mentioned above, this means crooks can boost their access rights, typically acquiring the same sort of powers that an official sysadmin or the operating system itself would usually enjoy. Once they have system-level powers, they are often able to roam freely on your network, steal secure files even from restricted-access servers, create hidden user accounts for getting back in later, or map out your entire IT estate in preparation for a ransomware attack.


  • Leak means that security-related or private data might escape from secure storage. Sometimes, even apparently minor leaks, such as the location of specific operating system code in memory, which an attacker isn’t supposed to be able to predict, can give criminals the information they need to turn a probably unsuccessful attack into an almost certainly successful one.


  • Bypass means that a security protection you’d usually expect to keep you safe can be skirted. Crooks typically exploit bypass vulnerabilities to trick you into trusting remote content such as email attachments, for example by finding a way to avoid the “content warnings” or to circumvent the malware detection that is supposed to keep you safe.


  • Spoof means that content can be made to look more trustworthy than it really is. For example, attackers who lure you to a fake website that shows up in your browser with an official server name in the address bar (or what looks like the address bar) are much more likely to trick you into handing over personal data than if they’re forced to put their fake content on a site that clearly isn’t the one you’d expect.


  • DoS means Denial of Service. Bugs that allow network or server services to be knocked offline temporarily are often considered low-grade flaws, assuming that the bug doesn’t then allow attackers to break in, steal data or access anything they shouldn’t. But attackers who can reliably take down parts of your network may be able to do so over and over again in a co-ordinated way, for example by timing their DoS probes to happen every time your crashed servers restart. This can be extremely disruptive, especially if you are running an online business, and can also be used as a distraction to draw attention away from other illegal activities that the crooks are doing on your network at the same time.

The big bug list

The 75-strong bug list is here, with the three zero-days we know about marked with an asterisk (*):


NIST ID          Level        Type    Component affected
---------------  -----------  ------  ----------------------------------------
CVE-2023-21689:  (Critical)   RCE     Windows Protected EAP (PEAP)      
CVE-2023-21690:  (Critical)   RCE     Windows Protected EAP (PEAP)      
CVE-2023-21692:  (Critical)   RCE     Windows Protected EAP (PEAP)      
CVE-2023-21716:  (Critical)   RCE     Microsoft Office Word     
CVE-2023-21803:  (Critical)   RCE     Windows iSCSI     
CVE-2023-21815:  (Critical)   RCE     Visual Studio     
CVE-2023-23381:  (Critical)   RCE     Visual Studio     
CVE-2023-21528:  (Important)  RCE     SQL Server        
CVE-2023-21529:  (Important)  RCE     Microsoft Exchange Server         
CVE-2023-21568:  (Important)  RCE     SQL Server        
CVE-2023-21684:  (Important)  RCE     Microsoft PostScript Printer Driver       
CVE-2023-21685:  (Important)  RCE     Microsoft WDAC OLE DB provider for SQL    
CVE-2023-21686:  (Important)  RCE     Microsoft WDAC OLE DB provider for SQL    
CVE-2023-21694:  (Important)  RCE     Windows Fax and Scan Service      
CVE-2023-21695:  (Important)  RCE     Windows Protected EAP (PEAP)      
CVE-2023-21703:  (Important)  RCE     Azure Data Box Gateway    
CVE-2023-21704:  (Important)  RCE     SQL Server        
CVE-2023-21705:  (Important)  RCE     SQL Server        
CVE-2023-21706:  (Important)  RCE     Microsoft Exchange Server         
CVE-2023-21707:  (Important)  RCE     Microsoft Exchange Server         
CVE-2023-21710:  (Important)  RCE     Microsoft Exchange Server         
CVE-2023-21713:  (Important)  RCE     SQL Server        
CVE-2023-21718:  (Important)  RCE     SQL Server        
CVE-2023-21778:  (Important)  RCE     Microsoft Dynamics        
CVE-2023-21797:  (Important)  RCE     Windows ODBC Driver       
CVE-2023-21798:  (Important)  RCE     Windows ODBC Driver       
CVE-2023-21799:  (Important)  RCE     Microsoft WDAC OLE DB provider for SQL    
CVE-2023-21801:  (Important)  RCE     Microsoft PostScript Printer Driver       
CVE-2023-21802:  (Important)  RCE     Microsoft Windows Codecs Library  
CVE-2023-21805:  (Important)  RCE     Windows MSHTML Platform   
CVE-2023-21808:  (Important)  RCE     .NET and Visual Studio    
CVE-2023-21820:  (Important)  RCE     Windows Distributed File System (DFS)     
CVE-2023-21823:  (Important) *RCE     Microsoft Graphics Component
CVE-2023-23377:  (Important)  RCE     3D Builder        
CVE-2023-23378:  (Important)  RCE     3D Builder        
CVE-2023-23390:  (Important)  RCE     3D Builder        
CVE-2023-21566:  (Important)  EoP     Visual Studio     
CVE-2023-21688:  (Important)  EoP     Windows ALPC      
CVE-2023-21717:  (Important)  EoP     Microsoft Office SharePoint       
CVE-2023-21777:  (Important)  EoP     Azure App Service         
CVE-2023-21800:  (Important)  EoP     Windows Installer         
CVE-2023-21804:  (Important)  EoP     Microsoft Graphics Component      
CVE-2023-21812:  (Important)  EoP     Windows Common Log File System Driver     
CVE-2023-21817:  (Important)  EoP     Windows Kerberos  
CVE-2023-21822:  (Important)  EoP     Windows Win32K    
CVE-2023-23376:  (Important) *EoP     Windows Common Log File System Driver     
CVE-2023-23379:  (Important)  EoP     Microsoft Defender for IoT        
CVE-2023-21687:  (Important)  Leak    Windows HTTP.sys  
CVE-2023-21691:  (Important)  Leak    Windows Protected EAP (PEAP)      
CVE-2023-21693:  (Important)  Leak    Microsoft PostScript Printer Driver       
CVE-2023-21697:  (Important)  Leak    Internet Storage Name Service     
CVE-2023-21699:  (Important)  Leak    Internet Storage Name Service     
CVE-2023-21714:  (Important)  Leak    Microsoft Office  
CVE-2023-23382:  (Important)  Leak    Azure Machine Learning    
CVE-2023-21715:  (Important) *Bypass  Microsoft Office Publisher 
CVE-2023-21809:  (Important)  Bypass  Microsoft Defender for Endpoint   
CVE-2023-21564:  (Important)  Spoof   Azure DevOps      
CVE-2023-21570:  (Important)  Spoof   Microsoft Dynamics        
CVE-2023-21571:  (Important)  Spoof   Microsoft Dynamics        
CVE-2023-21572:  (Important)  Spoof   Microsoft Dynamics        
CVE-2023-21573:  (Important)  Spoof   Microsoft Dynamics        
CVE-2023-21721:  (Important)  Spoof   Microsoft Office OneNote  
CVE-2023-21806:  (Important)  Spoof   Power BI  
CVE-2023-21807:  (Important)  Spoof   Microsoft Dynamics        
CVE-2023-21567:  (Important)  DoS     Visual Studio     
CVE-2023-21700:  (Important)  DoS     Windows iSCSI     
CVE-2023-21701:  (Important)  DoS     Windows Protected EAP (PEAP)      
CVE-2023-21702:  (Important)  DoS     Windows iSCSI     
CVE-2023-21722:  (Important)  DoS     .NET Framework    
CVE-2023-21811:  (Important)  DoS     Windows iSCSI     
CVE-2023-21813:  (Important)  DoS     Windows Cryptographic Services    
CVE-2023-21816:  (Important)  DoS     Windows Active Directory  
CVE-2023-21818:  (Important)  DoS     Windows SChannel  
CVE-2023-21819:  (Important)  DoS     Windows Cryptographic Services    
CVE-2023-21553:  (Unknown  )  RCE     Azure DevOps      

What to do?

Business users like to prioritise patches, rather than doing them all at once and hoping nothing breaks; we therefore put the Critical bugs at the top, along with the RCE holes, given that RCEs are typically used by crooks to get their initial foothold.

In the end, however, all bugs need to be patched, especially now that the updates are available and attackers can start “working backwards” by trying to figure out from the patches what sort of holes existed before the updates came out.

Reverse engineering Windows patches can be time-consuming, not least because Windows is a closed-source operating system, but it’s an awful lot easier to figure out how bugs work and how to exploit them if you’ve got a good idea where to start looking, and what to look for.

The sooner you get ahead (or the quicker you catch up, in the case of zero-day holes, which are bugs that the crooks found first), the less likely you’ll be the one who gets attacked.

So even if you don’t patch everything at once, we’re nevertheless going to say: Don’t delay/Get started today!



READ THE SOPHOSLABS ANALYSIS OF PATCH TUESDAY FOR MORE DETAILS

