Three zero-days require urgent attention for Windows, Exchange


Microsoft’s February Patch Tuesday update deals with 76 vulnerabilities that affect Windows, Exchange, Office, and Microsoft development tools, and three Windows vulnerabilities (CVE-2023-21823, CVE-2023-21715 and CVE-2023-23376) have been reported as exploited in the wild and require immediate attention.

Though they get a lower rating from Microsoft, the Exchange issues also warrant a rapid response. Meanwhile, the Microsoft Office and development platform updates can be added to your regular release schedule.

The team at Readiness has provided this infographic that outlines the risks associated with each of the updates in this month’s release.


Known issues

Microsoft includes a list of known issues that relate to the operating system and platforms in the latest updates:

  • XPS documents that utilize structural or semantic elements like table structure, storyboards, or hyperlinks may not display correctly in WPF-based readers. To address this issue, Microsoft provided a PowerShell script that you can run with the command: .\kb5022083-compat.ps1 -Install. This command adds the following registry value: “HKLM\SOFTWARE\Microsoft\.NETFramework\Windows Presentation Foundation\XPSAllowedTypes” /v “DisableDec2022Patch” /t REG_SZ /d “*” /reg:64
  • Copying large multiple-gigabyte files might take longer than expected to finish in Windows 11 version 22H2. You are more likely to experience this issue when copying files from a network share via Server Message Block (SMB), but local file copy might also be affected.

If you are still using Microsoft’s Windows Server 2012 for domain authentication, you may experience the following known issue: domain join operations might be unsuccessful and error “0xaac (2732): NERR_AccountReuseBlockedByPolicy” occurs. Additionally, text saying, “An account with the same name exists in Active Directory. Re-using the account was blocked by security policy” might be displayed. Microsoft has provided additional guidance (KB5020276) on managing this issue as part of the ESU program.


Major revisions

Microsoft published three major revisions this month:


  • CVE-2023-21705 and CVE-2023-21713: Microsoft SQL Server Remote Code Execution Vulnerability. These revisions extend support for legacy (ESU) SQL products. No further action required.
  • CVE-2023-21721: Microsoft OneNote Elevation of Privilege Vulnerability. This is a minor informational change; no action necessary.


Mitigations and workarounds

Microsoft has published the following vulnerability-related mitigations for this release:


  • CVE-2023-21804: Windows Graphics Component Elevation of Privilege Vulnerability. Only Windows computers that have the XPS document writer feature installed are vulnerable. In Windows 10, the XPS Document Writer is installed by default; in Windows 11, it is not.
  • CVE-2023-21803: Windows iSCSI Discovery Service Remote Code Execution Vulnerability. By default, the iSCSI Initiator client application is disabled and cannot be exploited. For a system to be vulnerable, the iSCSI Initiator client application would need to be enabled.
  • CVE-2023-21713, CVE-2023-21705: Microsoft SQL Server Remote Code Execution Vulnerability. This is only exploitable if this optional feature is enabled and running on a SQL instance. (The feature is not available in Azure SQL instances.)
  • CVE-2023-21692, CVE-2023-21690 and CVE-2023-21689: Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution. PEAP is only negotiated with the client if NPS is running on the Windows Server and has a network policy configured that allows PEAP. Learn more about configuring Microsoft PEAP here.
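The mitigation conditions above (XPS Document Writer present, iSCSI Initiator running, NPS running for PEAP) and the KB5022083 registry workaround from the known-issues list can be checked on a host in one pass. This is an added example, not code from the article, Readiness or Microsoft; it assumes PowerShell 5.1 or later on Windows and uses the standard Windows service names MSiSCSI and IAS and the printer name “Microsoft XPS Document Writer”, none of which appear on the page.

```powershell
# Added exposure check for this month's mitigations (not from the article or Microsoft).
# Assumptions: PowerShell 5.1+ on Windows; service names MSiSCSI (iSCSI Initiator) and
# IAS (Network Policy Server) and the 'Microsoft XPS Document Writer' printer name are
# standard Windows names, not values taken from the article.
$findings = @()

# CVE-2023-21804: only hosts with the XPS Document Writer installed are affected.
$xpsWriter = Get-Printer -Name 'Microsoft XPS Document Writer' -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{
    Check   = 'CVE-2023-21804: XPS Document Writer installed'
    Exposed = [bool]$xpsWriter
    Detail  = $(if ($xpsWriter) { 'Printer present' } else { 'Not installed' })
}

# CVE-2023-21803: the iSCSI Initiator service is not running by default.
$iscsi = Get-Service -Name 'MSiSCSI' -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{
    Check   = 'CVE-2023-21803: iSCSI Initiator service running'
    Exposed = [bool]($iscsi -and $iscsi.Status -eq 'Running')
    Detail  = $(if ($iscsi) { "Status=$($iscsi.Status)" } else { 'Service not present' })
}

# CVE-2023-21689/21690/21692: PEAP is only negotiated when NPS is running and a
# network policy allows PEAP. The service check is a first filter; the policies
# themselves still need review (NPS console or 'netsh nps show config').
$nps = Get-Service -Name 'IAS' -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{
    Check   = 'PEAP RCE: NPS running (review network policies for PEAP)'
    Exposed = [bool]($nps -and $nps.Status -eq 'Running')
    Detail  = $(if ($nps) { "Status=$($nps.Status)" } else { 'NPS not installed' })
}

# KB5022083 XPS workaround: the value the compat script adds (see Known issues).
# In 64-bit PowerShell, HKLM: is the 64-bit view, matching the /reg:64 in the article.
$xpsKey = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\Windows Presentation Foundation\XPSAllowedTypes'
$val = (Get-ItemProperty -Path $xpsKey -Name 'DisableDec2022Patch' -ErrorAction SilentlyContinue).DisableDec2022Patch
$findings += [pscustomobject]@{
    Check   = 'KB5022083: DisableDec2022Patch workaround present'
    Exposed = $false   # informational only; presence means the XPS compat workaround is active
    Detail  = $(if ($null -ne $val) { "Value='$val'" } else { 'Not set' })
}

$findings | Format-Table -AutoSize
```

A row with Exposed = True means the precondition Microsoft names for that CVE holds on the host, so the corresponding update should be treated as higher priority there.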


Testing guidance

Each month, the team at Readiness analyses the latest Patch Tuesday updates and provides detailed, actionable testing guidance. This is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on Windows and application installations.

Given the large number of changes included this month, I have broken down the testing scenarios into high-risk and standard-risk groups:


High Risk

All the high-risk changes affect the Windows printing subsystem again this month, and we have not seen any published functionality changes. We strongly recommend the following printing-focused testing:

  • The Microsoft “MS Publisher Imagesetter” has been updated significantly. These are built-in drivers that are now over a decade old. There have been reports of bad printing quality from using these drivers, so an update was definitely needed.
  • Test printing using V3 printer drivers with both color and black/white. Check for missing content.
  • There’s been an update to how Windows handles URLs, especially when printing. A quick run-through of opening web pages that reference Microsoft Word, PowerPoint, and Excel and then exercising a simple print job should highlight any issues.

All these scenarios will require significant application-level testing before a general deployment of the update. In addition, we suggest a general test of the following printing features:

  • 32-bit applications that require printing on 64-bit devices require testing. Pay attention to application exit, as this may generate memory-related errors.
  • Test your backup systems and ensure that your error and related system logs appear correct.
  • Test your VPN connections if you are using the PEAP protocol. This protocol changes frequently; we recommend that you subscribe to the Microsoft RSS feed for future changes.
  • Test your ODBC connections, database, and SQL commands.

Though you won’t have to conduct large file transfer testing this month, we highly recommend testing (very) long UNC paths from different machines. Our focus was on network paths accessing multiple machines across different versions of Windows. In addition to these scenarios, Microsoft updated the system kernel and core graphics components (GDI). Definitely smoke test your core or line-of-business apps and pay attention to graphics-intensive applications.

Given the rapid changes and frequent updates to applications (and their dependencies) in a modern application portfolio, ensure that your systems are “cleanly” uninstalling previous application versions. Leaving legacy applications or remnant components could expose your system to patched vulnerabilities.


Windows lifecycle update

This section contains important changes to servicing (and most security updates) to Windows desktop and server platforms. With Windows 10 21H2 now out of mainstream support, the following Microsoft applications will reach end of mainstream support or servicing in 2023:

  • Visio Services in SharePoint (in Microsoft 365): Feb. 10, 2023 (retired);
  • Microsoft Endpoint Configuration Manager, Version 2107: Feb 2, 2023 (end of service).

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

  • Browsers (Microsoft IE and Edge).
  • Microsoft Windows (both desktop and server).
  • Microsoft Office.
  • Microsoft Exchange Server.
  • Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core).
  • Adobe (retired???, maybe next year).


Browsers

Microsoft released three updates to its (Chromium) Edge browser: CVE-2023-21794, CVE-2023-23374 and CVE-2023-21720. You can find Microsoft’s version of these release notes here and the Google Desktop channel release notes here. There were no other updates to Microsoft browser (or rendering engines) this month. Add these updates to your standard patch release schedule.


Windows

Microsoft released four critical updates and 32 “important” patches to the Windows platform that cover the following key components:

  • Microsoft PostScript Printer Driver (with updates to FAX and SCAN);
  • Windows ODBC, OLE, WDAC Driver;
  • Windows Common Log File System Driver;
  • and Windows Cryptographic Services and Kerberos.

While the Microsoft PEAP authentication remote code vulnerabilities (CVE-2023-21689 and CVE-2023-21690) are the most worrisome, the remaining updates that solely affect Windows are not as dangerous as we’ve seen in the past. Unfortunately, three Windows vulnerabilities (CVE-2023-21823, CVE-2023-21715 and CVE-2023-23376) have been reported as exploited in the wild. As a consequence, add this update to your “Patch Now” release schedule.


Microsoft Office

Microsoft released a patch addressing a critical vulnerability (CVE-2023-21706) in Microsoft Word that could lead to remote code execution. There are five other updates for the Office platform (including SharePoint), all rated important. We have not had any reports of exploits in the wild for the critical Word issue, so we recommend that you add these Office updates to your standard-release schedule.


Microsoft Exchange Server

We are going to have to break some rules this month. Microsoft has released four patches to Microsoft Exchange Server (CVE-2023-21706, CVE-2023-21707, CVE-2023-21529, CVE-2023-21710), all of which are rated important. Unfortunately, CVE-2023-21529 could lead to remote code execution and really could be classed as a critical vulnerability.

This vulnerability does not require user interaction, is accessible via remote systems and does not require local privileges on the local system. All supported versions of Exchange are vulnerable. We are seeing reports of Exchange crypto-mining attacks already. We are going to add CVE-2023-21529 to our “Patch Now” schedule.


Microsoft development platforms

Microsoft released three critical updates affecting Visual Studio and .NET (CVE-2023-21808, CVE-2023-21815 and CVE-2023-23381) that could lead to arbitrary code execution. On initial examination, it appeared that these were remotely accessible, significantly raising the risks, but these developer-related vulnerabilities all require local access. Coupled with five other elevation of privilege vulnerabilities also affecting Microsoft Visual Studio (all rated important), we don’t see an urgent patch requirement. Add these updates to your standard developer release schedule.


Adobe Reader (still here, but just not this month)

No updates from Adobe for Reader or Acrobat this month. That said, Adobe has released a number of security updates for its other products with APSB23-02. I think that we have enough printing and some Microsoft XPS issues to test and deploy to keep us busy.
