Microsoft Patch Tuesday: 36 RCE bugs, 3 zero-days, 75 CVEs
Credit to Author: Paul Ducklin| Date: Tue, 14 Feb 2023 22:12:35 +0000
Deciphering Microsoft’s official Update Guide web pages is not for the faint-hearted.
Most of the information you need, if not everything you’d really like to know, is there, but there’s such a dizzing number of ways to view it, and so many generated-on-the-fly pages are needed to display it, that it can be tricky to find out what’s truly new, and what’s truly important.
Should you search by the operating system platforms affected?
By the severity of the vulnerabilies? By the likelihood of exploitation?
Should you sort the zero-days to the top?
(We don’t think you can – we think there are three zero-days in this month’ list, but we had to drill into individual CVE pages and search for the text “Exploitation detected” in order to be sure that a specific bug was already known to cybercriminals.)
What’s worse, an EoP or an RCE?
Is a Critical elevation of privilege (EoP) bug more alarming than an Important remote code execution (RCE)?
The former type of bug requires cybercriminals to break in first, but probably gives them a way to take over completely, typically getting them the equivalent of sysadmin powers or operating system-level control.
The second type of bug might only get the crooks in with the lowly access privileges of little old you, but it nevertheless gets them onto the network in the first place.
Of course, while everyone else might breathe a sigh of relief if an attacker wasn’t able to get access to their stuff, that’s cold comfort for you, if you’re the one who did get attacked.
We counted 75 CVE-numbered bugs dated 2023-02-14, given that this year’s February updates arrived on Valentine’s Day.
(Actually, we fond 76, but we ignored one bug that didn’t have a severity rating, was tagged CVE-2019-15126, and seems to boil down to a report about unsupported Broadcom Wi-Fi chips in Microsoft Hololens devices – if you have a Hololens and have any advice for other readers, please let us know in the comments below.)
We extracted a list and included it below, sorted so that the bugs dubbed Critical are at the top (there are seven of them, all RCE-class bugs).
You can also read the SophosLabs analysis of Patch Tuesday for more details.
Security bug classes explained
If you’re not familiar with the bug abbreviations shown below, here’s a high-speed guide to security flaws:
- RCE means Remote Code Execution. Attackers who aren’t currently logged on to your computer could trick it into running a fragment of program code, or even a full-blown program, as if they had authenticated access. Typically, on desktops or servers, the criminals use this sort of bug to implant code that allows them to get back in at will in future, thus establishing a beachhead from which to kick off a network-wide attack. On mobile devices such as phones, the crooks may use RCE bugs to leave behind spyware that will track you from then on, so they don’t need to break in over and over again to keep their evil eyes on you.
- EoP means Elevation of Privilege. As mentioned above, this means crooks can boost their access rights, typically acquiring the same sort of powers that an official sysadmin or the operating itself would usually enjoy. Once they have system-level powers, they are often able to roam freely on your network, steal secure files even from restricted-access servers, create hidden user accounts for getting back in later, or map out your entire IT estate in preparation for a ransomware attack.
- Leak means that security-related or private data might escape from secure storage. Sometimes, even apparently minor leaks, such as the location of specific operating system code in memory, which an attacker isn’t supposed to be able to predict, can give criminals the information they need to turn an probably unsuccessful attack into an almost certainly successful one.
- Bypass means that a security protection you’d usually expect to keep you safe can be skirted. Crooks typically exploit bypass vulnerabilities to trick you into trusting remote content such as email attachments, for example by finding a way to avoid the “content warnings” or to circumvent the malware detection that are supposed to keep you safe.
- Spoof means that content can be made to look more trustworthy than it really is. For example, attackers who lure you to a fake website that shows up in your browser with an official server name in the address bar (or what looks like the address bar)are much likely to trick you into handing over personal data than if they’re forced to put their fake content on a site that clearly isn’t the one you’d expect.
- DoS means Denial of Service. Bugs that allow network or server services to be knocked offline temporarily are often considered low-grade flaws, assuming that the bug doesn’t then allow attackers to break in, steal data or access anything they shouldn’t. But attackers who can reliably take down parts of your network may be able to do so over and over again in a co-ordinated way, for example by timing their DoS probes to happen every time your crashed servers restart. This can be extremely disruptive, esepcially if you are running an online business, and can also be used as a distraction to draw attention away from other illegal activities that the crooks are doing on your network at the same time.
The big bug list
The 75-strong bug list is here, with the three zero-days we know about marked with an asterisk (*):
NIST ID Level Type Component affected --------------- ----------- ------ ---------------------------------------- CVE-2023-21689: (Critical) RCE Windows Protected EAP (PEAP) CVE-2023-21690: (Critical) RCE Windows Protected EAP (PEAP) CVE-2023-21692: (Critical) RCE Windows Protected EAP (PEAP) CVE-2023-21716: (Critical) RCE Microsoft Office Word CVE-2023-21803: (Critical) RCE Windows iSCSI CVE-2023-21815: (Critical) RCE Visual Studio CVE-2023-23381: (Critical) RCE Visual Studio CVE-2023-21528: (Important) RCE SQL Server CVE-2023-21529: (Important) RCE Microsoft Exchange Server CVE-2023-21568: (Important) RCE SQL Server CVE-2023-21684: (Important) RCE Microsoft PostScript Printer Driver CVE-2023-21685: (Important) RCE Microsoft WDAC OLE DB provider for SQL CVE-2023-21686: (Important) RCE Microsoft WDAC OLE DB provider for SQL CVE-2023-21694: (Important) RCE Windows Fax and Scan Service CVE-2023-21695: (Important) RCE Windows Protected EAP (PEAP) CVE-2023-21703: (Important) RCE Azure Data Box Gateway CVE-2023-21704: (Important) RCE SQL Server CVE-2023-21705: (Important) RCE SQL Server CVE-2023-21706: (Important) RCE Microsoft Exchange Server CVE-2023-21707: (Important) RCE Microsoft Exchange Server CVE-2023-21710: (Important) RCE Microsoft Exchange Server CVE-2023-21713: (Important) RCE SQL Server CVE-2023-21718: (Important) RCE SQL Server CVE-2023-21778: (Important) RCE Microsoft Dynamics CVE-2023-21797: (Important) RCE Windows ODBC Driver CVE-2023-21798: (Important) RCE Windows ODBC Driver CVE-2023-21799: (Important) RCE Microsoft WDAC OLE DB provider for SQL CVE-2023-21801: (Important) RCE Microsoft PostScript Printer Driver CVE-2023-21802: (Important) RCE Microsoft Windows Codecs Library CVE-2023-21805: (Important) RCE Windows MSHTML Platform CVE-2023-21808: (Important) RCE .NET and Visual Studio CVE-2023-21820: (Important) RCE Windows Distributed File System (DFS) CVE-2023-21823: (Important) *RCE Microsoft Graphics Component CVE-2023-23377: (Important) RCE 3D Builder CVE-2023-23378: (Important) RCE 3D Builder CVE-2023-23390: (Important) RCE 3D Builder CVE-2023-21566: (Important) EoP Visual Studio CVE-2023-21688: (Important) EoP Windows ALPC CVE-2023-21717: (Important) EoP Microsoft Office SharePoint CVE-2023-21777: (Important) EoP Azure App Service CVE-2023-21800: (Important) EoP Windows Installer CVE-2023-21804: (Important) EoP Microsoft Graphics Component CVE-2023-21812: (Important) EoP Windows Common Log File System Driver CVE-2023-21817: (Important) EoP Windows Kerberos CVE-2023-21822: (Important) EoP Windows Win32K CVE-2023-23376: (Important) *EoP Windows Common Log File System Driver CVE-2023-23379: (Important) EoP Microsoft Defender for IoT CVE-2023-21687: (Important) Leak Windows HTTP.sys CVE-2023-21691: (Important) Leak Windows Protected EAP (PEAP) CVE-2023-21693: (Important) Leak Microsoft PostScript Printer Driver CVE-2023-21697: (Important) Leak Internet Storage Name Service CVE-2023-21699: (Important) Leak Internet Storage Name Service CVE-2023-21714: (Important) Leak Microsoft Office CVE-2023-23382: (Important) Leak Azure Machine Learning CVE-2023-21715: (Important) *Bypass Microsoft Office Publisher CVE-2023-21809: (Important) Bypass Microsoft Defender for Endpoint CVE-2023-21564: (Important) Spoof Azure DevOps CVE-2023-21570: (Important) Spoof Microsoft Dynamics CVE-2023-21571: (Important) Spoof Microsoft Dynamics CVE-2023-21572: (Important) Spoof Microsoft Dynamics CVE-2023-21573: (Important) Spoof Microsoft Dynamics CVE-2023-21721: (Important) Spoof Microsoft Office OneNote CVE-2023-21806: (Important) Spoof Power BI CVE-2023-21807: (Important) Spoof Microsoft Dynamics CVE-2023-21567: (Important) DoS Visual Studio CVE-2023-21700: (Important) DoS Windows iSCSI CVE-2023-21701: (Important) DoS Windows Protected EAP (PEAP) CVE-2023-21702: (Important) DoS Windows iSCSI CVE-2023-21722: (Important) DoS .NET Framework CVE-2023-21811: (Important) DoS Windows iSCSI CVE-2023-21813: (Important) DoS Windows Cryptographic Services CVE-2023-21816: (Important) DoS Windows Active Directory CVE-2023-21818: (Important) DoS Windows SChannel CVE-2023-21819: (Important) DoS Windows Cryptographic Services CVE-2023-21553: (Unknown ) RCE Azure DevOps
What to do?
Business users like to prioritise patches, rather than doing them all at once and hoping nothing breaks; we therefore put the Critical bugs at the top, along with the RCE holes, given that RCEs are typically used by crooks to get their initial foothold.
In the end, however, all bugs need to be patched, especially now that the updates are available and attackers can start “working backwards” by trying to figure out from the patches what sort of holes existed before the updates came out.
Reverse engineering Windows patches can be time-consuming, not least because Windows is a closed-source operating system, but it’s an awful lot easier to figure out how bugs work and how to exploit them if you’ve got a good idea where to start looking, and what to look for.
The sooner you get ahead (or the quicker you catch up, in the case of zero-day holes, which are bugs that the crooks found first), the less likely you’ll be the one who gets attacked.
So even if you don’t patch everything at once, we’re nevertheless going to say: Don’t delay/Get started today!
READ THE SOPHOSLABS ANALYSIS OF PATCH TUESDAY FOR MORE DETAILS