Microsoft Patch Tuesday: 36 RCE bugs, 3 zero-days, 75 CVEs

Credit to Author: Paul Ducklin| Date: Tue, 14 Feb 2023 22:12:35 +0000

Deciphering Microsoft’s official Update Guide web pages is not for the faint-hearted.

Most of the information you need, if not everything you’d really like to know, is there, but there’s such a dizzing number of ways to view it, and so many generated-on-the-fly pages are needed to display it, that it can be tricky to find out what’s truly new, and what’s truly important.

Should you search by the operating system platforms affected?

By the severity of the vulnerabilies? By the likelihood of exploitation?

Should you sort the zero-days to the top?

(We don’t think you can – we think there are three zero-days in this month’ list, but we had to drill into individual CVE pages and search for the text “Exploitation detected” in order to be sure that a specific bug was already known to cybercriminals.)

What’s worse, an EoP or an RCE?

Is a Critical elevation of privilege (EoP) bug more alarming than an Important remote code execution (RCE)?

The former type of bug requires cybercriminals to break in first, but probably gives them a way to take over completely, typically getting them the equivalent of sysadmin powers or operating system-level control.

The second type of bug might only get the crooks in with the lowly access privileges of little old you, but it nevertheless gets them onto the network in the first place.

Of course, while everyone else might breathe a sigh of relief if an attacker wasn’t able to get access to their stuff, that’s cold comfort for you, if you’re the one who did get attacked.

We counted 75 CVE-numbered bugs dated 2023-02-14, given that this year’s February updates arrived on Valentine’s Day.

(Actually, we fond 76, but we ignored one bug that didn’t have a severity rating, was tagged CVE-2019-15126, and seems to boil down to a report about unsupported Broadcom Wi-Fi chips in Microsoft Hololens devices – if you have a Hololens and have any advice for other readers, please let us know in the comments below.)

We extracted a list and included it below, sorted so that the bugs dubbed Critical are at the top (there are seven of them, all RCE-class bugs).

You can also read the SophosLabs analysis of Patch Tuesday for more details.



Security bug classes explained

If you’re not familiar with the bug abbreviations shown below, here’s a high-speed guide to security flaws:

  • RCE means Remote Code Execution. Attackers who aren’t currently logged on to your computer could trick it into running a fragment of program code, or even a full-blown program, as if they had authenticated access. Typically, on desktops or servers, the criminals use this sort of bug to implant code that allows them to get back in at will in future, thus establishing a beachhead from which to kick off a network-wide attack. On mobile devices such as phones, the crooks may use RCE bugs to leave behind spyware that will track you from then on, so they don’t need to break in over and over again to keep their evil eyes on you.
  • EoP means Elevation of Privilege. As mentioned above, this means crooks can boost their access rights, typically acquiring the same sort of powers that an official sysadmin or the operating itself would usually enjoy. Once they have system-level powers, they are often able to roam freely on your network, steal secure files even from restricted-access servers, create hidden user accounts for getting back in later, or map out your entire IT estate in preparation for a ransomware attack.
  • Leak means that security-related or private data might escape from secure storage. Sometimes, even apparently minor leaks, such as the location of specific operating system code in memory, which an attacker isn’t supposed to be able to predict, can give criminals the information they need to turn an probably unsuccessful attack into an almost certainly successful one.
  • Bypass means that a security protection you’d usually expect to keep you safe can be skirted. Crooks typically exploit bypass vulnerabilities to trick you into trusting remote content such as email attachments, for example by finding a way to avoid the “content warnings” or to circumvent the malware detection that are supposed to keep you safe.
  • Spoof means that content can be made to look more trustworthy than it really is. For example, attackers who lure you to a fake website that shows up in your browser with an official server name in the address bar (or what looks like the address bar)are much likely to trick you into handing over personal data than if they’re forced to put their fake content on a site that clearly isn’t the one you’d expect.
  • DoS means Denial of Service. Bugs that allow network or server services to be knocked offline temporarily are often considered low-grade flaws, assuming that the bug doesn’t then allow attackers to break in, steal data or access anything they shouldn’t. But attackers who can reliably take down parts of your network may be able to do so over and over again in a co-ordinated way, for example by timing their DoS probes to happen every time your crashed servers restart. This can be extremely disruptive, esepcially if you are running an online business, and can also be used as a distraction to draw attention away from other illegal activities that the crooks are doing on your network at the same time.

The big bug list

The 75-strong bug list is here, with the three zero-days we know about marked with an asterisk (*):

  NIST ID          Level        Type    Component affected  ---------------  -----------  ------  ----------------------------------------  CVE-2023-21689:  (Critical)   RCE     Windows Protected EAP (PEAP) 	  CVE-2023-21690:  (Critical)   RCE     Windows Protected EAP (PEAP) 	  CVE-2023-21692:  (Critical)   RCE     Windows Protected EAP (PEAP) 	  CVE-2023-21716:  (Critical)   RCE     Microsoft Office Word 	  CVE-2023-21803:  (Critical)   RCE     Windows iSCSI 	  CVE-2023-21815:  (Critical)   RCE     Visual Studio 	  CVE-2023-23381:  (Critical)   RCE     Visual Studio 	  CVE-2023-21528:  (Important)  RCE     SQL Server 	  CVE-2023-21529:  (Important)  RCE     Microsoft Exchange Server 	  CVE-2023-21568:  (Important)  RCE     SQL Server 	  CVE-2023-21684:  (Important)  RCE     Microsoft PostScript Printer Driver 	  CVE-2023-21685:  (Important)  RCE     Microsoft WDAC OLE DB provider for SQL 	  CVE-2023-21686:  (Important)  RCE     Microsoft WDAC OLE DB provider for SQL 	  CVE-2023-21694:  (Important)  RCE     Windows Fax and Scan Service 	  CVE-2023-21695:  (Important)  RCE     Windows Protected EAP (PEAP) 	  CVE-2023-21703:  (Important)  RCE     Azure Data Box Gateway 	  CVE-2023-21704:  (Important)  RCE     SQL Server 	  CVE-2023-21705:  (Important)  RCE     SQL Server 	  CVE-2023-21706:  (Important)  RCE     Microsoft Exchange Server 	  CVE-2023-21707:  (Important)  RCE     Microsoft Exchange Server 	  CVE-2023-21710:  (Important)  RCE     Microsoft Exchange Server 	  CVE-2023-21713:  (Important)  RCE     SQL Server 	  CVE-2023-21718:  (Important)  RCE     SQL Server 	  CVE-2023-21778:  (Important)  RCE     Microsoft Dynamics 	  CVE-2023-21797:  (Important)  RCE     Windows ODBC Driver 	  CVE-2023-21798:  (Important)  RCE     Windows ODBC Driver 	  CVE-2023-21799:  (Important)  RCE     Microsoft WDAC OLE DB provider for SQL 	  CVE-2023-21801:  (Important)  RCE     Microsoft PostScript Printer Driver 	  CVE-2023-21802:  (Important)  RCE     Microsoft Windows Codecs Library 	  CVE-2023-21805:  (Important)  RCE     Windows MSHTML Platform 	  CVE-2023-21808:  (Important)  RCE     .NET and Visual Studio 	  CVE-2023-21820:  (Important)  RCE     Windows Distributed File System (DFS) 	  CVE-2023-21823:  (Important) *RCE     Microsoft Graphics Component  CVE-2023-23377:  (Important)  RCE     3D Builder 	  CVE-2023-23378:  (Important)  RCE     3D Builder 	  CVE-2023-23390:  (Important)  RCE     3D Builder 	  CVE-2023-21566:  (Important)  EoP     Visual Studio 	  CVE-2023-21688:  (Important)  EoP     Windows ALPC 	  CVE-2023-21717:  (Important)  EoP     Microsoft Office SharePoint 	  CVE-2023-21777:  (Important)  EoP     Azure App Service 	  CVE-2023-21800:  (Important)  EoP     Windows Installer 	  CVE-2023-21804:  (Important)  EoP     Microsoft Graphics Component 	  CVE-2023-21812:  (Important)  EoP     Windows Common Log File System Driver 	  CVE-2023-21817:  (Important)  EoP     Windows Kerberos 	  CVE-2023-21822:  (Important)  EoP     Windows Win32K 	  CVE-2023-23376:  (Important) *EoP     Windows Common Log File System Driver 	  CVE-2023-23379:  (Important)  EoP     Microsoft Defender for IoT 	  CVE-2023-21687:  (Important)  Leak    Windows HTTP.sys 	  CVE-2023-21691:  (Important)  Leak    Windows Protected EAP (PEAP) 	  CVE-2023-21693:  (Important)  Leak    Microsoft PostScript Printer Driver 	  CVE-2023-21697:  (Important)  Leak    Internet Storage Name Service 	  CVE-2023-21699:  (Important)  Leak    Internet Storage Name Service 	  CVE-2023-21714:  (Important)  Leak    Microsoft Office 	  CVE-2023-23382:  (Important)  Leak    Azure Machine Learning 	  CVE-2023-21715:  (Important) *Bypass  Microsoft Office Publisher   CVE-2023-21809:  (Important)  Bypass  Microsoft Defender for Endpoint 	  CVE-2023-21564:  (Important)  Spoof   Azure DevOps 	  CVE-2023-21570:  (Important)  Spoof   Microsoft Dynamics 	  CVE-2023-21571:  (Important)  Spoof   Microsoft Dynamics 	  CVE-2023-21572:  (Important)  Spoof   Microsoft Dynamics 	  CVE-2023-21573:  (Important)  Spoof   Microsoft Dynamics 	  CVE-2023-21721:  (Important)  Spoof   Microsoft Office OneNote 	  CVE-2023-21806:  (Important)  Spoof   Power BI 	  CVE-2023-21807:  (Important)  Spoof   Microsoft Dynamics 	  CVE-2023-21567:  (Important)  DoS     Visual Studio 	  CVE-2023-21700:  (Important)  DoS     Windows iSCSI 	  CVE-2023-21701:  (Important)  DoS     Windows Protected EAP (PEAP) 	  CVE-2023-21702:  (Important)  DoS     Windows iSCSI 	  CVE-2023-21722:  (Important)  DoS     .NET Framework 	  CVE-2023-21811:  (Important)  DoS     Windows iSCSI 	  CVE-2023-21813:  (Important)  DoS     Windows Cryptographic Services 	  CVE-2023-21816:  (Important)  DoS     Windows Active Directory 	  CVE-2023-21818:  (Important)  DoS     Windows SChannel 	  CVE-2023-21819:  (Important)  DoS     Windows Cryptographic Services 	  CVE-2023-21553:  (Unknown  )  RCE     Azure DevOps 	  

What to do?

Business users like to prioritise patches, rather than doing them all at once and hoping nothing breaks; we therefore put the Critical bugs at the top, along with the RCE holes, given that RCEs are typically used by crooks to get their initial foothold.

In the end, however, all bugs need to be patched, especially now that the updates are available and attackers can start “working backwards” by trying to figure out from the patches what sort of holes existed before the updates came out.

Reverse engineering Windows patches can be time-consuming, not least because Windows is a closed-source operating system, but it’s an awful lot easier to figure out how bugs work and how to exploit them if you’ve got a good idea where to start looking, and what to look for.

The sooner you get ahead (or the quicker you catch up, in the case of zero-day holes, which are bugs that the crooks found first), the less likely you’ll be the one who gets attacked.

So even if you don’t patch everything at once, we’re nevertheless going to say: Don’t delay/Get started today!


READ THE SOPHOSLABS ANALYSIS OF PATCH TUESDAY FOR MORE DETAILS


http://feeds.feedburner.com/NakedSecurity

Leave a Reply