Three zero-days require urgent attention for Windows, Exchange

Microsoft’s February Patch Tuesday update deals with 76 vulnerabilities that affect Windows, Exchange, Office, and Microsoft development tools — and three Windows vulnerabilities (CVE-2023-21823, CVE-2023-21715 and CVE-2023-23376) have been reported as exploited in the wild and require immediate attention.

Though it gets a lower rating from Microsoft, the Exchange issues also warrant a rapid response. Meanwhile, the Microsoft Office and development platform updates can be added to your regular release schedule.

The team at Readiness has provided this infographic that outlines the risks associated with each of the updates in this month’s update.

Microsoft includes a list of known issues that relate to the operating system and platforms in the latest updates:

If you are still using Microsoft’s Windows Server 2012 for domain authentication, you may experience the following known issue: domain join operations might be unsuccessful and error “0xaac (2732): NERR_AccountReuseBlockedByPolicy” occurs. Additionally, text saying, “An account with the same name exists in Active Directory. Re-using the account was blocked by security policy” might be displayed. Microsoft has provided additional guidance (KB5020276) on managing this issue as part of the ESU program.

Microsoft published three major revisions this month:

Microsoft has published the following vulnerability-related mitigations for this release:

Each month, the team at Readiness analyses the latest Patch Tuesday updates and provides detailed, actionable testing guidance. This is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on Windows and application installations.

Given the large number of changes included this month, I have broken down the testing scenarios into high-risk and standard-risk groups:

As all the high-risk changes affect the Windows printing subsystem again this month, we have not seen any published functionality changes. We strongly recommend the following printing focused testing:

All these scenarios will require significant application-level testing before a general deployment of the update. In addition, we suggest a general test of the following printing features:

Though you won’t have to conduct large file transfer testing this month, we highly recommend testing (very) long UNC paths from different machines. Our focus was on network paths accessing multiple machines across different versions of Windows. In addition to these scenarios, Microsoft updated the system kernel and core graphics components (GDI). Definitely “smoke test” your core or line-of-business apps and pay attention to graphics-intensive applications.

Given the rapid changes and frequent updates to applications (and their dependencies) in a modern application portfolio, ensure that your systems are “cleanly” uninstalling previous application versions. Leaving legacy applications or remnant components could expose your system to patched vulnerabilities.

This section contains important changes to servicing (and most security updates) to Windows desktop and server platforms. With Windows 10 21H2 now out of mainstream support, the following Microsoft applications will reach end of mainstream support or servicing in 2023:

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

Microsoft released three updates to its (Chromium) Edge browser: CVE-2023-21794, CVE-2023-23374 and CVE-2023-21720 . You can find Microsoft’s version of these release notes here and the Google Desktop channel release notes here. There were no other updates to Microsoft browser (or rendering engines) this month. Add these updates to your standard patch release schedule.

Microsoft released four critical updates and 32 “important” patches to the Windows platform that cover the following key components:

While the Microsoft PEAP authentication remote code vulnerabilities (CVE-2023-21689 and CVE2023-21690) are the most worrisome, the remaining updates that solely affect Windows are not as dangerous as we’ve seen in the past. Unfortunately, three Windows vulnerabilities (CVE-2023-21823, CVE-2023-21715 and CVE-2023-23376) have been reported as exploited in the wild. As a consequence, add this update to your “Patch Now” release schedule.

Microsoft released a patch addressing a critical vulnerability (CVE-2023-21706) in Microsoft Word that could lead to remote code execution. There are five other updates for the Office platform (including SharePoint), all rated important. We have not had any reports of exploits in the wild for the critical Word issue, so we recommend that you add these Office updates to your standard-release schedule.

We are going to have to break some rules this month. Microsoft has released four patches to Microsoft Exchange Server (CVE-2023-21706, CVE-2023-21707, CVE-2023-21529, CVE-2023-21710) all of which are rated important. Unfortunately, CVE-2023-21529 could lead to remote code execution and really could be classed as a critical vulnerability.

This vulnerability does not require user interaction, is accessible via remote systems and does not require local privileges on the local system. All supported versions of Exchange are vulnerable. We are seeing reports of Exchange crypto-mining attacks already. We are going to add CVE-2023-21529 to our “Patch Now” schedule.

Microsoft released three critical updates affecting Visual Studio and .NET (CVE-2023-21808, CVE-2023-21815 and CVE-2023-23381) that could lead to arbitrary code execution. On initial examination, it appears that these were remote accessible, significantly raising the risks, but these developer-related vulnerabilities all require local access. Coupled with five other elevation of privilege vulnerabilities also affecting Microsoft Visual Studio (all rated important) as well, we don’t see an urgent patch requirement. Add these updates to your standard developer release schedule.

No updates from Adobe for Reader or Acrobat this month. That said, Adobe has released a number of security updates for its other products with APSB23-02. I think that we have enough printing and some Microsoft XPS issues to test and deploy to keep us busy.

http://www.computerworld.com/category/security/index.rss

Leave a Reply