Microsoft unveils fixes for more critical security flaws, so patch now
Microsoft has released this month’s Patch Tuesday security update, which fixes a total of 77 bugs, including three zero-day vulnerabilities.
A zero-day is a very serious vulnerability that has not yet been patched and that a threat actor can use to conduct destructive cyber-attacks. Since this month’s patch fixes three such bugs, Microsoft encourages users to apply the fix as soon as possible.
The three zero-days that have been fixed are CVE-2023-21823 (Windows Graphics Component Remote Code Execution), CVE-2023-21715 (Microsoft Publisher Security Features Bypass), and CVE-2023-23376 (Elevation of Privilege Vulnerability). These three enabled threat actors to remotely execute code, bypass Office macro policies, or gain system privileges.
Updates through Microsoft Store
Microsoft also said it will push this update to users through the Microsoft Store, not Windows Update. This means that customers who have disabled automatic updates in the Microsoft Store will not get the patch automatically and will have to apply it themselves.
The company did not provide details about who used these vulnerabilities in attacks, or where, but it did say that exploiting CVE-2023-21715 could enable a malicious Publisher document to run without warning the user.
The attack itself is executed locally by a user with authentication to the targeted system. “An authenticated attacker could exploit the vulnerability by using social engineering to convince a victim to download and open a specially crafted file from a website, which could lead to a local attack on the victim’s computer.”
The February 2023 Patch Tuesday cumulative update addresses a total of nine vulnerabilities classified as “critical”, which could allow remote code execution.
In total, Microsoft has addressed 12 elevation of privilege vulnerabilities, two security feature bypasses, 38 remote code execution flaws, 8 information disclosure vulnerabilities, 10 denial of service vulnerabilities, and 8 spoofing flaws. Earlier this month, Microsoft released fixes for three additional vulnerabilities in the Edge browser, which are not part of this update.
Via: BleepingComputer