Major New Windows Security Update: 7 Critical & 3 Zero-Day Threats Confirmed
Microsoft has just released a major new security update in the form of the perfect Valentine’s Day present for Windows users. Patch Tuesday fell on February 14, and we all know how much cyber criminals love Windows vulnerabilities. This new security update applies fixes for a total of 76 such security holes, including seven rated critical and three zero-day vulnerabilities that Microsoft says have already been exploited in the wild. The full list can be found in the latest Microsoft Security Update Guide.
Windows users get a nasty surprise
Patch Tuesday often contains a nasty surprise or two, but this month there are three.
Unfortunately, these come in the form of vulnerabilities already known to be exploited in the wild. Of these zero-days, two directly impact users of Windows 10 and Windows 11, as well as most versions of Windows Server from 2008 on. The third impacts users of Microsoft Publisher, with a successful attack that could lead to the takeover of the computer. Although, as is customary under these circumstances, there has been little technical detail published by Microsoft concerning these zero-day threats (more will come once all users have had the opportunity to apply the updates), here’s what we do know.
CVE-2023-21823: A Windows remote code execution zero-day
CVE-2023-21823 is likely the most critical of the three zero-days. Not only does it impact users of Windows 10 and 11, as well as most versions of Windows Server from 2008 up, but it is also a remote code execution (RCE) vulnerability. This means that an attacker could run code on your machine without being logged on, in the same way as if they were an authenticated user. Microsoft says a successful exploit means an attacker “could gain SYSTEM privileges.” Beyond this, all we know right now is that the vulnerability is in the Windows Graphic Component.
“This vulnerability is relatively simple to exploit, utilizes local vectors, and requires low levels of access,” Mike Walters, vice president of vulnerability and threat research at Action1, said, “with no need for user interaction.”
The really critical takeaway here is that this is one of those patches that isn’t implemented via Windows Update but rather via the Microsoft Store. So, if you have disabled Microsoft Store automatic updates, it won’t get installed. “It is crucial to install the necessary updates as soon as possible,” Walters confirmed.
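Because this fix arrives through the Microsoft Store rather than Windows Update, an administrator may want to confirm that Store auto-updates are not blocked before assuming the patch landed. The following PowerShell check is an added example, not from the article: it reads the standard Store auto-download policy key, reports its effect, and optionally triggers a Store update scan through the MDM bridge. The registry path, value meanings and WMI class are assumed standard Windows locations, not values taken from the article, and the scan requires an elevated (or SYSTEM) session.

```powershell
# Added example (not from the article): verify that Microsoft Store
# automatic updates are allowed and, optionally, kick off a Store update scan.
# Assumptions: standard Windows 10/11 policy key and MDM bridge class;
# run in an elevated PowerShell session.

$StorePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'

function Get-StoreAutoUpdateState {
    # AutoDownload: 2 = auto-updates turned off by policy, 4 = turned on.
    # Absent value = no policy set, so the user-level Store setting applies.
    $props = Get-ItemProperty -Path $StorePolicyKey -ErrorAction SilentlyContinue
    $state = [ordered]@{
        PolicyKeyPresent   = [bool]$props
        AutoDownloadValue  = $props.AutoDownload
        StoreRemovedByGPO  = ($props.RemoveWindowsStore -eq 1)
    }
    $state.Verdict = switch ($props.AutoDownload) {
        2       { 'BLOCKED: Store auto-updates disabled by policy; Store-delivered fixes will not install automatically' }
        4       { 'OK: Store auto-updates enabled by policy' }
        default { 'UNSET: no policy; check the per-user toggle in Microsoft Store settings' }
    }
    [pscustomobject]$state
}

function Start-StoreUpdateScan {
    # Asks the Store to scan for app updates now, via the MDM bridge class.
    # Needs elevation; returns the method's ReturnValue (0 = success).
    $mgmt = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' `
        -ClassName 'MDM_EnterpriseModernAppManagement_AppManagement01' -ErrorAction Stop
    $result = Invoke-CimMethod -InputObject $mgmt -MethodName 'UpdateScanMethod'
    return $result.ReturnValue
}

# Usage: report the policy state, then request a scan only when updates are not blocked.
$state = Get-StoreAutoUpdateState
$state | Format-List
if ($state.AutoDownloadValue -ne 2 -and -not $state.StoreRemovedByGPO) {
    $rc = Start-StoreUpdateScan
    Write-Host "Store update scan requested (ReturnValue=$rc)"
}
```

Where the verdict is BLOCKED, the fix is to set `AutoDownload` to 4 (or clear the policy) through Group Policy or MDM and re-run the scan, rather than editing the key by hand on each host.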
CVE-2023-23376: A Windows elevation of privilege zero-day
CVE-2023-23376 impacts much the same userbase as CVE-2023-21823, but rather than being an RCE it is an elevation of privilege (EOP) vulnerability. If successfully exploited, this kind of vulnerability usually allows an attacker with normal user access privileges to boost these up to the system level. A vulnerability within the Windows Common Log File System driver, CVE-2023-23376, can do just that, according to the Microsoft Security Response Center update guide notification.
“This vulnerability is relatively simple to exploit and utilizes local vectors,” Walters said, “requiring only low levels of access and no user interaction.”
CVE-2023-21715: A Microsoft Publisher security feature bypass zero-day
CVE-2023-21715 is one for users of Microsoft Publisher to worry about. It enables an attacker to get around security features, specifically the blocking of potentially malicious Office macros. If successful, the attacker could have those macros running in a document without any warning flagged to the user.
It’s a major security update
“While this month’s Patch Tuesday update is smaller than the fixes released in January,” Mark Lamb, CEO of HighGround.io, said, “the fact that three actively exploited Zero Days are being addressed, and that 12 of the bugs relate to the elevation of privileges, this means it’s still a pretty major update.” Lamb advises organizations that are able to enable Auto Patch to do so as soon as possible. Auto Patch will, Lamb said, “alleviate a massive burden off over-stretched IT teams and will help keep systems secure and up to date.”
Meanwhile, Richard Hollis, CEO of Risk Crew, called the new security update crucial and overdue. “The critical patches addressing remote code execution alone are essential given the dramatic increase in work-from-home users,” Hollis warned, “but the three addressing the zero-day CVEs are mission-critical in today’s threat landscape. Don’t leave work without getting these sorted.”
All users should keep an eye out for the Windows update and apply it as soon as possible to be protected from the applicable zero-days and other critical and important-rated vulnerabilities.