Microsoft has issued fixes for three zero-day bugs that attackers are actively exploiting today.

One of them, tracked as CVE-2023-21715, is a security feature bypass vulnerability in Microsoft Office that gives attackers a way around the Office macro policies that block untrusted files and content. The second is the Windows Common Log File System Driver Elevation of Privilege Vulnerability (CVE-2023-23376), which allows attackers to gain system-level privileges. The third is CVE-2023-21823, a remote code execution (RCE) bug in the Windows Graphics Component that also allows attackers to gain system-level access.

Zero-Day Trio

The three zero-day vulnerabilities were part of a much larger set of 78 new CVEs that Microsoft revealed in Tuesday’s monthly security update. The company rated 9 of these flaws as Critical in severity and the remaining 66 as posing a significant threat to organizations.

Nearly half (38) of the 78 vulnerabilities disclosed by Microsoft this month are remote code execution (RCE) bugs, a category of flaws that security researchers consider particularly severe. Privilege escalation bugs were the next largest category, followed by denial-of-service flaws and spoofing vulnerabilities.

Dustin Childs, Trend Micro’s head of threat awareness for ZDI, which reported eight vulnerabilities in this month’s update, said all of the bugs under active exploitation represent a critical risk because threat actors are already using them.

“The graphics component bug (CVE-2023-21823) worries me on two accounts,” he says. “Since it was discovered by Mandiant, it is possible that it was discovered by a team working on an incident response,” Childs said. That said, it is unclear how long threat actors have been using it. Also of concern, he points out, is that the update is delivered through the Microsoft Store.

“People who are disconnected or blocked from the store will have to manually apply the update,” he says.

Childs says that based on Microsoft’s description of CVE-2023-21715, the Microsoft Office security feature bypass vulnerability sounds like an elevation of privilege issue. “It’s always worrying when security features are not only bypassed, but exploited. Let’s hope the fix comprehensively addresses the issue.”

Ultimately, all three bugs that attackers are actively exploiting are of concern. But a threat actor would have to chain each of these bugs with some form of code execution bug to take over a system, Childs said.

Automox recommends that organizations running Microsoft 365 Apps for Enterprise patch CVE-2023-21715 within 24 hours. “This vulnerability is an actively exploited zero-day that allows attackers to create files that bypass Office security features,” Automox said in a blog post. This allows attackers to “execute malicious code on an end user’s device if they can coerce a user into downloading and opening a file on a vulnerable device via social engineering.”
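The macro policy that CVE-2023-21715 is described as bypassing is the Group Policy setting “Block macros from running in Office files from the Internet”, which keys on the Mark of the Web on downloaded files. The following PowerShell script is an added example, not code from the article, Microsoft or Automox: it audits whether that policy is enforced for the main Office applications on an endpoint and confirms a downloaded document still carries its Zone.Identifier stream. It assumes a 16.0 Office version key (Office 2016/2019/Microsoft 365 Apps), the documented policy value names BlockContentExecutionFromInternet and VBAWarnings, and a hypothetical file path for the MOTW check.

```powershell
# Added example (not from the article): audit the Office "block macros from the
# Internet" policy that CVE-2023-21715 is described as bypassing.
# Assumptions: Office registry version "16.0"; policy keys live under the
# Policies hives of HKLM and HKCU; run elevated to read HKLM policy keys.

$apps  = 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio'
$hives = 'HKLM', 'HKCU'

$report = foreach ($hive in $hives) {
    foreach ($app in $apps) {
        $key   = "${hive}:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Hive = $hive
            App  = $app
            # 1 = "Block macros from running in Office files from the Internet" enforced
            BlockMotW = if ($props) { $props.BlockContentExecutionFromInternet } else { $null }
            # VBAWarnings: 1 = enable all, 2 = disable with notification,
            # 3 = disable except digitally signed, 4 = disable all without notification
            VBAWarnings = if ($props) { $props.VBAWarnings } else { $null }
        }
    }
}
$report | Format-Table -AutoSize

# Flag applications for which neither hive enforces the Internet-macro block
$unprotected = $report | Group-Object App | Where-Object {
    -not ($_.Group | Where-Object { $_.BlockMotW -eq 1 })
} | Select-Object -ExpandProperty Name
if ($unprotected) {
    Write-Warning "No 'block macros from the Internet' policy found for: $($unprotected -join ', ')"
}

# The policy only applies to files that carry the Mark of the Web, so confirm a
# downloaded document still has its Zone.Identifier stream (hypothetical path)
$doc = Join-Path $env:USERPROFILE 'Downloads\sample.docm'
if (Test-Path $doc) {
    $zone = Get-Content -Path $doc -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($zone) { $zone } else { Write-Warning "No Zone.Identifier stream on $doc" }
}
```

A file without a Zone.Identifier stream is treated as local by the policy, which is why the audit pairs the registry check with the stream check; the fix for CVE-2023-21715 is still required, since the bug bypasses the policy even when it is correctly set.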

New Exchange Server Threats

Satnam Narang, Senior Staff Research Engineer at Tenable, highlights three vulnerabilities in Microsoft Exchange Server (CVE-2023-21706, CVE-2023-21707, CVE-2023-21529) as issues organizations should be aware of, since they are more likely to be exploited.

“Over the last few years, Microsoft Exchange Servers around the world have been plagued with multiple vulnerabilities ranging from ProxyLogon to ProxyShell and more recently ProxyNotShell, OWASSRF and TabShell,” Narang said in a statement.

In recent years, Exchange flaws have become a valuable commodity for state-sponsored attackers, he said. “We strongly recommend that organizations that rely on Microsoft Exchange Server ensure that they apply the latest cumulative updates for Exchange Server.”

Microsoft PEAP RCE Bugs

Meanwhile, researchers from Cisco’s Talos threat intelligence group point out that three RCE bugs in Microsoft Protected Extensible Authentication Protocol (PEAP) are among the most critical bugs in Microsoft’s February 2023 security update.

These flaws, tracked as CVE-2023-21689, CVE-2023-21690, and CVE-2023-21692, allow an authenticated attacker to trigger malicious code in the context of the server’s account.

“Almost all Windows versions are vulnerable, including the latest Windows 11,” the company said in a statement.

According to Automox, CVE-2023-21689, one of the three critical PEAP vulnerabilities, allows attackers to take over the server account and trigger malicious code via network calls.

“Since this vulnerability is highly targeted and relatively easy for an attacker to exploit, we recommend that you either patch it or ensure that your network policy does not configure PEAP as an allowed EAP type. We encourage you to check it out,” the company said in a post. Affected organizations that run Network Policy Server on Windows and have policies that allow PEAP should patch the vulnerability within 72 hours, Automox advised.
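Automox’s advice above has two parts: confirm whether the host runs Network Policy Server at all, and check whether any network policy lists PEAP as an allowed EAP type. The PowerShell script below is an added example, not code from the article, Automox or Microsoft, that does both from an elevated session on the NPS host. It assumes the NPS service name IAS, the Export-NpsConfiguration cmdlet from the NPS PowerShell module, and (an assumption about the export format) that allowed EAP methods appear in msNPAllowedEapType elements whose hex value begins with the IANA EAP type number, so 0x19 (25) is PEAP, 0x0d (13) EAP-TLS and 0x1a (26) EAP-MSCHAPv2.

```powershell
# Added example (not from the article or Automox): does this server run NPS,
# and does any network policy allow PEAP (IANA EAP type 25)?
# Assumptions: run elevated on the NPS host; Export-NpsConfiguration is
# available; the exported XML stores each allowed EAP method in an
# msNPAllowedEapType element whose hex value starts with the EAP type byte.

$nps = Get-Service -Name IAS -ErrorAction SilentlyContinue
if (-not $nps) {
    Write-Output 'NPS (service IAS) is not installed here; the server-side PEAP exposure does not apply.'
    return
}
Write-Output "NPS service state: $($nps.Status)"

$export = Join-Path $env:TEMP 'nps-audit.xml'
Export-NpsConfiguration -Path $export
[xml]$cfg = Get-Content -Path $export -Raw

# IANA EAP method type numbers most often seen in NPS policies
$eapNames = @{ 13 = 'EAP-TLS'; 25 = 'PEAP'; 26 = 'EAP-MSCHAPv2' }

$findings = foreach ($node in $cfg.SelectNodes('//msNPAllowedEapType')) {
    $hex = $node.InnerText -replace '\s', ''
    if ($hex.Length -lt 2) { continue }
    # first byte of the blob = EAP type (assumption about the export format)
    $type = [Convert]::ToInt32($hex.Substring(0, 2), 16)

    # walk up to the nearest named ancestor, which is the policy element
    $policy = $node.ParentNode
    while ($policy -is [System.Xml.XmlElement] -and -not $policy.HasAttribute('name')) {
        $policy = $policy.ParentNode
    }
    [pscustomobject]@{
        Policy  = if ($policy -is [System.Xml.XmlElement]) { $policy.GetAttribute('name') } else { '(unknown)' }
        EapType = $type
        Method  = if ($eapNames.ContainsKey($type)) { $eapNames[$type] } else { "type $type" }
    }
}
$findings | Format-Table -AutoSize

if ($findings | Where-Object EapType -eq 25) {
    Write-Warning 'At least one network policy allows PEAP: apply the February 2023 update, or remove PEAP from the allowed EAP types if it is not needed.'
} else {
    Write-Output 'No network policy allows PEAP on this server.'
}

# The export contains RADIUS shared secrets in the clear; do not leave it on disk
Remove-Item -Path $export -ErrorAction SilentlyContinue
```

Patching remains the primary fix; removing PEAP from the allowed EAP types is only a mitigation for deployments that do not use it, and the exported configuration should be deleted after the check because it includes shared secrets.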