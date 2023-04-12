



While some older patches resurfaced on April’s Patch Tuesday, the Windows flaws that were actively being attacked before Microsoft released its monthly security updates took the top spot.

In total, Microsoft addressed 97 unique new CVEs and provided updates for 5 older vulnerabilities for a total of 102 vulnerabilities this month. Seven of the new CVEs were rated as critical.

Microsoft squashes an actively exploited Windows bug

A Windows zero-day affecting Windows desktop and server systems, including Windows Server 2008/2008 R2, requires immediate attention from administrators. CVE-2023-28252 is an elevation of privilege vulnerability in the Windows Common Log File System Driver rated Important.

Exploiting this bug requires no user interaction; the attacker only needs to be authenticated on the network. An attacker who successfully exploited this vulnerability could gain system-level privileges on a machine and, from there, wide-ranging access throughout an affected organization’s infrastructure.

10-Year-Old Vulnerability Reappears

A bug from 2013 resurfaced in both January’s and this month’s Microsoft security update releases. Administrators who decide to implement the fix must apply it manually.

The WinVerifyTrust Signature Validation (CVE-2013-3900) vulnerability is rated Important for supported Windows desktop and server systems. Microsoft first disclosed this vulnerability on December 10, 2013.

In January, Microsoft notified customers of the steps required to mitigate this vulnerability on supported Windows systems, and the April Patch Tuesday update adds several affected products, including some Server Core installations, to the list.

The fix is applied by an administrator through a Windows registry setting that enables stricter Authenticode signature verification, subjecting an application’s digital signature to greater scrutiny.
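As an added example (not code from the article or from Microsoft), the following PowerShell opts a system in to the stricter WinVerifyTrust check and then re-validates a signed binary so the administrator can see the effect. The registry key and the EnableCertPaddingCheck value are the ones Microsoft documents for CVE-2013-3900; the notepad.exe path is only a sample file to check, and the script assumes it is run from an elevated session.

```powershell
# Added example: enable the opt-in Authenticode padding check (CVE-2013-3900)
# and verify the setting, then re-check a signed executable. Run elevated.

# Both registry views must be set on 64-bit Windows so 32-bit callers of
# WinVerifyTrust get the same behaviour; the WOW6432Node path does not apply on 32-bit.
$configPaths = @('HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config')
if ([Environment]::Is64BitOperatingSystem) {
    $configPaths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
}

function Enable-CertPaddingCheck {
    foreach ($path in $configPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # Microsoft documents the value as REG_SZ "1", not a DWORD.
        New-ItemProperty -Path $path -Name 'EnableCertPaddingCheck' `
            -PropertyType String -Value '1' -Force | Out-Null
    }
}

function Test-CertPaddingCheck {
    # Returns one row per registry view; Enforced is $true only when the value is "1".
    foreach ($path in $configPaths) {
        $value = (Get-ItemProperty -Path $path -Name 'EnableCertPaddingCheck' `
                    -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        [pscustomobject]@{
            Path                   = $path
            EnableCertPaddingCheck = $value
            Enforced               = ($value -eq '1')
        }
    }
}

Enable-CertPaddingCheck
Test-CertPaddingCheck | Format-Table -AutoSize

# After the change, a binary whose signature relied on extra data appended to the
# signature block no longer reports Status = Valid. Sample file path is a placeholder.
Get-AuthenticodeSignature -FilePath "$env:SystemRoot\System32\notepad.exe" |
    Select-Object Status, StatusMessage,
        @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } }
```

Because the check is opt-in, the useful part for a fleet is Test-CertPaddingCheck: run it through your configuration management tooling to find hosts where one registry view was set and the other was missed.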

Chris Goettl, Ivanti’s vice president of security product management, said Microsoft made the fix optional.


“There may be some edge cases that could be exploited in some environments, but the risk is low. Otherwise Microsoft would have treated it more forcefully some time ago.”

Another patch from the past returns

Microsoft’s April Patch Tuesday security updates also fix a remote code execution flaw in curl rated Important (CVE-2022-43552) and first reported on February 9th. The bug in the open source tool affects several Microsoft products, including Windows desktop and server systems and version 2.0 of CBL-Mariner, a Linux OS used by Microsoft cloud and edge products.

In March’s Patch Tuesday release, Microsoft reported that a fix was in development and indicated that more affected products had been found that use the data transfer tool. Curl version 7.87.0 fixes the vulnerability. After patching a Windows system, administrators must undo the mitigation that blocked curl execution in order to resume using the tool.
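Before lifting a block on curl.exe, it is worth confirming that the patched binary is actually in place. The PowerShell below is an added example (not from the article or from Microsoft): it reads the bundled curl’s version and compares it with 7.87.0, the fixed release the article names. It reads the file’s version resource first, because an execution-blocking rule may still stop `curl.exe --version` from running; the System32 path and the fallback order are this example’s own assumptions.

```powershell
# Added example: verify the curl shipped with Windows is at or above the fixed
# release before removing the mitigation that blocked curl execution.
$FixedVersion = [version]'7.87.0'   # fixed release named in the article

function Get-CurlVersion {
    param([string]$Path = "$env:SystemRoot\System32\curl.exe")  # assumed default path

    if (-not (Test-Path -Path $Path)) { return $null }

    # Preferred: the version resource, which does not require executing the file
    # (an application-control block rule may still be in force).
    $fileVersion = (Get-Item -Path $Path).VersionInfo.FileVersion
    if ($fileVersion -match '(\d+\.\d+\.\d+)') { return [version]$Matches[1] }

    # Fallback: parse the first line of `curl --version`, e.g. "curl 7.87.0 (Windows) ..."
    try {
        $firstLine = & $Path --version 2>$null | Select-Object -First 1
        if ($firstLine -match '^curl\s+(\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    } catch { }
    $null
}

function Test-CurlPatched {
    param([string]$Path = "$env:SystemRoot\System32\curl.exe")
    $found = Get-CurlVersion -Path $Path
    [pscustomobject]@{
        Path        = $Path
        Installed   = $found
        Required    = $FixedVersion
        # $null (not found / unparseable) is reported as not patched so it gets a look.
        Patched     = ($null -ne $found -and $found -ge $FixedVersion)
    }
}

Test-CurlPatched | Format-List
```

Only remove the execution block once Patched reports True; a $null Installed value means the file was missing or its version string did not parse, which deserves a manual look rather than an assumption that the update applied.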

Windows Domain Controller Fix Delayed

Administrators who were preparing for the April patch update related to the Windows Kerberos Elevation of Privilege Vulnerability now have more time to prepare for the domain controller change.

Microsoft originally planned to implement Phase 3 of the multi-phase rollout of the Kerberos protocol changes on April 11th. The company did not explain the reason for the delay.

The Kerberos changes are due to the CVE-2022-37967 vulnerability, which was first disclosed on November 8th, 2022.

Phase 3 of this hardening procedure does not allow the Privilege Attribute Certificate (PAC) signature to be disabled.

By October 10th, administrators should implement what Microsoft calls the “Full Enforcement Phase” to fully mitigate the issue by blocking vulnerable connections from non-compliant devices.
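The phases above are driven by the KrbtgtFullPacSignature registry value on domain controllers, and the audit events the KDC writes before enforcement show which clients would be blocked once Full Enforcement is reached. The following PowerShell is an added example (not from the article or from Microsoft) for checking where a domain controller stands. The registry path, the value name, and the KDC event IDs 42, 43 and 44 are taken from Microsoft’s KB5020805 guidance for CVE-2022-37967; the mode descriptions in the table are this example’s summary of that guidance and should be checked against the current KB text, and the script assumes it is run elevated on a domain controller.

```powershell
# Added example: report a domain controller's KrbtgtFullPacSignature setting for
# the CVE-2022-37967 rollout and list the KDC audit events that identify
# non-compliant tickets. Run elevated on a DC.
$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

# Value meanings summarised from KB5020805 (assumption: verify against the current KB).
$Modes = @{
    0 = 'Disabled: new PAC signatures not added (vulnerable)'
    1 = 'Signatures added but not validated'
    2 = 'Audit: signatures validated, problems logged, tickets allowed'
    3 = 'Full Enforcement: tickets without a valid PAC signature are rejected'
}

function Get-PacSignatureMode {
    $value = (Get-ItemProperty -Path $KdcKey -Name 'KrbtgtFullPacSignature' `
                -ErrorAction SilentlyContinue).KrbtgtFullPacSignature
    [pscustomobject]@{
        Value       = $value          # $null means the update's default applies
        Description = if ($null -eq $value) { 'Not set: update default in effect' }
                      else { $Modes[[int]$value] }
        FullEnforcement = ($value -eq 3)
    }
}

function Get-PacSignatureAuditEvents {
    param([int]$Days = 7)
    # KDC audit events for tickets whose full PAC signature is missing or invalid.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 42, 43, 44
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

Get-PacSignatureMode | Format-List
# Group by event ID so the count of affected tickets per failure type is visible.
Get-PacSignatureAuditEvents -Days 7 | Group-Object Id |
    Select-Object @{ Name = 'EventId'; Expression = { $_.Name } }, Count
```

Run this on every domain controller, not just one: the value is per-DC, and a single DC left at a lower setting keeps accepting the tickets the others reject. An empty audit-event result over a representative window is the signal that moving to Full Enforcement ahead of the October 10th date is safe.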

Other Notable Security Updates in April’s Patch Tuesday

Most of this month’s patches fall under the Windows Cumulative Updates umbrella and don’t require much effort to deploy, but administrators should pay close attention to the Raw Image Extension Remote Code Execution Vulnerability (CVE-2023-28291), rated Critical, which affects Windows 10 and 11 systems.

This app is installed from the Microsoft Store. When the administrator sets the desktop system to update Microsoft Store apps automatically, the fix is applied on its own. In disconnected environments, or where the Microsoft Store auto-update setting is not enabled, administrators must take additional steps to deploy the patch.

On an unpatched system, an attacker could log in and run a specially crafted application to take over the machine, or could exploit the vulnerability by luring a user into opening a specially crafted application delivered via email or instant message.

Administrators should also address four bugs related to SQL Server.

CVE-2023-23375: The Microsoft Open Database Connectivity (ODBC) and Object Linking and Embedding Database (OLE DB) Remote Code Execution Vulnerability affects the Microsoft ODBC Driver for SQL Server.

CVE-2023-28304: The Microsoft ODBC and OLE DB Remote Code Execution Vulnerability affects the Microsoft ODBC Driver for SQL Server.

CVE-2023-23384: The Microsoft SQL Server Remote Code Execution Vulnerability affects supported Microsoft SQL Server systems.

CVE-2023-28275: A remote code execution vulnerability in the Microsoft Windows Data Access Components (WDAC) OLE DB provider for SQL Server affects Windows desktop and server systems.

End of the Road for Multiple Microsoft Products

Several Microsoft products from the 2013 generation reached end of support on April 11th, most notably Exchange Server 2013. Microsoft no longer supports this software, including technical help, software fixes, or security updates.

Organizations still using Exchange 2013 can upgrade to supported Exchange 2016 or Exchange 2019. The latter is Microsoft’s recommendation for organizations that want (or need) to maintain an on-premises mail server platform.

Other discontinued products include Office 2013 apps, SharePoint Server 2013, SharePoint Foundation 2013, Lync Server 2013, and Project Server 2013.

Most Microsoft products continue to function after end of support, but businesses are at risk of attack without protection from monthly security updates.

In March, the Exchange team blogged about taking steps to prevent email from unsupported, unpatched Exchange servers from reaching email services hosted on Exchange Online. Microsoft laid out the drawback it is trying to address with this practice:

“While we don’t want to delay or block legitimate emails, having safeguards and standards in place for emails entering our cloud services will prevent malicious emails from entering Exchange Online. You want to reduce the risk, and you want to bring it to the customer’s attention that they are using unsupported or unpatched Exchange servers and encourage them to protect their on-premises environment,” the Exchange team wrote on their blog.

Microsoft uses a transport-based enforcement system to report these non-compliant Exchange Server systems to administrators. It first throttles the email and eventually blocks messages from the on-premises system. Microsoft started this practice with the legacy Exchange Server 2007 and plans to extend it to Exchange 2010 and Exchange 2013 systems going forward. If Microsoft detects email from supported but unpatched Exchange 2016 or Exchange 2019 systems, those messages fall under the same enforcement policies.

“Exchange was great years ago, but it is an outdated and very complex beast. There are very sophisticated attackers who know Exchange inside and out. They know how to find the next vulnerability. Anyone who chooses to stay with Exchange Server should reassess their risk-reward model.”

