It’s not uncommon for Microsoft to release a large number of security patches with its monthly “Patch Tuesday” update, but these are generally small and non-critical. This isn’t the case for the patch the company released on 14 February 2023.
Among the 77 security vulnerabilities fixed in the update are 3 actively exploited zero-day threats. These exploits let cybercriminals right into your personal space — the devices you use to Google questions you wouldn’t voice out loud, store private photos, and do your internet banking.
Instead of leaving you a loving Valentine’s note, though, cybercriminals are more likely to remotely take over your computer, steal your sensitive information, and spy on you. Along with these 3 zero-day exploits, Microsoft patched 6 other vulnerabilities it also classified as “critical.”
While your device should apply the patches automatically, it’s important to check, in case your settings prevent important updates from installing without your consent.
Microsoft Quickly Patches 3 Critical Zero-Day Vulnerabilities
Microsoft listed its 77 patches in the following categories:
- 38 Remote code execution vulnerabilities
- 12 Elevation of privilege vulnerabilities
- 10 Denial of service vulnerabilities
- 8 Spoofing vulnerabilities
- 8 Information disclosure vulnerabilities
- 2 Security feature bypass vulnerabilities
The three zero-day exploits, which are arguably the most concerning threats among these, fall into 3 different categories. According to Microsoft, cybercriminals are currently actively exploiting these vulnerabilities, making them major threats to anyone whose system hasn’t been updated yet, especially since they apparently don’t require much complicated work or high levels of access to pull off.
Microsoft hasn’t released any detailed information about these vulnerabilities yet, presumably to give Windows users enough time to install the security update. This means that, while we have an idea of what the vulnerabilities entail, we don’t know the specifics of how they’re being exploited.
Elevation of Privilege Zero-Day (CVE-2023-23376)
This threat impacts Windows 10 and 11 as well as most Windows server versions from 2008 onward. If a threat actor succeeds in exploiting this elevation of privilege (EOP) vulnerability, they’ll be able to boost normal user access privileges up to the system level. According to Microsoft, this is caused by a vulnerability in the Windows Common Log File System (CLFS) driver. It is also the third actively exploited zero-day flaw found in the CLFS component in the last year.
A Microsoft representative said the vulnerability is “relatively simple to exploit and utilizes local [attack] vectors.” It also requires low levels of access with zero user interaction, meaning your Windows device can be targeted without you doing anything or even noticing.
A local attack vector means the attacker has to be on the same network as you. This includes public Wi-Fi, work Wi-Fi, and even your home network if cybercriminals get access to it. Cybercriminals have also made exploit code for this attack publicly available online, making it an urgent problem.
If you use Windows, install the CyberGhost VPN app to secure your network connection with the strongest encryption protocol in existence today. This is especially important if you use public Wi-Fi, and our 256-bit AES encryption will protect you against other cyber attacks too.
Remote Code Execution Zero-Day (CVE-2023-21823)
Like the EOP vulnerability, this exploit also targets Windows 10 and 11 users, and most Windows server versions from 2008 onward. This remote code execution vulnerability lets a threat actor access your computer as if they were a regular authenticated user, without actually being logged in. According to Microsoft, attackers can use this exploit to gain system privileges, giving them full access to your device with you none the wiser.
Microsoft hasn’t gone into much detail about this exploit but has mentioned that the vulnerability lies in the Windows Graphics Component. It’s also apparently fairly easy to exploit and, like the EOP vulnerability, utilizes local vectors and requires low levels of access. All of these elements make it easy to get into Windows devices connected to a local network like the free Wi-Fi at the local coffee shop.
To make matters worse, Microsoft says this security patch may not download automatically for some people. Unlike the other patches, this one isn’t delivered via Windows Update but via the Microsoft Store. This means that, if you have automatic updates disabled in the Microsoft Store, the patch won’t install unless you do it manually.
If that’s not bad enough, Android users are also at risk with this vulnerability as it also affects the Android Microsoft OneNote app. For the exploit to work, you need to download compromised OneNote files. Attackers will usually send these as an email attachment, but may also use other methods to get you to download them. It’s vital you update your app as soon as possible and apply extra caution when downloading any OneNote files.
Microsoft Publisher Security Feature Bypass Zero-Day (CVE-2023-21715)
This attack requires that the attacker has authentication privileges on your Windows device. This means the attack will more likely be carried out via your local network connection but can be used by malicious parties over the web if they find another way to gain system privileges on your device. They’ll either convince you to download and open a malware file or do it themselves if they have access to your computer.
Once the cybercriminals are in, CVE-2023-21715 lets them exploit a vulnerability in Microsoft Publisher to abuse Microsoft Office macro policies. Normally, these policies would block untrusted files from gaining system privileges, but the exploit bypasses this obstacle. Based on Microsoft’s documentation, this only seems to affect Microsoft Publisher and not other Office applications like Microsoft Word.
Given this attack requires authentication privileges, it’s somewhat less concerning than the other two zero-day exploits mentioned above. Yet anyone working with Microsoft Publisher in an office environment or via public Wi-Fi is still at risk.
Stay Updated, Prevent Avoidable Damage
Given the severity of the threats this update addresses, it’s a major one, and you should check that your Windows devices and servers are up to date.
According to Richard Hollis, CEO of Risk Crew, “The critical patches addressing remote code execution alone are essential given the dramatic increase in work-from-home users, but the three addressing the zero-day CVEs are mission-critical in today’s threat landscape. Don’t leave work without getting these sorted.” This includes checking your Microsoft Store updates to see whether it has downloaded the patch for CVE-2023-21823, as this is an essential one.
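The checks described above (Windows Update not blocked by policy, Microsoft Store auto-updates enabled so the CVE-2023-21823 patch can arrive, and the February security updates actually installed) can be scripted. The following PowerShell is an added example written for this page, not code from CyberGhost or Microsoft. It is read-only and assumes an elevated prompt on Windows 10/11; the `KBNNNNNNN` value is a placeholder because the page does not state the KB number, and the registry policy values and `Microsoft.Office.OneNote` package name are standard Windows locations assumed by the example.

```powershell
# Added example (not CyberGhost's code): read-only Patch Tuesday compliance check.
# Run from an elevated PowerShell prompt on the Windows host you want to verify.

$PatchTuesday = Get-Date -Year 2023 -Month 2 -Day 14
$RequiredKb   = 'KBNNNNNNN'   # placeholder: take the real KB id from Microsoft's advisory

function Get-WindowsUpdatePolicy {
    # Group Policy values that can stop Windows Update from installing automatically.
    $au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $p  = Get-ItemProperty -Path $au -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoAutoUpdate = [int]($p.NoAutoUpdate)   # 1 = automatic updates disabled by policy
        AUOptions    = [int]($p.AUOptions)      # 2/3 = notify only, 4 = download and install
    }
}

function Get-StoreAutoUpdatePolicy {
    # "Turn off Automatic Download and Install of updates" policy for the Microsoft Store:
    # AutoDownload = 2 disables auto-updates, 4 enables them, absent = user setting applies.
    $store = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
    $p = Get-ItemProperty -Path $store -ErrorAction SilentlyContinue
    if ($null -eq $p -or $null -eq $p.AutoDownload) { return 'NotConfigured' }
    switch ([int]$p.AutoDownload) {
        2       { 'Disabled' }
        4       { 'Enabled' }
        default { "Unknown($($p.AutoDownload))" }
    }
}

function Get-SecurityUpdatesSince([datetime]$Since) {
    # Security updates recorded in the OS hotfix inventory on or after the given date.
    Get-HotFix |
        Where-Object { $_.Description -eq 'Security Update' -and $_.InstalledOn -ge $Since } |
        Select-Object HotFixID, InstalledOn |
        Sort-Object InstalledOn -Descending
}

function Test-KbInstalled([string]$KbId) {
    # $true when the given KB appears in the installed hotfix list.
    [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

function Get-PendingUpdates {
    # Ask the Windows Update Agent (COM) which applicable updates are not yet installed.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title = $u.Title
            KB    = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        }
    }
}

# --- Report ---
$wu = Get-WindowsUpdatePolicy
if ($wu.NoAutoUpdate -eq 1) {
    Write-Warning 'Windows Update automatic installation is disabled by policy.'
}

$storePolicy = Get-StoreAutoUpdatePolicy
Write-Host "Microsoft Store auto-update policy: $storePolicy"
if ($storePolicy -eq 'Disabled') {
    Write-Warning 'Store auto-updates are off; Store-delivered patches need a manual check.'
}

Write-Host "Security updates installed since $($PatchTuesday.ToShortDateString()):"
Get-SecurityUpdatesSince $PatchTuesday | Format-Table -AutoSize

if ($RequiredKb -ne 'KBNNNNNNN') {
    Write-Host ('{0} installed: {1}' -f $RequiredKb, (Test-KbInstalled $RequiredKb))
}

Write-Host 'Updates still pending from Windows Update:'
Get-PendingUpdates | Format-Table -AutoSize

# Store-delivered OneNote app version, to compare against the version in Microsoft's advisory.
Get-AppxPackage -Name Microsoft.Office.OneNote -ErrorAction SilentlyContinue |
    Select-Object Name, Version
```

The script changes nothing on the host; it only surfaces the two policy settings that silently block patches and lists what has and has not been installed, so the result can be compared against Microsoft's advisory for the three CVEs.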
This is also as good a time as any to reevaluate your digital security and check whether your protections are still in place and still adequate. Start by going through a checklist to see if your cyber hygiene is good, then assess whether you can add further security measures, such as a VPN, to reinforce the protection on your devices. Use CyberGhost VPN to add unbreakable 256-bit AES encryption to your connection and keep it secure at all times.