
Microsoft released security updates on Tuesday to address 75 flaws across its product portfolio.
This update is in addition to the 22 flaws the Windows maker has patched in its Chromium-based Edge browser over the past month.
Of the 75 vulnerabilities, 9 are rated critical and 66 are rated important. 37 of the 75 bugs are classified as Remote Code Execution (RCE) flaws. The three exploited zero-days are:
- CVE-2023-21715 (CVSS Score: 7.3) – Microsoft Office Security Feature Bypass Vulnerability
- CVE-2023-21823 (CVSS Score: 7.8) – Windows Graphics Component Elevation of Privilege Vulnerability
- CVE-2023-23376 (CVSS Score: 7.8) – Elevation of Privilege Vulnerability in Windows Common Log File System (CLFS) Driver
Microsoft states in its advisory for CVE-2023-21715 that “the attack itself is performed locally by a user with authentication to the target system.”
“An authenticated attacker could use social engineering to persuade a victim to download and open a specially crafted file from a website to cause a local attack on the victim’s computer. This vulnerability can be exploited.”
Successful exploitation of the above vulnerabilities could allow an adversary to bypass Office macro policies used to block untrusted or malicious files or gain SYSTEM privileges.
CVE-2023-23376 is also the third actively exploited zero-day vulnerability in the CLFS component, following CVE-2022-24521 and CVE-2022-37969 (CVSS score: 7.8), which Microsoft addressed in April and September 2022.
Nikolas Cemerikic of Immersive Labs said:
“This is an integral component of the Windows operating system and any vulnerabilities in this driver could severely impact the security and reliability of your system.”
Microsoft OneNote for Android is vulnerable to CVE-2023-21823, and note-taking services are increasingly emerging as malware distribution vectors, so it’s important that users apply the fix.
Microsoft has also addressed multiple RCE flaws in Exchange Server, ODBC drivers, PostScript printer drivers, and SQL Server, as well as denial-of-service (DoS) issues affecting the Windows iSCSI service and Windows Secure Channel.
Three of the Exchange Server vulnerabilities are classified by the company as “highly exploitable”, but successful exploitation requires an attacker to be already authenticated.
Exchange servers have proven to be high-value targets in recent years, as they can allow unauthorized access to sensitive information and facilitate Business Email Compromise (BEC) attacks.
Software patches from other vendors
Besides Microsoft, other vendors have released security updates over the past few weeks to fix several vulnerabilities.