Three zero-days require urgent attention for Windows, Exchange

27 February 2023


This month's Patch Tuesday update addresses 76 vulnerabilities affecting Windows, Exchange, Office, and Microsoft development tools — including three zero-day flaws already in the wild.

Microsoft's February Patch Tuesday update deals with 76 vulnerabilities that affect Windows, Exchange, Office, and Microsoft development tools — and three Windows vulnerabilities (CVE-2023-21823, CVE-2023-21715 and CVE-2023-23376) have been reported as exploited in the wild and require immediate attention.

Though they get a lower rating from Microsoft, the Exchange issues also warrant a rapid response. Meanwhile, the Microsoft Office and development platform updates can be added to your regular release schedule.

Known issues

Microsoft includes a list of known issues that relate to the operating system and platforms in the latest updates:

  • XPS documents that use structural or semantic elements such as table structure, storyboards, or hyperlinks may not display correctly in WPF-based readers. To address this issue, Microsoft provides a PowerShell script; run it with the command .\kb5022083-compat.ps1 -Install. The script adds the following registry value (shown in reg add syntax): "HKLM\SOFTWARE\Microsoft\.NETFramework\Windows Presentation Foundation\XPSAllowedTypes" /v "DisableDec2022Patch" /t REG_SZ /d "*" /reg:64
  • Copying large multiple-gigabyte files might take longer than expected to finish in Windows 11 version 22H2. You are more likely to experience this issue copying files from a network share via Server Message Block (SMB), but local file copy might also be affected.

If you are still using Microsoft's Windows Server 2012 for domain authentication, you may experience the following known issue: domain join operations might be unsuccessful and error "0xaac (2732): NERR_AccountReuseBlockedByPolicy" occurs. Additionally, text saying, "An account with the same name exists in Active Directory. Re-using the account was blocked by security policy" might be displayed. Microsoft has provided additional guidance (KB5020276) on managing this issue as part of the ESU program.

Major revisions

Microsoft published three major revisions this month:

  • CVE-2023-21705 and CVE-2023-21713: Microsoft SQL Server Remote Code Execution Vulnerability. These revisions extend support for legacy (ESU) SQL products. No further action required.
  • CVE-2023-21721: Microsoft OneNote Elevation of Privilege Vulnerability. This is a minor informational change — no action necessary.

Mitigations and workarounds

Microsoft has published the following vulnerability-related mitigations for this release:

  • CVE-2023-21804: Windows Graphics Component Elevation of Privilege Vulnerability. Only Windows computers that have the XPS document writer feature installed are vulnerable. In Windows 10, the XPS Document Writer is installed by default; in Windows 11, it is not.
  • CVE-2023-21803: Windows iSCSI Discovery Service Remote Code Execution Vulnerability. By default, the iSCSI Initiator client application is disabled and cannot be exploited. For a system to be vulnerable, the iSCSI Initiator client application would need to be enabled.
  • CVE-2023-21713, CVE-2023-21705: Microsoft SQL Server Remote Code Execution Vulnerability. This is only exploitable if the optional feature in question is enabled and running on a SQL instance. (The feature is not available in Azure SQL instances.)
  • CVE-2023-21692, CVE-2023-21690 and CVE-2023-21689: Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution. PEAP is only negotiated with the client if NPS is running on the Windows Server and has a network policy configured that allows PEAP. Microsoft's documentation covers how to configure PEAP.
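The mitigations above all hinge on whether an optional component is present or enabled, so a quick inventory tells you which hosts actually need the "Patch Now" treatment. The following PowerShell is an added example, not from the original column or from Microsoft: it assumes the XPS writer shows up as a printer named "Microsoft XPS Document Writer", that the iSCSI Initiator runs as the MSiSCSI service, that NPS runs as the IAS service, and that an NPS export (Export-NpsConfiguration) stores each policy's allowed EAP methods in msNPAllowedEapType elements whose hex value starts with the EAP type byte (0x19 = 25 = PEAP).

```powershell
# Added example (not from the original column): per-host exposure check for
# CVE-2023-21804 (XPS writer), CVE-2023-21803 (iSCSI Initiator) and the PEAP
# RCEs (CVE-2023-21689/21690/21692). Run in an elevated session on the host.
function Test-Feb2023Exposure {
    [CmdletBinding()]
    param([string]$NpsExportPath = (Join-Path $env:TEMP 'nps-export.xml'))

    # CVE-2023-21804: only hosts with the XPS Document Writer installed are affected.
    # Assumption: it is visible as a printer with this exact name.
    $xpsWriter = Get-Printer -ErrorAction SilentlyContinue |
        Where-Object Name -eq 'Microsoft XPS Document Writer'

    # CVE-2023-21803: the iSCSI Initiator client is disabled by default. Treat a
    # service that is running, or merely not disabled, as "enabled".
    $iscsi = Get-Service -Name MSiSCSI -ErrorAction SilentlyContinue
    $iscsiEnabled = $iscsi -and ($iscsi.Status -eq 'Running' -or $iscsi.StartType -ne 'Disabled')

    # PEAP RCEs: only reachable when NPS (service name IAS) is running AND at least
    # one network policy allows PEAP. Export the config and count such policies.
    $nps = Get-Service -Name IAS -ErrorAction SilentlyContinue
    $peapPolicyCount = 0
    if ($nps -and $nps.Status -eq 'Running' -and
        (Get-Command Export-NpsConfiguration -ErrorAction SilentlyContinue)) {
        Export-NpsConfiguration -Path $NpsExportPath
        [xml]$cfg = Get-Content -Path $NpsExportPath -Raw
        Remove-Item -Path $NpsExportPath -Force
        foreach ($node in $cfg.SelectNodes('//msNPAllowedEapType')) {
            # Assumption: first byte of the hex blob is the EAP method type; 0x19 is PEAP.
            if ($node.InnerText -match '^19') { $peapPolicyCount++ }
        }
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        XpsWriterPresent      = [bool]$xpsWriter
        IscsiInitiatorEnabled = [bool]$iscsiEnabled
        NpsRunning            = [bool]($nps -and $nps.Status -eq 'Running')
        PeapPolicyCount       = $peapPolicyCount
    }
}

Test-Feb2023Exposure | Format-List
```

A host that reports all three as false or zero still needs the cumulative update, but it can sit in the standard schedule rather than the expedited one.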

Testing guidance

Each month, the team at Readiness analyses the latest Patch Tuesday updates and provides detailed, actionable testing guidance. This is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on Windows and application installations.

Given the large number of changes included this month, I have broken down the testing scenarios into high-risk and standard-risk groups:

High Risk

All of the high-risk changes again affect the Windows printing subsystem this month, though we have not seen any published functionality changes. We strongly recommend the following printing-focused testing:

  • The Microsoft "MS Publisher Imagesetter" has been updated significantly. These are built-in drivers that are now over a decade old. There have been reports of bad printing quality from using these drivers, so an update was definitely needed.
  • Test printing using V3 printer drivers with both color and black/white. Check for missing content.
  • There's been an update to how Windows handles URLs, especially when printing. A quick run-through of opening web pages that reference Microsoft Word, PowerPoint, and Excel and then exercising a simple print job should highlight any issues.

All these scenarios will require significant application-level testing before a general deployment of the update. In addition, we suggest a general test of the following printing features:

  • 32-bit applications that require printing on 64-bit devices require testing. Pay attention to application exit as this may generate memory related errors.
  • Test your backup systems and ensure that your error and related system logs appear correct.
  • Test your VPN connections if you are using the PEAP protocol. This protocol changes frequently, so we recommend that you subscribe to the Microsoft RSS feed for future changes.
  • Test your ODBC connections, database, and SQL commands.

Though you won't have to conduct large file transfer testing this month, we highly recommend testing (very) long UNC paths from different machines. Our focus was on network paths accessing multiple machines across different versions of Windows. In addition to these scenarios, Microsoft updated the system kernel and core graphics components (GDI). Definitely "smoke test" your core or line-of-business apps and pay attention to graphics-intensive applications.

Given the rapid changes and frequent updates to applications (and their dependencies) in a modern application portfolio, ensure that your systems are "cleanly" uninstalling previous application versions. Leaving legacy applications or remnant components in place could leave your system exposed to vulnerabilities that the update has otherwise patched.

Windows lifecycle update

This section contains important changes to servicing (and most security updates) to Windows desktop and server platforms. With Windows 10 21H2 now out of mainstream support, the following Microsoft applications will reach end of mainstream support or servicing in 2023:

  • Visio Services in SharePoint (in Microsoft 365) — Feb. 10, 2023 (retired);
  • Microsoft Endpoint Configuration Manager, Version 2107 — Feb 2, 2023 (end of service).

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

  • Browsers (Microsoft IE and Edge).
  • Microsoft Windows (both desktop and server).
  • Microsoft Office.
  • Microsoft Exchange Server.
  • Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core).
  • Adobe (retired???, maybe next year).

Browsers

Microsoft released three updates to its (Chromium) Edge browser: CVE-2023-21794, CVE-2023-23374 and CVE-2023-21720. Microsoft's release notes for these fixes and the Google Desktop channel release notes carry the details. There were no other updates to Microsoft browsers (or rendering engines) this month. Add these updates to your standard patch release schedule.

Windows

Microsoft released four critical updates and 32 "important" patches to the Windows platform that cover the following key components:

  • Microsoft PostScript Printer Driver (with updates to FAX and SCAN);
  • Windows ODBC, OLE, WDAC Driver;
  • Windows Common Log File System Driver;
  • and Windows Cryptographic Services and Kerberos.

While the Microsoft PEAP authentication remote code vulnerabilities (CVE-2023-21689 and CVE-2023-21690) are the most worrisome, the remaining updates that solely affect Windows are not as dangerous as we've seen in the past. Unfortunately, three Windows vulnerabilities (CVE-2023-21823, CVE-2023-21715 and CVE-2023-23376) have been reported as exploited in the wild. As a consequence, add this update to your "Patch Now" release schedule.

Microsoft Office

Microsoft released a patch addressing a critical vulnerability (CVE-2023-21706) in Microsoft Word that could lead to remote code execution. There are five other updates for the Office platform (including SharePoint), all rated important. We have not had any reports of exploits in the wild for the critical Word issue, so we recommend that you add these Office updates to your standard-release schedule.

Microsoft Exchange Server

We are going to have to break some rules this month. Microsoft has released four patches to Microsoft Exchange Server (CVE-2023-21706, CVE-2023-21707, CVE-2023-21529, CVE-2023-21710), all of which are rated important. Unfortunately, CVE-2023-21529 could lead to remote code execution and really could be classed as a critical vulnerability.

This vulnerability does not require user interaction, is reachable from remote systems, and does not require privileges on the target system. All supported versions of Exchange are vulnerable. We are seeing reports of Exchange crypto-mining attacks already. We are going to add CVE-2023-21529 to our "Patch Now" schedule.

Microsoft development platforms

Microsoft released three critical updates affecting Visual Studio and .NET (CVE-2023-21808, CVE-2023-21815 and CVE-2023-23381) that could lead to arbitrary code execution. On initial examination, it appeared that these were remotely accessible, which would significantly raise the risk, but these developer-related vulnerabilities all require local access. Coupled with five other elevation-of-privilege vulnerabilities also affecting Microsoft Visual Studio (all rated important), we don't see an urgent patch requirement. Add these updates to your standard developer release schedule.

Adobe Reader (still here, but just not this month)

No updates from Adobe for Reader or Acrobat this month. That said, Adobe has released a number of security updates for its other products with APSB23-02. I think that we have enough printing and some Microsoft XPS issues to test and deploy to keep us busy.
