Microsoft and Adobe have released several monthly security fixes and updates for their products. Let’s take a look at the highlights of this month’s Patch Tuesday as we review and discuss the security updates.

Microsoft Patches for February 2023

Microsoft has patched 79 vulnerabilities this month, including 3 Microsoft Edge related vulnerabilities that were fixed earlier this month. Overall, the updates include fixes for vulnerabilities in Windows OS and its components, such as Microsoft Protected Extensible Authentication Protocol (PEAP) and Windows iSCSI Discovery Service; Microsoft Office and Office Components; Microsoft Dynamics; Microsoft Exchange Server; Microsoft SQL Server; .NET core; .NET framework; 3D Builder and Print 3D. Azure family products such as Azure DevOps, Azure Machine Learning, Azure App Service on Azure Stack Hub, Azure Data Box Gateway, and Azure Stack Edge have also received security fixes this month.

Out of the 79 vulnerabilities fixed this month, 9 are rated as critical, and 67 are rated as important. Additionally, Microsoft has confirmed that 3 vulnerabilities are known to be exploited in the wild. Also noteworthy is that even though Microsoft had mentioned last month that it would no longer provide Extended Support for Windows 7, Windows 2008 SP 2, and Windows 2008 R2, Microsoft has still released a fix to address a vulnerability in Windows 2008 SP 2 and Windows 2008 R2.

Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing.

The February 2023 Microsoft vulnerabilities are classified as follows:  

Adobe Patches for February 2023

Adobe has released a total of 9 advisories for the month of February. The advisories cover a total of 34 vulnerabilities, out of which 19 are rated critical that affect Adobe After Effects (3), Adobe FrameMaker (3), Adobe Bridge (5), Adobe Photoshop (3), Adobe Premier Rush (2), and Adobe Animate (3). All the vulnerabilities rated critical allow Arbitrary Code Execution. The advisories have a priority rating of 3 from Adobe, meaning none of the vulnerabilities addressed are known to be currently exploited, and Abode anticipates that they won’t be exploited in the future.

Notable and Critical Microsoft Vulnerabilities Patched 

CVE-2023-21692, CVE-2023-21690, CVE-2023-21689 – Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability

Microsoft PEAP is a secure implementation of Extensible Authentication Protocol (EAP) that provides encryption and authenticated Transport Layer Security (TLS) tunnel. CVE-2023-21692 and CVE-2023-21690 can be exploited by sending specially crafted malicious packets, whereas CVE-2023-21689 can be used to target server accounts through network calls to execute code remotely. All 3 vulnerabilities do not require special privileges or user interaction.

CVE-2023-21803 – Windows iSCSI Discovery Service Remote Code Execution Vulnerability

Windows iSCSI Discovery Service is a Windows Service that allows non-SMB Clients to access storage on a Windows host. The vulnerability affects only 32 bits versions of Windows. The vulnerability can be exploited by sending a maliciously crafted DHCP discovery request to a Windows Host running iSCSI Discovery Service. On successful exploitation, it will allow an attacker to execute code remotely. The vulnerability can only be exploited if the iSCSI Initiator client application is running. iSCSI Initiator client application is not enabled by default.

CVE-2023-21716 – Microsoft Word Remote Code Execution Vulnerability

CVE-2023-21716 affects both Microsoft SharePoint and Microsoft Office Applications. The vulnerability can be used in a Preview Pane attack. An attacker can send a malicious RTF payload (e.g., via email) that allows the attacker to execute commands without minimal or no user interaction. Microsoft has also provided a workaround for this vulnerability. Administrators need to enforce a Microsoft Office File Block policy to prevent opening RTF documents from unknown or untrusted sources. More details about the policy can be found at MS08-026: How to prevent Word from loading RTF files. If attackers can develop exploits for this vulnerability, it may become a popular choice for them in future Phishing campaigns.  

CVE-2023-21718 – Microsoft SQL ODBC Driver Remote Code Execution Vulnerability

The vulnerability affects the Microsoft Open Database Connectivity (ODBC) interface, which allows applications to access data from various types of database management systems (DBMSs). The vulnerability can be exploited by an attacker tricking an unauthenticated user into connecting to an attacker controlled rogue SQL Database. The attacker can then return malicious data to a client (user) and cause arbitrary code execution on it.  

CVE-2023-21808, CVE-2023-21815, CVE-2023-23381 – .NET / Visual Studio Remote Code Execution Vulnerability

Microsoft has not detailed much information about these vulnerabilities. However, based on the limited information available, CVE-2023-21808, CVE-2023-21815, and CVE-2023-23381 seem similar in nature and require an attacker to trick the victim to trigger this vulnerability to execute code in the context of the application.

Other Microsoft Vulnerability Highlights 

Microsoft has patched a total 3 zero-day vulnerabilities that are confirmed to be exploited:

• CVE-2023-21823 is a vulnerability that affects Windows Graphic component used in various products such as Windows OS, Office desktop, and Mobile Apps. The vulnerability helps the attacker gain and execute code with SYSTEM privileges.
• CVE-2023-21715, a Security Features Bypass Vulnerability in Microsoft Publisher that lets attackers bypass Office macro policies used to block untrusted or malicious files. Microsoft has additionally mentioned that the vulnerability can be triggered using social engineering attacks to trick the victim into downloading a specially crafted file from a website.
• CVE-2023-23376, an Elevation of Privilege vulnerability, is the Windows Common Log File System Driver that allows attackers to gain SYSTEM privileges. No other information has been made public by Microsoft.

Microsoft has also disclosed a vulnerability that affects the end-of-life application Print 3D. Microsoft has affirmed that it will not release a patch to fix the vulnerability and that customers should update to the 3D Builder app.

Microsoft Dynamic has got fixes for 6 Cross-site Scripting Vulnerabilities. Microsoft has fixed 4 remote code execution bugs in Exchange Server. Azure DevOps has received patches for a Cross-site Scripting and Remote Code Execution vulnerability. Lastly, a spoofing vulnerability in Power BI Report Server has been addressed.

This month, nearly half of the CVEs disclosed by Microsoft are Remote Code Execution Vulnerabilities. We continue to see double-digit numbers in terms of fixes in the Elevation of Privilege and Denial of Server vulnerabilities.

Microsoft Release Summary

This month’s release notes cover multiple Microsoft product families and products/versions that are affected, including, but not limited to, .NET and Visual Studio, .NET Framework, 3D Builder, Azure App Service, Azure Data Box Gateway, Azure DevOps, Azure Machine Learning, HoloLens, Internet Storage Name Service, Microsoft Defender for Endpoint, Microsoft Defender for IoT, Microsoft Dynamics, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Microsoft Graphics Component, Microsoft Office, Microsoft Office OneNote, Microsoft Office Publisher, Microsoft Office SharePoint, Microsoft Office Word, Microsoft PostScript Printer Driver, Microsoft WDAC OLE DB provider for SQL, Microsoft Windows Codecs Library, Power BI, SQL Server, Visual Studio, Windows Active Directory, Windows ALPC, Windows Common Log File System Driver, Windows Cryptographic Services, Windows Distributed File System (DFS), Windows Fax and Scan Service, Windows HTTP.sys, Windows Installer, Windows iSCSI, Windows Kerberos, Windows MSHTML Platform, Windows ODBC Driver, Windows Protected EAP (PEAP), Windows SChannel, Windows Win32K.

Downloads include Cumulative Updates, Monthly Rollups, Security Only, and Security Updates. 

EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)

Qualys Policy Compliance Control Library makes it easy to evaluate your technology infrastructure when the current situation requires implementation validation of a vendor-suggested mitigation or workaround.

Qualys Policy Control Controls for this Patch Tuesday will be added shortly under this section after they are released.

Qualys Monthly Webinar Series 

The Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys Vulnerability Management Detection Response (VMDR) and Qualys Patch Management. Combining these two solutions can reduce the median time to remediate critical vulnerabilities. 

During the webcast, we will discuss this month’s high-impact vulnerabilities, including those that are part of this month’s Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management. 

Join the webinar

This Month in Vulnerabilities & Patches