The second Patch Tuesday update bundle from Microsoft for February 2023 arrived with major vulnerability fixes. Specifically, it addressed 75 different security vulnerabilities, including three zero-day flaws. Users must rush to update their systems to avoid any malicious exploitation.
Microsoft February Patch Tuesday Updates Released
Zero-Day Flaws Fixed
The February Patch Tuesday from Microsoft addresses three zero-day vulnerabilities affecting different products. While all the vulnerabilities received important severity status, the active exploitation of the flaws makes them serious. Notably, all three vulnerabilities escaped any public disclosure, which suggests that the flaws directly caught the attention of criminal hackers.
Specifically, these vulnerabilities include,
- CVE-2023-21823 (CVSS 7.8): a privilege escalation vulnerability in the Windows Graphics Component could allow an attacker to gain SYSTEM privileges
- CVE-2023-21715 (CVSS 7.3): a security feature bypass flaw in Microsoft Office could let an authenticated attacker target a system by tricking the victim into opening a maliciously crafted file.
- CVE-2023-23376 (CVSS 7.8): a privilege escalation in Windows Common Log File System Driver could allow SYSTEM privileges to an adversary.
Other Significant Bug Fixes
Alongside the three zero-day flaws, Microsoft has also fixed numerous other vulnerabilities across different products.
Specifically, these include nine critical-severity vulnerabilities in .NET and Visual Studio, Microsoft Protected Extensible Authentication Protocol (PEAP), Microsoft SQL ODBC Driver, Microsoft Word, and Visual Studio Code. Exploiting all these vulnerabilities could lead to remote code execution attacks. Thankfully, none of these flaws went under attack or caught attention before receiving the relevant patches.
Besides, the update bundle addresses 63 important severity vulnerabilities affecting Microsoft Defender, Azure DevOps Server, Microsoft Exchange Server, Microsoft SharePoint Server, Microsoft PostScript Printer Driver, Microsoft SQL Server, Power BI Report Server, Visual Studio, Windows Graphics Component, Windows Internet Storage Name Service (iSNS) Server, Windows MSHTML Platform, Windows Installer, and other components.
Exploiting these vulnerabilities could result in varying impacts, from remote code execution to privilege escalation, denial of service, and information disclosure.
While the February Patch Tuesday is huge, with 75 bug fixes, it did not include any patches for low-severity flaws. Given the severity of the issues, Microsoft users must update their respective systems with the latest software updates to receive all patches.
Let us know your thoughts in the comments.