Microsoft has issued fixes for three actively exploited zero-day vulnerabilities in its latest Patch Tuesday update, equalling the number fixed in January and December combined.
Patches have been issued for a total of 77 flaws in the latest batch of updates, nine of which were classified as ‘critical’ due to their potential to allow remote code execution.
Described as an “unusually significant” round by security experts, the raft of updates includes fixes for bugs affecting Microsoft Windows, .NET Framework, Microsoft Office, SQL Server, Exchange Server, HoloLens, and several Azure services.
“This is an unusually significant round, yet this release is crucial and overdue,” said Richard Hollis, CEO at Risk Crew.
“The ‘critical’ patches addressing remote code execution alone are essential given the dramatic increase in work-from-home users. But the three addressing the zero-day CVEs are mission-critical in today’s threat landscape,” he added.
SQL Server updates
A total of six CVEs affecting the Microsoft SQL server were resolved in the latest round of updates. This marked the largest number of fixes for the SQL server in several years, security experts noted.
One of these, CVE-2023-21718, was rated critical. Microsoft said an attacker could exploit this vulnerability by “tricking an unauthenticated user into attempting to connect to a malicious SQL server databased via ODBC”.
“This could result in the database returning malicious data that might cause arbitrary code execution on the client,” the advisory warned.
Actively exploited vulnerabilities
Microsoft said it resolved a remote code execution vulnerability found in Windows Graphics Component. Tracked as CVE-2023-21823, this flaw has been actively exploited in the wild and affects Windows 10, Windows Server 2008, and later Windows editions.
The tech giant warned this vulnerability also affects Microsoft Office for iOS, Android, and 'Universal'.
If exploited, this vulnerability could allow an attacker to gain system privileges and execute commands, Microsoft said.
Security experts noted that the update for this vulnerability will be circulated via the Microsoft Store instead of via the usual process in Windows Update catalogue.
As such, customers with automatic updates disabled on the Microsoft Store will have to act fast to patch.
The Windows Common Log File System Driver was also found to contain an actively exploited vulnerability, Microsoft confirmed in its advisory.
This escalation of privilege flaw was rated as ‘important’ and affects Windows 10, Server 2008, and later Windows editions. The flaw also enabled attackers to gain system privileges.
RELATED RESOURCE
The Forrester Wave™: Third party risk management platforms
The 12 providers that matter the most and how they stack up
Chris Goettl, VP of security products at Ivanti, said an escalation of privilege vulnerability such as this could be “used in combination with other vulnerabilities in an attack chain” and advised businesses to patch immediately.
Meanwhile, a particularly concerning security feature bypass in Microsoft Publisher, tracked as CVE-2023-21715, has also been patched in this latest round of updates, the company confirmed.
Rated as ‘important’, this flaw affects Microsoft 365 apps for Enterprise and has been actively exploited in the wild, allowing an attacker to bypass Office macros policies used to block untrusted or malicious files.
“The attack itself is carried out locally by a user with authentication to the targeted system,” Microsoft said in its advisory.
“An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer.”
-
Third time lucky? Microsoft finally begins roll-out of controversial Recall featureNews The Windows Recall feature has been plagued by setbacks and backlash from security professionals
-
The UK government wants quantum technology out of the lab and in the hands of enterprisesNews The UK government has unveiled plans to invest £121 million in quantum computing projects in an effort to drive real-world applications and adoption rates.
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
