The February 2023 Security Update Overview

Welcome to the second patch Tuesday of 2023. On this romantic holiday, Microsoft and Adobe have released their latest security patches as Valentine’s gifts for us all. Take a break from your regularly scheduled activities (or Pwn2Own Miami) and join us as we review the details of their latest security offerings.

Adobe Patches for February 2023

For February, Adobe released nine patches addressing 28 CVEs in Adobe Photoshop, Substance 3D Stager, Animate, InDesign, Bridge, FrameMaker, Connect, and After Effects. A total of 21 of these were reported by ZDI vulnerability researcher Mat Powell. Probably the most interesting fix is for PhotoShop. This patch fixes five bugs, three of which are rated Critical. An attacker could get arbitrary code execution if they can convince a user on an affected system to open a malicious file. This is the same scenario for Premier Rush, which corrects two Critical-rated code execution bugs. The Animate patch also fixes three similar code execution bugs. The fix for Adobe Bridge fixes five Critical-rated code execution bugs plus two memory leaks. After Effects also has a memory leak to go along with three code execution bugs. The patch for FrameMaker also contains a mix of code execution and memory leak fixes.

The patch for Adobe Connect fixes a security feature bypass bug, although Adobe doesn’t provide any further info on what’s being bypassed. The fix for InDesign corrects a denial of service caused by a NULL pointer deref. Finally, the fix for Adobe Substance 3D Stager doesn’t actually address any new CVEs. However, Adobe is updating third-party libraries used by the 3D modeling tool.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for February 2023

This month, Microsoft released 75 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Exchange Server; .NET Core and Visual Studio Code; 3D Builder and Print 3D; Microsoft Azure and Dynamics 365; Defender for IoT and the Malware Protection Engine; and Microsoft Edge (Chromium-based). This is in addition to Edge CVEs previously released this month plus some third-party fixes that are now being shipped for Microsoft products. A total of eight of these CVEs were submitted through the ZDI program.

Of the patches released today, nine are rated Critical and 66 are rated Important in severity. This volume is relatively typical for a February release. However, it is unusual to see half of the release address remote code execution (RCE) bugs.

None of the new CVEs released this month are listed as publicly known, but there are three bugs listed as being exploited in the wild at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bugs under active attack:

-       CVE-2023-21715 – Microsoft Office Security Feature Bypass Vulnerability
Microsoft lists this as under active exploit, but they offer no info on how widespread these exploits may be. Based on the write-up, it sounds more like a privilege escalation than a security feature bypass, but regardless, active attacks in a common enterprise application shouldn’t be ignored. It’s always alarming when a security feature is not just bypassed but exploited. Let’s hope the fix comprehensively addresses the problem.

-       CVE-2023-23376 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
This is the other bug under active attack in February, and sadly, there’s just a little solid information about this privilege escalation. Microsoft does note that the vulnerability would allow an attacker to exploit code as SYSTEM, which would allow them to completely take over a target. This is likely being chained with an RCE bug to spread malware or ransomware. Considering this was discovered by Microsoft’s Threat Intelligence Center (aka MSTIC), it could mean it was used by advanced threat actors. Either way, make sure you test and roll these fixes quickly.

 -       CVE-2023-21716 – Microsoft Word Remote Code Execution Vulnerability
Normally, Word bugs don’t attract too much attention – unless the Outlook Preview Pane is an attack vector, which is the case here. This CVSS 9.8 bug could be used by an attacker to get code execution at the level of the logged-on user without user interaction. When paired with a privilege escalation bug like the one mentioned above, an attacker could completely compromise a target. If you’re logged on as an admin, escalation isn’t needed, which is another reason why you shouldn’t be logged in as an admin for non-admin tasks.

-       CVE-2023-21529 – Microsoft Exchange Server Remote Code Execution Vulnerability
There are multiple Exchange RCE bugs getting fixes this month, but this one reported by ZDI’s Piotr Bazydło stands out as it results from an incomplete fix in Exchange from last fall. While this vulnerability does require authentication, it allows any user with access to the Exchange PowerShell backend to take over an Exchange server. I know applying Exchange patches isn’t fun and usually requires weekend downtime, but these updates should still be considered a priority.

Here’s the full list of CVEs released by Microsoft for February 2023:

* Indicates this CVE had previously been assigned by a 3rd-party and is now being incorporated into Microsoft products.

Taking a look at the remaining Critical-rated patches, there are three CVSS 9.8 bugs in Microsoft’s Protected Extensible Authentication Protocol (PEAP), but it doesn’t appear this protocol is used much anymore. Of more concern is the CVSS 9.8 bug in the iSCSI Discovery Service. Datacenters with storage area networks (SANs) should definitely check with their vendors to see if their SAN is impacted by the RCE vulnerability. The bug in SQL would require someone to connect to a malicious SQL server via ODBC. That seems somewhat unlikely. However, you will need to review the bulletin closely to ensure you get the right fixes for your release of SQL Server. Finally, there are three fixes for Critical-rated .NET and Visual Studio bugs. These appear to be open-and-own bugs, but Microsoft provides no further details about these vulnerabilities.

Moving on to the other code execution bugs, the aforementioned Exchange fixes stand out the most. And while there are no Print Spooler bugs getting fixed this month, there are two bugs in the PostScript Printer Driver that could allow an authenticated attacker to take over a system sharing a printer. There are quite a few fixes for SQL Server. Exploiting these would require an affected system to connect to a malicious SQL Server – typically through ODBC. While that seems unlikely, I’m more concerned about the various servicing scenarios between all the available versions of SQL Server. There are two bugs in 3D Builder and one bug in Print 3D that were discovered by ZDI’s Mat Powell. These require fixes from the Microsoft Store, so follow the guidance here if these apps don’t automatically update. The bug in the MSHTML Platform came through the ZDI program. This specific flaw exists within the processing of certain image file types that can contain script tags. Under limited circumstances, crafted data in an image can lead to the execution of untrusted script. The bug in Windows Media was reported by ZDI’s Hossein Lotfi. In this case, the vulnerability resides within the handling of color conversion. It results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory.

The bug in Azure Data Box Gateway requires high privileges to exploit, but that’s not the case for Azure DevOps Server vulnerability. An attacker only needs to have only Run access to the pipeline. However, not every pipeline is vulnerable. Unfortunately, Microsoft doesn’t provide information on how to distinguish the affected and non-affected pipelines. The bug in Dynamics is interesting, too. While it does require authentication, an attacker might be able to call the target’s local files in the Resources directory and execute Windows commands that are outside of the Dynamics application. There are a couple of other mundane RCE bugs, but they do allow us to remind you the Fax Service is still a thing. The final RCE bug is the lone Moderate-rated bug this month for Edge (Chromium-based).

There’s a small amount of Elevation of Privilege (EoP) bugs receiving patches this month, and the majority of these require the attacker to execute their code on a target to escalate privileges – typically to SYSTEM. There are a couple of fixes that merit further discussion. The first is in the Azure App Service. While it does require authentication, a successful attack could allow the attacker to gain the ability to interact with other tenants’ applications and content. The bug in SharePoint requires two patches to resolve the vulnerability depending on your configuration. The fix for Defender for IoT requires a new version of the software to be installed through the management console.

In addition to the security feature bypass (SFB) under active attack, there’s an SFB fix for Defender for Endpoint worth mentioning. The bug allows the Attack Surface Reduction blocking feature to be bypassed when opening a malicious file.

Looking at the information disclosure bugs receiving fixes this month, all but one results in info leaks consisting of unspecified memory contents. The outlier is the bug in Azure Machine Learning Compute. This vulnerability could allow an attacker to recover cleartext passwords from error logs, which is generally classified as a Bad Thing™. This vulnerability was reported by Nitesh Surana of Project Nebula – a part of Trend Micro Research.

The February release fixes 10 different Denial-of-Service (DoS) bugs. For most of these, Microsoft provides no real detail about these bugs, so it isn’t clear if successful exploitation results in the service stopping or the system crashing. There is a bit of information about the DoS in Visual Studio. An authenticated attacker could use this vulnerability to replace one file with another when executing the Visual Studio installer.

The spoofing bug in Power BI is rated as Important and could allow an attacker to modify the contents of a reports file. This could also result in running JavaScript running. There’s not much information about the OneNote spoofing bug, but note depending on the version of OneNote, you may need to access the Microsoft or Google Play store for the update.

Finally, there are six cross-site scripting (XSS) bugs in Dynamics 365 and Azure DevOps.

No advisories were released this month.

Looking Ahead

The next Patch Tuesday will be on March 14, and we’ll return with details and patch analysis then. Be sure to catch the live edition of the Patch Report webcast on our YouTube channel. I’ll be answering your questions about the release direct from Pwn2Own Miami. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!