Microsoft on Tuesday released security updates to address 75 flaws spanning its product portfolio, three of which have come under active exploitation in the wild.
The updates are in addition to 22 flaws the Windows maker patched in its Chromium-based Edge browser over the past month.
Of the 75 vulnerabilities, nine are rated Critical and 66 are rated Important in severity, and 37 of the 75 are classified as remote code execution (RCE) flaws. The three zero-days of note that have been exploited are as follows:
- CVE-2023-21715 (CVSS score: 7.3) – Microsoft Office Security Feature Bypass Vulnerability
- CVE-2023-21823 (CVSS score: 7.8) – Windows Graphics Component Elevation of Privilege Vulnerability
- CVE-2023-23376 (CVSS score: 7.8) – Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability
“The attack itself is carried out locally by a user with authentication to the targeted system,” Microsoft said in its advisory for CVE-2023-21715.
“An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer.”
Successful exploitation of the above flaws could enable an adversary to bypass Office macro policies used to block untrusted or malicious files or gain SYSTEM privileges.
CVE-2023-23376 is also the third actively exploited zero-day flaw in the CLFS component, after CVE-2022-24521 and CVE-2022-37969 (both CVSS score: 7.8), which Microsoft addressed in April and September 2022, respectively.
“The Windows Common Log File System Driver is a component of the Windows operating system that manages and maintains a high-performance, transaction-based log file system,” Immersive Labs’ Nikolas Cemerikic said.
“It is an essential component of the Windows operating system, and any vulnerabilities in this driver could have significant implications for the security and reliability of the system.”
It’s worth noting that Microsoft OneNote for Android is vulnerable to CVE-2023-21823, and with the note-taking service increasingly emerging as a conduit for delivering malware, it’s crucial that users apply the fixes.
Also addressed by Microsoft are multiple RCE defects in Exchange Server, ODBC Driver, PostScript Printer Driver, and SQL Server as well as denial-of-service (DoS) issues impacting Windows iSCSI Service and Windows Secure Channel.
Three of the Exchange Server flaws are classified by the company as “Exploitation More Likely,” although successful exploitation requires the attacker to be already authenticated.
Exchange servers have proven to be high-value targets in recent years as they can enable unauthorized access to sensitive information, or facilitate Business Email Compromise (BEC) attacks.
Software Patches from Other Vendors
Besides Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —