Microsoft unveils fixes for more critical security flaws, so patch now

Microsoft Remote Desktop
(Image credit: Microsoft)

Microsoft has released this month’s Patch Tuesday security update, fixing a total of 77 flaws including three zero-day vulnerabilities. 

A zero-day is a high-severity vulnerability that a threat actor can leverage destructive cyberattacks, that still hasn’t been patched. Given that this month’s patch fixes three such flaws, Microsoft recommends users apply the fix as soon as possible.

The three zero-days that were fixed are CVE-2023-21823 (Windows graphics component remote code execution), CVE-2023-21715 (Microsoft publisher security features bypass), and CVE-2023-23376 (Windows common log file system driver elevation of privilege vulnerability). These three allowed threat actors to execute code remotely, bypass Office macro policies, or gain system privileges.

Updates via Microsoft Store

Microsoft also said that it will be pushing this update out to the users through the Microsoft Store, not Windows Update. That means that the customers with disabled automatic updates in the Microsoft Store will not get the patch automatically and will rather need to trigger it themselves.

The company did not detail who, or where, leveraged these flaws to initiate attacks, but it did say exploiting 21715 allows a malicious Publisher document to run without warning the user. 

"The attack itself is carried out locally by a user with authentication to the targeted system," the company said. "An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer."

The February 2023 Patch Tuesday cumulative update addresses a total of nine vulnerabilities classified as “critical”, which allow for remote code execution. 

In total, Microsoft fixed 12 elevation of privilege flaws, two security feature bypass flaws, 38 remote code execution flaws, 8 information disclosure vulnerabilities, 10 denial of service vulnerabilities, and 8 spoofing flaws. Earlier this month, Microsoft released fixes for three additional vulnerabilities found in the Edge browser, which are not part of this update.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.