Microsoft unveils fixes for more critical security flaws, so patch now
February Patch Tuesday release sees Microsoft reveal more vital fixes
Microsoft has released this month’s Patch Tuesday security update, fixing a total of 77 flaws including three zero-day vulnerabilities.
A zero-day is a high-severity vulnerability that a threat actor can leverage destructive cyberattacks, that still hasn’t been patched. Given that this month’s patch fixes three such flaws, Microsoft recommends users apply the fix as soon as possible.
The three zero-days that were fixed are CVE-2023-21823 (Windows graphics component remote code execution), CVE-2023-21715 (Microsoft publisher security features bypass), and CVE-2023-23376 (Windows common log file system driver elevation of privilege vulnerability). These three allowed threat actors to execute code remotely, bypass Office macro policies, or gain system privileges.
Updates via Microsoft Store
Microsoft also said that it will be pushing this update out to the users through the Microsoft Store, not Windows Update. That means that the customers with disabled automatic updates in the Microsoft Store will not get the patch automatically and will rather need to trigger it themselves.
The company did not detail who, or where, leveraged these flaws to initiate attacks, but it did say exploiting 21715 allows a malicious Publisher document to run without warning the user.
"The attack itself is carried out locally by a user with authentication to the targeted system," the company said. "An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer."
The February 2023 Patch Tuesday cumulative update addresses a total of nine vulnerabilities classified as “critical”, which allow for remote code execution.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
In total, Microsoft fixed 12 elevation of privilege flaws, two security feature bypass flaws, 38 remote code execution flaws, 8 information disclosure vulnerabilities, 10 denial of service vulnerabilities, and 8 spoofing flaws. Earlier this month, Microsoft released fixes for three additional vulnerabilities found in the Edge browser, which are not part of this update.
- Keep your business safe with the best endpoint protection for small business
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.