Microsoft's Patch Tuesday for February fixes 3 zero-day bugs and more
Windows and Office being pierced by hackers as usualBy Alfonso Maruccia
Why it matters: 'Patch Tuesday' is the unofficial term used by Microsoft for its monthly release of bugfixes for Windows and other software products. Like every other month since October 2003, Microsoft patched a lot of flaws in February that could make hackers' malicious jobs easier.
Yesterday's Valentine's Day was a day for lovers, martyrs, and system administrators, as Microsoft released its monthly batch of security updates for Windows and other products. The Patch Tuesday for February 2023 brought fixes for a remarkable amount of bugs, including three dangerous zero-day flaws that are already being exploited by unknown hackers and cyber-criminals.
According to Microsoft's official bulletin, the February 2023 Security Updates include bugfixes for several Windows components, the Visual Studio IDE, Azure components, .NET Framework, Microsoft Office applications (Word, Publisher, OneNote, SharePoint), SQL Server and much more. All things considered, the new Patch Tuesday should fix 77 individual security flaws.
Nine out of the 77 flaws have been classified with a "critical" severity level, as they can be abused to allow remote code execution on vulnerable systems. Considering the type of flaws and the effects they could have on Windows and other affected software, Microsoft has classified the vulnerabilities as follows: 12 Elevation of Privilege Vulnerabilities, 2 Security Feature Bypass Vulnerabilities, 38 Remote Code Execution Vulnerabilities, 8 Information Disclosure Vulnerabilities, 10 Denial of Service Vulnerabilities, 8 Spoofing Vulnerabilities. A full report about all solved bugs and related advisories has been published by Bleeping Computer and is available here.
The security flaws patched on February 14 don't include three vulnerabilities in the Edge browser, which Microsoft already fixed at the beginning of the month. The most interesting – and dangerous – bugs fixed in February's Patch Tuesday include three zero-day flaws, two of which were discovered in Windows components and the last one in Microsoft Publisher.
Known as CVE-2023-21823, the first zero-day bug is a "Windows Graphics Component Remote Code Execution Vulnerability," which could provide remote code execution capabilities with SYSTEM privileges. Unlike the other patches, the CVE-2023-21823 fix is being distributed via the Microsoft Store rather than through the usual Windows Update channels. Users who disabled automatic updates for the Store will get this particular update as well.
The second zero-day bug is tracked as CVE-2023-23376, and it's a "Windows Common Log File System Driver Elevation of Privilege Vulnerability" that an attacker could exploit to gain SYSTEM privileges. Finally, the third zero-day bug was discovered in Microsoft Publisher (CVE-2023-21715), and it could be abused by a maliciously crafted document to bypass Office macro policies and run code with no user warning.
Windows Security Updates for February 2023 are already being distributed through the official Windows Update service, update management systems such as WSUS, the Microsoft Store and as direct downloads from the Microsoft Update Catalog. Other software companies releasing their security updates in sync with Microsoft's February Patch Tuesday include Adobe, Apple, Atlassian, Cisco, Google, Fortra, and SAP.