![]() Normally, Word bugs don’t attract too much attention – unless the Outlook Preview Pane is an attack vector, which is the case here. CVE-2023-21716 – Microsoft Word Remote Code Execution Vulnerability Either way, make sure you test and roll these fixes quickly. ![]() Considering this was discovered by Microsoft’s Threat Intelligence Center (aka MSTIC), it could mean it was used by advanced threat actors. This is likely being chained with an RCE bug to spread malware or ransomware. Microsoft does note that the vulnerability would allow an attacker to exploit code as SYSTEM, which would allow them to completely take over a target. This is the other bug under active attack in February, and sadly, there’s just a little solid information about this privilege escalation. CVE-2023-23376 – Windows Common Log File System Driver Elevation of Privilege Vulnerability Let’s hope the fix comprehensively addresses the problem. It’s always alarming when a security feature is not just bypassed but exploited. Based on the write-up, it sounds more like a privilege escalation than a security feature bypass, but regardless, active attacks in a common enterprise application shouldn’t be ignored. Microsoft lists this as under active exploit, but they offer no info on how widespread these exploits may be. CVE-2023-21715 – Microsoft Office Security Feature Bypass Vulnerability Let’s take a closer look at some of the more interesting updates for this month, starting with the bugs under active attack: None of the new CVEs released this month are listed as publicly known, but there are three bugs listed as being exploited in the wild at the time of release. However, it is unusual to see half of the release address remote code execution (RCE) bugs. This volume is relatively typical for a February release. Of the patches released today, nine are rated Critical and 66 are rated Important in severity. A total of eight of these CVEs were submitted through the ZDI program. This is in addition to Edge CVEs previously released this month plus some third-party fixes that are now being shipped for Microsoft products. NET Core and Visual Studio Code 3D Builder and Print 3D Microsoft Azure and Dynamics 365 Defender for IoT and the Malware Protection Engine and Microsoft Edge (Chromium-based). This month, Microsoft released 75 new patches addressing CVEs in Microsoft Windows and Windows Components Office and Office Components Exchange Server. Adobe categorizes these updates as a deployment priority rating of 3. None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. However, Adobe is updating third-party libraries used by the 3D modeling tool. Finally, the fix for Adobe Substance 3D Stager doesn’t actually address any new CVEs. The fix for InDesign corrects a denial of service caused by a NULL pointer deref. The patch for Adobe Connect fixes a security feature bypass bug, although Adobe doesn’t provide any further info on what’s being bypassed. The patch for FrameMaker also contains a mix of code execution and memory leak fixes. After Effects also has a memory leak to go along with three code execution bugs. ![]() The fix for Adobe Bridge fixes five Critical-rated code execution bugs plus two memory leaks. The Animate patch also fixes three similar code execution bugs. This is the same scenario for Premier Rush, which corrects two Critical-rated code execution bugs. An attacker could get arbitrary code execution if they can convince a user on an affected system to open a malicious file. This patch fixes five bugs, three of which are rated Critical. Probably the most interesting fix is for PhotoShop. A total of 21 of these were reported by ZDI vulnerability researcher Mat Powell. Take a break from your regularly scheduled activities (or Pwn2Own Miami) and join us as we review the details of their latest security offerings.įor February, Adobe released nine patches addressing 28 CVEs in Adobe Photoshop, Substance 3D Stager, Animate, InDesign, Bridge, FrameMaker, Connect, and After Effects. On this romantic holiday, Microsoft and Adobe have released their latest security patches as Valentine’s gifts for us all. Welcome to the second patch Tuesday of 2023.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |