As part of its second Patch Tuesday of the year, Microsoft released patches overnight for 78 vulnerabilities, 66 of which the company marked Important, along with three actively exploited zero-day vulnerabilities.
Moreover, nine vulnerabilities allow Remote Code Execution (RCE) on vulnerable devices, so they have been classified as ‘Critical’.
The number of bugs in each vulnerability category is as follows:
- Remote Code Execution Vulnerabilities: 38
- Elevation of Privilege Vulnerabilities: 12
- Denial of Service Vulnerabilities: 10
- Information Disclosure Vulnerabilities: 8
- Spoofing Vulnerabilities: 8
- Security Feature Bypass Vulnerabilities: 2
Three vulnerabilities were fixed earlier this month in Microsoft Edge; these are not included in this count.
Critical Flaws Patched
The following flaws are marked as “Critical”:
- CVE-2023-21808: .NET and Visual Studio Remote Code Execution Vulnerability
- CVE-2023-21716: Microsoft Word Remote Code Execution Vulnerability
- CVE-2023-21718: Microsoft SQL ODBC Driver Remote Code Execution Vulnerability
- CVE-2023-21815: Visual Studio Remote Code Execution Vulnerability
- CVE-2023-23381: Visual Studio Remote Code Execution Vulnerability
- CVE-2023-21803: Windows iSCSI Discovery Service Remote Code Execution Vulnerability
- CVE-2023-21692: Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
- CVE-2023-21690: Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
- CVE-2023-21689: Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
Zero-days Patched
This month's Patch Tuesday resolves three zero-day vulnerabilities that are actively exploited. Microsoft classifies an issue as a zero-day if it is publicly disclosed with no official fix available, or if it is actively exploited.
The three actively exploited zero-day vulnerabilities fixed in this security update are as follows:
- CVE-2023-21823: Windows Graphics Component Remote Code Execution Vulnerability (Discovered by Dhanesh Kizhakkinan, Genwei Jiang, and Dhanesh Kizhakkinan of Mandiant)
- CVE-2023-21715: Microsoft Publisher Security Features Bypass Vulnerability (Discovered by Hidetake Jo of Microsoft)
- CVE-2023-23376: Windows Common Log File System Driver Elevation of Privilege Vulnerability (Discovered by the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center)
Several vulnerabilities have crippled Microsoft Exchange Servers around the world over the past few years, including:
- ProxyLogon
- ProxyShell
- ProxyNotShell
- OWASSRF
- TabShell
State-sponsored threat actors in the following countries have found these flaws to be valuable assets in their arsenal of attacks:-
It is strongly recommended that organizations that rely on Microsoft Exchange Server apply the latest cumulative updates to that server immediately to prevent future exploitation.