Microsoft February Patch Tuesday: fixed three zero-days (CVE-2023-21715, CVE-2023-23376, CVE-2023-21823)

CVE-2023-21823

It’s time to gear up for the latest February 2023 Microsoft February Patch Tuesday. Microsoft today released security patch updates for more than 70 vulnerabilities, affecting Windows, Edge, MS Office, and MS Office Exchange Server, 9 of which are rated critical, and three actively exploited zero-day flaws (CVE-2023-21715, CVE-2023-23376, CVE-2023-21823).

Tracked as CVE-2023-21715 (CVSS score: 7.3), the first zero-day bug relates to bypass security restrictions vulnerability affecting Microsoft Publisher. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to bypass security features.

“The attack itself is carried out locally by a user with authentication to the targeted system. An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer,” Microsoft wrote.

Tracked as CVE-2023-23376 (CVSS score: 7.8), the second zero-day flaw relates to a privilege escalation vulnerability affecting Windows Common Log File System Driver. By executing a specially-crafted program, an authenticated attacker could exploit this vulnerability to gain SYSTEM privileges.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft explained.

Tracked as CVE-2023-21823 (CVSS score: 7.8), the third zero-day flaw relates to remote code execution vulnerability affecting Graphics Component. By executing a specially-crafted program, an authenticated attacker could exploit this vulnerability to gain SYSTEM privileges.

Besides three zero-day CVE-2023-21715, CVE-2023-23376, and CVE-2023-21823 bugs, the cumulative security update also resolves several remote code execution flaws in 3D Builder (CVE-2023-23390, CVE-2023-23377, CVE-2023-23378), .NET and Visual Studio (CVE-2023-21808), Azure Data Box Gateway (CVE-2023-21703), Microsoft Exchange Server, Microsoft Dynamics, Microsoft Office Word, Microsoft PostScript Printer Driver, Microsoft WDAC OLE DB provider for SQL, Windows Protected EAP (PEAP), Windows MSHTML Platform, Windows ODBC Driver, Windows iSCSI Windows Fax and Scan Service, Windows Distributed File System (DFS), Visual Studio, SQL Server, Microsoft Windows Codecs Library, Microsoft WDAC OLE DB provider for SQL.

Users are strongly advised to apply security patches as soon as possible to keep hackers and cybercriminals away from taking control of their computers.

For installing security updates, simply head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.