Microsoft’s April 2023 Patch Tuesday fixes exploited CVE-2023-28252 0-day vulnerability
Microsoft’s April 2023 Patch Tuesday has arrived, and it brings a slew of security updates aimed at fixing one actively exploited zero-day vulnerability and a total of 97 flaws. The patches address vulnerabilities in Microsoft Windows and Windows Components, Office and Office Components, Windows Defender, SharePoint Server, Windows Hyper-V, PostScript Printer, and Microsoft Dynamics.
One of the new CVEs is listed as under active attack at the time of release. Tracked as CVE-2023-28252 (CVSS score of 7.8), the flaw affects Windows Common Log File System Driver component. This zero-day vulnerability is currently under active attack, and it seems eerily similar to one that was patched in the same component just two months ago. This suggests that the original fix was insufficient, and attackers have found a method to bypass it. There is no information on the extent of these attacks, but such exploits are typically paired with code execution bugs to propagate malware or ransomware. It is crucial to test and deploy this patch as soon as possible.
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft wrote in its advisory. The company has credited the security researcher Genwei Jiang with Mandiant and Quan Jin with DBAPPSecurity WeBin Lab for finding and reporting the CVE-2023-28252 vulnerability.
An interesting update for this month is tracked as CVE-2013-3900. This 10-year-old patch is being reissued, having been recently exploited by threat actors in the 3CX attacks. Previously an “opt-in” fix, the revised patch adds fixes for additional platforms and includes further recommendations for enterprises. It is essential to review all the recommendations, including information on the Microsoft Trusted Root Program, and take the necessary steps to protect your environment.
Microsoft’s highest exploitability rating –CVE-2023-21554– rated as a CVSS 9.8 bug, this vulnerability allows a remote, unauthenticated attacker to run their code with elevated privileges on affected servers with the Message Queuing service enabled. Though disabled by default, this service is widely used by contact center applications and listens to TCP port 1801. Blocking this port at the perimeter can prevent external attacks, but the impact on operations remains unclear. Testing and deploying the update is the best course of action.
Users and system administrators are strongly recommended to apply the latest security patches as soon as possible to keep hackers and cybercriminals away from taking control of their systems.
