Future Tech

Microsoft delivers 75-count box of patches for Valentine's Day

Tan KW
Publish date: Wed, 15 Feb 2023, 08:29 AM

Happy Patch Tuesday for February 2023, which falls on Valentine's Day.

Microsoft is showering love, maybe, on IT teams with some 75 security patches, nine of which are rated "critical" and 66 "important," and three of which Redmond says are under active exploitation.

Interestingly enough, the trio being taken advantage of aren't the most critical vulnerabilities Microsoft has addressed this month. Of the three being exploited, two have a base CVSS severity score of 7.8 out of 10, while the third scores just 7.3. Five of the other flaws, which earned a 9.8 CVSS score, are decidedly worse.

Those five aren't being actively exploited, though, while the three less severe ones are.

The first vulnerability under active attack, spotted by Mandiant, is a remote code execution bug in the Windows Graphics Component that would allow a miscreant to execute commands with system-level permissions. 

The second is a bug in the Windows Common Log File System Driver and would allow an attacker to elevate their access to gain system privileges. Microsoft didn't share any details about the issue, unfortunately, but with it under active exploitation it's a good idea to install those patches. 

The third under active exploit is serious - it could allow an attacker to bypass Office macro security policies - but Microsoft's own explanation of the vulnerability undermines its potential danger. 

The attack has to be carried out by a local user who's already authenticated, Microsoft said. If the authenticated attacker can convince a victim to download and open a malicious file, then the security hole can be exploited; otherwise it's not going to happen.

Far more interesting is the CVSS 9.8 vulnerability in Microsoft Office, through which an intruder can use the Outlook Preview Pane to launch a remote code execution attack using a malicious RTF file and "gain access to execute commands within the application used to open" the file.

There's also an iSCSI Discovery Service vulnerability, also rated a 9.8, that could let an attacker achieve remote code execution on any 32-bit machine they can find the iSCSI Discovery Service running on.

The remaining three critical vulnerabilities are all in Microsoft's Protected Extensible Authentication Protocol, which Trend Micro's Zero Day Initiative noted isn't used much anymore. 

"This volume is relatively typical for a February release. However, it is unusual to see half of the release address remote code execution bugs," said Dustin Childs, ZDI's head of threat awareness.

Adobe mixes mud for some not-so-serious holes

Adobe has patched practically everything it makes this month, but none of the 28 CVEs it identified over the nine products being updated has an active exploit, with the company rating each update as something that can be installed at IT admin discretion.

Top of the list was Adobe Bridge, which had seven issues necessitating patches, including out-of-bounds read/write and a stack-based buffer overflow that could lead to arbitrary code execution or a memory leak.

Next on the score card was Photoshop, for which Adobe noted five vulnerabilities: an improper input validation bug, two out-of-bounds write issues and a pair of out-of-bounds read problems. Of the five, four could be used to perform arbitrary code execution, while the fifth can lead to a memory leak. Updates to Premiere Rush were being pushed for the same reason.

FrameMaker is getting five vulnerabilities patched as well - all of which are similar to Photoshop's troubles aside from a use-after-free vulnerability, and four similar issues were found in After Effects, too.

Connect is suffering from a security feature bypass vulnerability, Animate has a trio of arbitrary code execution weaknesses, and InDesign is being patched against a denial of service attack. 

Lastly, ZDI noted that Adobe Substance 3D was also getting a patch, but not for any CVEs - it's a patch to address third-party library issues. 

The rest of the V-day PT-day crew

SAP issued 21 new security notes today, the worst of them being a CVSS 8.8 privilege escalation vulnerability in SAP Start Service. Fortunately, that particular vulnerability requires the attacker to be authenticated as a local user. 

Several other February security patches were also issued in the past few days/weeks, like the February 6 Android Security Bulletin that addressed three CVEs, one in Pixel devices and the other two in Qualcomm components. The Pixel device vulnerability wasn't explained, with Google only saying a patch for the issue would be "contained in the latest binary drivers for Pixel devices available from the Google Developer site."

In Apple world, macOS Ventura 13.2.1, iPadOS 16.3.1, and iOS 16.3.1, plus Safari 16.3 for macOS Big Sur and Monterey, were released this month to address various bugs including an exploited-in-the-wild flaw in WebKit as well as a hole that apps could use to gain kernel privileges.

AMD emitted updates on two security issues in its products. CVE-2022-27672 is another one of those Spectre-style data-leaking speculative-execution flaws involving hardware threads and virtualization in some of its Ryzen and Epyc processors.

If the conditions are right, one thread may be able to extract information from another thread that should be off limits. AMD reckons this will be hard to exploit, and that it's something for hypervisors and operating systems to address.

"AMD believes that due to existing mitigations applied to address other speculation-based issues, theoretical avenues for potential exploit of CVE-2022-27672 may be limited only to select virtualization environments where a virtual machine is given special privileges," the Ryzen designer explained.

"AMD is not aware of any actual real-world exploits based on this behavior."

Meanwhile, CVE-2022-27677 is a privilege-escalation vulnerability in AMD's Ryzen Master tool that is used for tuning system performance. This bug can be exploited during installation of this software to gain admin-level control over the box. ®

 

https://www.theregister.com//2023/02/14/microsoft_adobe_patch_tuesday/
