[German]On February 14, 2023, Microsoft released security updates for Windows clients and servers, for Office, etc. – as well as for other products – released. The security updates fix 75 vulnerabilities, of which 9 are critical, 66 are important and 3 are 0-day vulnerabilities. Below is a compact overview of these updates released on patchday.
A list of the updates can be found on this Microsoft page. Details on the update packages for Windows, Office, etc. are available in separate blog posts.
Notes about Updates
Windows 10 version 20H2 to 22H2 use a common core and have an identical set of system files. Therefore, the same security update will be delivered for these Windows 10 versions. Information on enabling the features of Windows 10, which is done through an Enablement Package update, can be found in this Techcommunity post.
Windows 10/11, Windows Server
All Windows 10/11 updates (as well as updates to their server counterparts) are cumulative. The monthly patchday update contains all security fixes for these Windows versions – as well as all non-security fixes up to patchday. In addition to security patches for the vulnerabilities, the updates include security enhancement measures.
Microsoft includes the Servicing Stack Updates (SSUs) in the Latest Cumulative Updates (LCUs) for newer Windows 10 versions. A list of the latest SSUs can be found at ADV990001 (although the list is not always up-to-date).
Windows 7 SP1/Windows 8.1/Windows Server
Windows 7 SP1 is no longer supported as of January 2020. Only customers with a 4th year ESU license (or workarounds) will still receive updates. Updates can also be downloaded from the Microsoft Update Catalog. Windows 8.1 is out of support in January 2023. However, Windows Server 2012 /R2 will receive security updates until October 2023.
Notes about Windows 7 ESU
German blog reader Bolko pointed out in a comment (thanks for that) that there are security updates for Windows 7 after all. Because the user abbodi1406 has in the MDL forum updates for two of his tools:
dotNetFx4_ESU_Installer_u (for the installation of the NET Framework without ByPassESU v12)
is provided. The updates for "Windows Embedded Standard 7" are identical to "Windows Server 2008 R2" and can also be installed on Windows 7. The advantage of the updates for "Windows Embedded Standard 7" is that they are also available for 32-bit. The updates for "Windows Server 2008 R2" are only for 64-bit.
Tenable has this blog post with an overview of the fixed vulnerabilities. Tenable states that three 0-day vulnerabilities are exploited in the wild.
- CVE-2023-23376: Windows Common Log File System Driver Elevation of Privilege Vulnerability; Important; VSSv3 Score 7.8; Exploitation in the wild. The vulnerability exists in the Common Log File System (CLFS) driver, a logging service used by kernel and user mode applications. This vulnerability can be exploited after an attacker gains access to a vulnerable target to gain SYSTEM privileges.
- CVE-2023-21529, CVE-2023-21706, CVE-2023-21707 and CVE-2023-21710: Microsoft Exchange Server Remote code execution vulnerabilit, Important, CVSSv3-Score 7.2 till 8.8, The vulnerabilities allow a remote attacker to execute arbitrary code on a vulnerable server via a network call. CVE-2023-21529, CVE-2023-21706 and CVE-2023-21707 were rated "Exploitation More Likely" on Microsoft's Exploitability Index.
- CVE-2023-21689, CVE-2023-21690 and CVE-2023-21692: Microsoft Protected Extensible Authentication Protocol, Critical und Important, VSSv3-Score 9.8; The vulnerability is in the Protected Extensible Authentication Protocol (PEAP) server component used to establish secure connections with wireless clients. Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary code. For a target system to be vulnerable, it must be running Network Policy Server and configured with a network policy that allows PEAP. All three vulnerabilities were rated Exploitation More Likely in the corresponding advisory. Another RCE affecting PEAP, CVE-2023-21695, was also patched this month. However, exploitation of this vulnerability requires authentication. All four CVEs can be exploited through a tampered PEAP packet sent to an unpatched host.
- CVE-2023-21823: Windows Graphics Component Elevation of Privilege Vulnerability; Important; CVSSv3 Score 7.8; This is an EoP vulnerability in the Microsoft Windows graphics component, and has been exploited as a zero-day vulnerability. To exploit this vulnerability, an attacker must log in to a vulnerable system and run a specially crafted application. If successfully exploited, an attacker can execute processes in an extended context. Although no details have been disclosed, the vulnerability is attributed to Mandiant researchers Genwei Jiang and Dhanesh Kizhakkinan.
- CVE-2023-21715: Microsoft Office Security Feature Bypass Vulnerability; Important; CVSSv3-Score 7.3, Exploitation in the wild. To exploit the vulnerability, a local, authenticated user must download and open an attacker-created file on a vulnerable system. An attacker would have to trick the user into downloading and executing the file to successfully exploit this vulnerability. This vulnerability is attributed to Hidetake Jo.
- CVE-2023-21716: Microsoft Word Remote Code Execution Vulnerability, Critical, CVSSv3-Score 9.8; This is an RCE vulnerability in multiple versions of Microsoft Word, Sharepoint, 365 Apps, and Office for Mac. Although the vulnerable component is unspecified, Microsoft states that the preview pane in these apps is an attack vector. The vulnerability can be exploited by an unauthenticated attacker sending an email with a rich text format (RTF) payload that, when opened, allows a command to be executed. The Microsoft advisory for this CVE references MS08-026 and KB922849, which provide instructions on how to prevent Microsoft Office from opening RTF documents from unknown or untrusted sources by using the Microsoft Office File Block policy.
- .NET and Visual Studio
- .NET Framework
- 3D Builder
- Azure App Service
- Azure Data Box Gateway
- Azure DevOps
- Azure Machine Learning
- Internet Storage Name Service
- Microsoft Defender for Endpoint
- Microsoft Defender for IoT
- Microsoft Dynamics
- Microsoft Edge (Chromium-based)
- Microsoft Exchange Server
- Microsoft Graphics Component
- Microsoft Office
- Microsoft Office OneNote
- Microsoft Office Publisher
- Microsoft Office SharePoint
- Microsoft Office Word
- Microsoft PostScript Printer Driver
- Microsoft WDAC OLE DB provider for SQL
- Microsoft Windows Codecs Library
- Power BI
- SQL Server
- Visual Studio
- Windows Active Directory
- Windows ALPC
- Windows Common Log File System Driver
- Windows Cryptographic Services
- Windows Distributed File System (DFS)
- Windows Fax and Scan Service
- Windows HTTP.sys
- Windows Installer
- Windows iSCSI
- Windows Kerberos
- Windows MSHTML Platform
- Windows ODBC Driver
- Windows Protected EAP (PEAP)
- Windows SChannel
- Windows Win32K
Microsoft Security Update Summary (February 14, 2023)
Patchday: Windows 10 Updates (February 14, 2023)
Patchday: Windows 11/Server 2022 Updates (February 14, 2023)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (February 14, 2023)
Patchday: Microsoft Office Updates (February 14, 2023)
Exchange Server Security Updates (February 14, 2023)
Cookies helps to fund this blog: Cookie settings