On March 14, 2023, Microsoft released security updates for Windows clients and servers, for Office and for other products. The updates fix 76 CVE vulnerabilities: 9 are rated critical, 66 important, and two are 0-day vulnerabilities that are already being exploited. Below is a compact overview of the updates released on this patchday.
A list of the updates can be found on this Microsoft page. Details on the update packages for Windows, Office, etc. are available in separate blog posts.
Notes about the updates
Windows 10 versions 20H2 through 22H2 share a common core and an identical set of system files, so the same security updates are delivered for these Windows 10 versions. The version-specific features are switched on through an Enablement Package update; details are in this Techcommunity post.
Windows 10/11, Windows Server
All Windows 10/11 updates (and the updates for their server counterparts) are cumulative: the monthly patchday update contains all security fixes for the respective Windows version plus the non-security bug fixes and new features released up to patchday (e.g., the Moment 2 update for Windows 11 22H2). Microsoft integrates the Servicing Stack Updates (SSUs) into the Latest Cumulative Updates (LCUs) for newer Windows 10/11 versions. A list of the latest SSUs can be found in ADV990001 (although the list is not always up to date).
Windows 7 SP1/Windows 8.1/Windows Server
Windows 7 SP1 has been out of support since January 2020; only customers with a 4th-year ESU license (or workarounds) still receive updates, which can also be downloaded from the Microsoft Update Catalog. Windows 8.1 has been out of support since January 2023. Windows Server 2012/R2, however, will receive security updates until October 2023.
Notes on Windows 7 ESU: German blog reader Bolko pointed out in a comment (thanks for that) that there are still security updates for Windows 7 after all. The user abbodi1406 has posted updates for two of his tools in the MDL forum: BypassESU v12 and dotNetFx4_ESU_Installer_u (for installing .NET Framework updates without BypassESU v12). The updates for "Windows Embedded Standard 7" are identical to those for "Windows Server 2008 R2" and can also be installed on Windows 7. The advantage of the "Windows Embedded Standard 7" updates is that they are also available for 32-bit, whereas the "Windows Server 2008 R2" updates exist only for 64-bit.
Fixed vulnerabilities
Tenable has published this blog post with an overview of the fixed vulnerabilities. Tenable states that two 0-day vulnerabilities are being exploited in the wild.
- CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability, CVSSv3 score 9.8, critical; already exploited. The vulnerability is triggered by sending a crafted email to a vulnerable version of Outlook for Windows. When the Outlook client retrieves and processes the message, it connects to an attacker-controlled host and leaks the recipient's Net-NTLMv2 hash; the attacker can replay this hash in an NTLM relay attack to authenticate as the recipient. Microsoft notes that the vulnerability is triggered before the email is displayed in the preview pane, so no interaction by the recipient is required. Discovered by the Computer Emergency Response Team of Ukraine (CERT-UA) and Microsoft. Microsoft published a blog post on March 14, 2023 stating that a Russia-based threat actor is exploiting the vulnerability.
- CVE-2023-24880: Windows SmartScreen Security Feature Bypass Vulnerability, CVSSv3 score 5.4, moderate. The vulnerability is publicly known and has been exploited in the wild. To exploit it, a user on an affected version of Windows must open a malicious file. When the file is opened, the Mark of the Web (MoTW) check is bypassed, so security features that rely on the MoTW flag (such as SmartScreen) are not triggered and a malicious payload in the file can execute on the target.
- CVE-2023-23416: Windows Cryptographic Services Remote Code Execution Vulnerability, CVSSv3 score 8.4, critical. The vulnerability is in Windows Cryptographic Services, the set of cryptographic components of the Windows operating system. It is exploited by importing a malicious certificate on a vulnerable target, which requires the attacker either to authenticate to the target or to trick an authenticated user into importing the certificate. Rated "Exploitation More Likely" on the Microsoft Exploitability Index.
- CVE-2023-23415: Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability, CVSSv3 score 9.8, critical. The vulnerability lies in the operating system's handling of ICMP packets and is reachable when an application on the vulnerable Windows host is bound to a raw socket. An attacker exploits it by sending a malicious fragmented IP packet to the target, which leads to execution of arbitrary code. Rated "Exploitation More Likely" on the Microsoft Exploitability Index.
- CVE-2023-23392: HTTP Protocol Stack Remote Code Execution Vulnerability, CVSSv3 score 9.8, critical. The vulnerability is in the HTTP.sys kernel component of Windows and can be exploited by a remote, unauthenticated attacker sending a malicious packet to the target server. A server is only vulnerable if HTTP/3 is enabled and it uses buffered I/O. HTTP/3 support is a new feature of Windows Server 2022 that is off by default and must be enabled through a registry key.
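Two of these bugs can be triaged locally before the patch is installed. In CVE-2023-23397 the crafted message sets the reminder sound path (the extended MAPI property PidLidReminderFileParameter, LID 0x851F in the PSETID_Common property set) to a UNC path, so Outlook opens it over SMB and authenticates with NTLM; Microsoft's own CVE-2023-23397.ps1 script looks for the same property server-side through Exchange Web Services. For CVE-2023-23392 the exposure condition is the EnableHttp3 value in the HTTP.sys parameters key. The following PowerShell is an added example written for this summary, not code from the original post or from Microsoft: it inspects a desktop Outlook profile through the Outlook COM object, checks the HTTP/3 switch, and adds the interim mitigation Microsoft recommended (blocking outbound TCP 445). The firewall rule name, the folder choices and the path heuristics are assumptions of this example; the property IDs are the documented MS-OXPROPS values.

```powershell
# Added example (not from the original post or from Microsoft). Run elevated on the
# machine you are assessing; the Outlook check needs a desktop Outlook profile there.

# --- CVE-2023-23397: find items whose reminder sound path points to another host ---
$PSETID_Common         = '{00062008-0000-0000-C000-000000000046}'
$ReminderFileParameter = "http://schemas.microsoft.com/mapi/id/$PSETID_Common/851F001F"  # PtypString
$ReminderOverride      = "http://schemas.microsoft.com/mapi/id/$PSETID_Common/851C000B"  # PtypBoolean

function Test-RemoteReminderPath {
    # $true when the path can make Outlook authenticate to another host: a UNC path
    # (\\host\share, including WebDAV forms such as \\host@SSL@443\dav) or a file://
    # URL with a real host. Local drive paths and \\?\ / \\.\ device paths are benign.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $p = $Path.Trim()
    if ($p -match '^\\\\(?![.?]\\)')        { return $true }   # \\host\...
    if ($p -match '^\\\\[.?]\\UNC\\')       { return $true }   # \\?\UNC\host\...
    if ($p -match '^file://([^/\\]+)') {                        # file://host/... (not file:///C:/)
        return ($Matches[1] -notmatch '^[a-z]:$')
    }
    return $false
}

function Find-SuspiciousReminders {
    # Walks one default folder of the default Outlook profile and reports items whose
    # reminder sound path is remote. Folder IDs (OlDefaultFolders): Inbox 6, Calendar 9, Tasks 13.
    param([int]$FolderId = 6)
    $outlook = New-Object -ComObject Outlook.Application
    $folder  = $outlook.GetNamespace('MAPI').GetDefaultFolder($FolderId)
    foreach ($item in $folder.Items) {
        try {
            $path = $item.PropertyAccessor.GetProperty($ReminderFileParameter)
        } catch { continue }                     # property not set on this item
        if (Test-RemoteReminderPath $path) {
            $override = $false                   # the custom sound is only used when this is true
            try { $override = [bool]$item.PropertyAccessor.GetProperty($ReminderOverride) } catch {}
            [pscustomobject]@{
                Received = $item.ReceivedTime
                Sender   = $item.SenderEmailAddress
                Subject  = $item.Subject
                Path     = $path
                Override = $override
            }
        }
    }
}

# --- CVE-2023-23397 interim mitigation: block outbound SMB to non-local addresses ---
function Add-OutboundSmbBlock {
    $name = 'Block outbound TCP 445 (CVE-2023-23397 mitigation)'   # assumed rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        # 'Internet' = addresses outside the local subnets as classified by the Windows Firewall
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

# --- CVE-2023-23392: is HTTP/3 switched on in HTTP.sys? (relevant on Windows Server 2022) ---
function Test-Http3Enabled {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $v = Get-ItemProperty -Path $key -Name EnableHttp3 -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableHttp3 -eq 1)
}

# Usage:
#   Find-SuspiciousReminders | Format-Table -AutoSize      # Inbox
#   Find-SuspiciousReminders -FolderId 9                   # Calendar
#   if (Test-Http3Enabled) { 'HTTP/3 is enabled: exposed to CVE-2023-23392 until patched' }
#   Add-OutboundSmbBlock
```

Scan the Calendar and Tasks folders as well as the Inbox: the reminder properties live on appointment and task items too. Outlook may show its object-model security prompt when the script reads sender addresses. Blocking outbound 445 cuts the SMB path but not a WebDAV fallback over 80/443 if the WebClient service is running; Microsoft's other interim measure, putting accounts into the Protected Users group, stops NTLM for those accounts. Installing the update is the actual fix.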
A list of all covered CVEs can be found on this Microsoft page; excerpts are available in the Tenable and Bleeping Computer articles. Below is the list of patched products/features:
- Azure
- Client Server Run-time Subsystem (CSRSS)
- Internet Control Message Protocol (ICMP)
- Microsoft Bluetooth Driver
- Microsoft Dynamics
- Microsoft Edge (Chromium-based)
- Microsoft Graphics Component
- Microsoft Office Excel
- Microsoft Office Outlook
- Microsoft Office SharePoint
- Microsoft OneDrive
- Microsoft PostScript Printer Driver
- Microsoft Printer Drivers
- Microsoft Windows Codecs Library
- Office for Android
- Remote Access Service Point-to-Point Tunneling Protocol
- Role: DNS Server
- Role: Windows Hyper-V
- Service Fabric
- Visual Studio
- Windows Accounts Control
- Windows Bluetooth Service
- Windows Central Resource Manager
- Windows Cryptographic Services
- Windows Defender
- Windows HTTP Protocol Stack
- Windows HTTP.sys
- Windows Internet Key Exchange (IKE) Protocol
- Windows Kernel
- Windows Partition Management Driver
- Windows Point-to-Point Protocol over Ethernet (PPPoE)
- Windows Remote Procedure Call
- Windows Remote Procedure Call Runtime
- Windows Resilient File System (ReFS)
- Windows Secure Channel
- Windows SmartScreen
- Windows TPM
- Windows Win32K
Similar articles:
Microsoft Security Update Summary (March 14, 2023)
Patchday: Windows 10-Updates (March 14, 2023)
Patchday: Windows 11/Server 2022-Updates (March 14, 2023)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (March 14, 2023)
Patchday: Microsoft Office Updates (March 14, 2023)
Exchange Server Security Updates (March 14, 2023)
There are reports on the patchmanagement.org list that the SSU for Windows Server 2012 R2 forces a reboot during installation; installing it manually reportedly does not require a reboot.