Microsoft’s Patch Tuesday for February fixes 3 zero-day bugs and more

Why it issues: ‘Patch Tuesday’ is the unofficial time period utilized by Microsoft for its month-to-month launch of bugfixes for Home windows and different software program merchandise. Like each different month since October 2003, Microsoft patched a whole lot of flaws in February that would make hackers’ malicious jobs simpler.

Yesterday’s Valentine’s Day was a day for lovers, martyrs, and system directors, as Microsoft launched its month-to-month batch of safety updates for Home windows and different merchandise. The Patch Tuesday for February 2023 introduced fixes for a exceptional quantity of bugs, together with three harmful zero-day flaws which might be already being exploited by unknown hackers and cyber-criminals.

In line with Microsoft’s official bulletin, the February 2023 Security Updates embrace bugfixes for a number of Home windows elements, the Visible Studio IDE, Azure elements, .NET Framework, Microsoft Workplace purposes (Phrase, Writer, OneNote, SharePoint), SQL Server and rather more. All issues thought-about, the brand new Patch Tuesday ought to repair 77 particular person safety flaws.

9 out of the 77 flaws have been categorized with a “important” severity stage, as they are often abused to permit distant code execution on susceptible methods. Contemplating the kind of flaws and the consequences they may have on Home windows and different affected software program, Microsoft has categorized the vulnerabilities as follows: 12 Elevation of Privilege Vulnerabilities, 2 Safety Function Bypass Vulnerabilities, 38 Distant Code Execution Vulnerabilities, 8 Data Disclosure Vulnerabilities, 10 Denial of Service Vulnerabilities, 8 Spoofing Vulnerabilities. A full report about all solved bugs and associated advisories has been revealed by Bleeping Pc and is available here.

The safety flaws patched on February 14 do not embrace three vulnerabilities within the Edge browser, which Microsoft already fastened in the beginning of the month. Probably the most fascinating – and harmful – bugs fastened in February’s Patch Tuesday embrace three zero-day flaws, two of which had been found in Home windows elements and the final one in Microsoft Writer.

Often called CVE-2023-21823, the primary zero-day bug is a “Home windows Graphics Element Distant Code Execution Vulnerability,” which might present distant code execution capabilities with SYSTEM privileges. Not like the opposite patches, the CVE-2023-21823 repair is being distributed by way of the Microsoft Retailer reasonably than by means of the standard Home windows Replace channels. Customers who disabled computerized updates for the Retailer will get this explicit replace as nicely.

The second zero-day bug is tracked as CVE-2023-23376, and it is a “Home windows Widespread Log File System Driver Elevation of Privilege Vulnerability” that an attacker might exploit to realize SYSTEM privileges. Lastly, the third zero-day bug was found in Microsoft Writer (CVE-2023-21715), and it might be abused by a maliciously crafted doc to bypass Workplace macro insurance policies and run code with no person warning.

Home windows Safety Updates for February 2023 are already being distributed by means of the official Home windows Replace service, replace administration methods equivalent to WSUS, the Microsoft Retailer and as direct downloads from the Microsoft Replace Catalog. Different software program corporations releasing their safety updates in sync with Microsoft’s February Patch Tuesday embrace Adobe, Apple, Atlassian, Cisco, Google, Fortra, and SAP.