The three zero-days (CVE-2023-21715, CVE-2023-23376, CVE-2023-21823)
CVE-2023-21715 is a vulnerability that allows attackers to bypass a Microsoft Publisher security feature: Office macro policies used to block untrusted or malicious files.
“The attack itself is carried out locally by a user with authentication to the targeted system. An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer,” Microsoft explains.
Due to the local attack vector and the fact that elevated privileges and user interaction are required to exploit the flaw, the vulnerability is rated as Important. Still, any flaw that allows attackers to misuse macros in an Office document without triggering a block should be patched quickly, whether it’s currently exploited in highly targeted attacks or more widely. Attackers have been slowly abandoning the use of macros as Microsoft started blocking them by default in Office documents downloaded from the internet, but vulnerabilities like this one keep macros a viable option for them.
CVE-2023-23376 is a vulnerability in the Windows Common Log File System that could allow attackers to achieve SYSTEM privileges on a target host.
“This is likely being chained with an RCE bug to spread malware or ransomware. Considering this was discovered by Microsoft’s Threat Intelligence Center (aka MSTIC), it could mean it was used by advanced threat actors. Either way, make sure you test and roll these fixes quickly,” says Trend Micro’s Dustin Childs.
CVE-2023-21823 is a vulnerability in the Windows Graphics Component that could lead to remote code execution and a total takeover of a vulnerable system.
“The Microsoft Store will automatically update affected customers,” Microsoft says. Those who have disabled automatic updates should get them via the Microsoft Store (go to: Library > Get updates > Update all).
Unfortunately, Microsoft did not share any details about the attacks in which these vulnerabilities are being exploited.
Other vulnerabilities of note
Childs advises admins to quickly patch CVE-2023-21716, a critical RCE in Microsoft Word that can be exploited when the system simply opens the Preview Pane.
“An unauthenticated attacker could send a malicious e-mail containing an RTF payload that would allow them to gain access to execute commands within the application used to open the malicious file,” Microsoft shared.
A few Microsoft Exchange Server RCE bugs require the attacker to authenticate before exploitation, but given attackers’ predilection for targeting Exchange servers, admins should also prioritize those patches.