Microsoft's February Patch Tuesday Fixes 3 Zero-Days
Computing Giant Continues the Fight Against Malicious Macros
Microsoft, in its February monthly dump of fixes, is patching three actively exploited zero-day vulnerabilities, including one that coaxes users into downloading a file that bypasses Office security features preventing malicious macros from automatically executing.
In all, the computing giant pushed fixes for 77 vulnerabilities, nine of which the company classifies as "critical." The zero-days are classified as "important" and have CVSS ratings of 7.8 or less.
Microsoft has fought a near-constant rearguard action against hackers who exploit the Office suite's ability to execute scripts. Security researcher and former Microsoft employee Kevin Beaumont in 2021 called macros "one of the single largest cybersecurity issues" facing Office customers and a common gateway to ransomware. After years of pressure, Microsoft in 2022 began by default to block macros from executing in documents downloaded from the internet. Hackers have responded by looking for ways around the macro block - including through the vulnerability patched this month, designated as CVE-2023-21715.
The attack requires an authenticated user to download and open "a specially crafted file," allowing the attacker to bypass Office macro policies used to block untrusted or malicious files, Microsoft says.
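Because the bypass described above only matters on hosts where the internet macro block is the control being relied on, a defender's first question is whether that control is actually enforced and whether downloaded files still carry the Mark of the Web that triggers it. The following PowerShell audit is an added example, not code from the article, Microsoft or the quoted researchers. It assumes an Office 2016-or-later registry layout (version key "16.0"), uses the "blockcontentexecutionfrominternet" policy value and the NTFS "Zone.Identifier" stream as the author understands them, and takes a placeholder file path that you would replace with a real download.

```powershell
# Added example (not from the article): audit the "block macros from the
# Internet" control per Office application and check a downloaded file for
# its Mark of the Web. Assumes Office 16.0 registry paths; the policy value
# name and the Zone.Identifier stream are used as the author understands them.

param(
    # Placeholder path; point this at a file that arrived from the internet.
    [string]$FilePath = "$env:USERPROFILE\Downloads\sample.docm"
)

$apps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio'
foreach ($app in $apps) {
    # A Group Policy-managed value takes precedence over the user's own setting,
    # so check the Policies hive first.
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
    $value  = $null
    $source = $null
    foreach ($key in $policyKey, $userKey) {
        $v = Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue
        if ($v) {
            $value  = $v.blockcontentexecutionfrominternet
            $source = $key
            break
        }
    }
    switch ($value) {
        1       { "$app : internet macros BLOCKED (set in $source)" }
        0       { "$app : internet macros ALLOWED by explicit override in $source" }
        default { "$app : no explicit setting; relies on Microsoft's default block" }
    }
}

# Mark of the Web: a file downloaded from the internet carries a
# Zone.Identifier alternate data stream. ZoneId=3 is Internet, ZoneId=4 is
# Restricted Sites; the macro block keys off this marker, so a file that lost
# it (for example by being extracted from a container that does not propagate
# the stream) is not treated as an internet file.
if (Test-Path -LiteralPath $FilePath) {
    $motw = Get-Content -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($motw -match 'ZoneId=[34]') {
        "$FilePath : Mark of the Web present; subject to the internet macro block"
    } else {
        "$FilePath : NO Mark of the Web; Office will not treat it as an internet file"
    }
} else {
    "$FilePath : file not found (placeholder path; supply a real download)"
}
```

Run it as the user whose Office settings you want to audit, since both keys live under HKCU. An "ALLOWED by explicit override" line or a downloaded file without a Zone.Identifier stream is the finding worth chasing: in either case the control the article describes is not in play for that user or that file.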
"It sounds more like a privilege escalation than a security feature bypass but, regardless, active attacks in a common enterprise application shouldn't be ignored. It's always alarming when a security feature is not just bypassed but exploited," said Dustin Childs, a security analyst at the Zero Day Initiative, a software vulnerability initiative run by cybersecurity firm Trend Micro.
Security experts say they're also highly concerned about CVE-2023-21823, a remote code execution vulnerability that affects the Windows Graphics Component.
"If exploited, the vulnerability in the Windows OS could allow the attacker to gain system privileges. For the apps, the exploit could lead to remote code execution. Windows customers are urged to update to the latest OS version," said Chris Goettl, vice president of product management at IT and security automation services provider Ivanti.
The final actively exploited vulnerability, tracked as CVE-2023-23376, is an elevation of privilege flaw in the Windows Common Log File System Driver. An attacker who can exploit it from code already running on the machine can use it to take over the system.
Microsoft also patched an Exchange server flaw tracked as CVE-2023-21529 that has a CVSS risk score of 8.8.
Adam Barnett, Rapid7 lead software engineer, said this is the first Patch Tuesday after the end of Extended Security Updates for Windows 8.1 and warned admins responsible for Windows Server 2008 instances to note that ESU for Windows Server 2008 is now only available for instances hosted in Azure or on-premises instances hosted via Azure Stack.
"Instances of Windows Server 2008 hosted in a non-Azure context will no longer receive security updates, so will forever remain vulnerable to any new vulnerabilities, including the two zero-days covered above," Barnett said.