Microsoft released a security update under patch Tuesday for April and fixed 97 vulnerabilities affecting various products, including a Windows zero-day bug that was exploited for ransomware attacks.
The Microsoft security updates contain fixes for the vulnerabilities that affected the following products:
- .NET Core
- Azure Machine Learning
- Azure Service Connector
- Microsoft Bluetooth Driver
- Microsoft Defender for Endpoint
- Microsoft Dynamics
- Microsoft Dynamics 365 Customer Voice
- Microsoft Edge (Chromium-based)
- Microsoft Graphics Component
- Microsoft Message Queuing
- Microsoft Office
- Microsoft Office Publisher
- Microsoft Office SharePoint
- Microsoft Office Word
- Microsoft PostScript Printer Driver
- Microsoft Printer Drivers
- Microsoft WDAC OLE DB provider for SQL
- Microsoft Windows DNS
- Visual Studio
- Visual Studio Code
- Windows Active Directory
- Windows ALPC
- Windows Ancillary Function Driver for WinSock
- Windows Boot Manager
- Windows Clip Service
- Windows CNG Key Isolation Service
- Windows Common Log File System Driver
- Windows DHCP Server
- Windows Enroll Engine
- Windows Error Reporting
- Windows Group Policy
- Windows Internet Key Exchange (IKE) Protocol
- Windows Kerberos
- Windows Kernel
- Windows Layer 2 Tunneling Protocol
- Windows Lock Screen
- Windows Netlogon
- Windows Network Address Translation (NAT)
- Windows Network File System
- Windows Network Load Balancing
- Windows NTLM
- Windows PGM
- Windows Point-to-Point Protocol over Ethernet (PPPoE)
- Windows Point-to-Point Tunneling Protocol
- Windows Raw Image Extension
- Windows RDP Client
- Windows Registry
- Windows RPC API
- Windows Secure Boot
- Windows Secure Channel
- Windows Secure Socket Tunneling Protocol (SSTP)
- Windows Transport Security Layer (TLS)
- Windows Win32K
Out of 97 vulnerabilities, 7 vulnerabilities are marked as ‘Critical.’ The following number of vulnerabilities has been fixed for the respective vulnerability categories.
- Remote Code Execution Vulnerabilities – 40
- Elevation of Privilege Vulnerabilities – 20
- Information Disclosure Vulnerabilities – 10
- Denial of Service Vulnerabilities – 9
- Security Feature Bypass Vulnerabilities – 8
- Spoofing Vulnerabilities – 6
Zero-Day Vulnerability: (CVE-2023-28252)
Microsoft fixed a critical Elevation privilege zero-day vulnerability that affected the Windows Common Log File System Driver.
Upon successfully exploiting this vulnerability, attackers gain the system privilege. Genwei Jiang discovered the vulnerability with Mandiant and Quan Jin with DBAPPSecurity WeBin Lab, Microsoft says.
CVE-2023-28252 is an out-of-bounds write (increment) vulnerability that can be exploited when the system attempts to extend the metadata block.
Also this particular zero-day was used by a sophisticated cybercrime group that carries out ransomware attacks, Kaspersky says.
MS Office & Word RCE Bugs Fixed
Microsoft fixed the following remote code execution vulnerabilities that affect MS Office and Word.
CVE-2023-28285 – A Remote code execution vulnerability that affects MS Office allows an attacker to trick users into running malicious files from the local machine to exploit the vulnerability. Also, Microsoft clarifies that it doesn’t mean arbitrary code, but the word Remote in the title refers to the attacker’s location.
CVE-2023-28295 & CVE-2023-28287 – A Microsoft Publisher remote code execution vulnerability lets hackers gain system access by tricking the users into executing the malicious code that sends via email and downloaded from a malicious website.
CVE-2023-28311 – Microsoft Word Remote Code Execution Vulnerability allows attackers to trick users into running malicious files from the local machine to exploit the vulnerability.
You can refer here to the complete patch details for the full list of resolved vulnerabilities and advisories in the April 2023 Patch.
Microsoft strongly recommended installing these security updates for all Windows users to avoid the security risk and protect your Windows.
Security Patch Update By Other Vendors:
Along with Microsoft security updates, Several other vendors of the following issues security updates for their respective products and services.
- Apple released security updates to fix two actively exploited zero-days in iOS and macOS.
- Cisco released security updates for multiple products.
- Mozilla – Mozilla Foundation Security Advisories
- Adobe – Fixed vulnerabilities that could affect specific versions of Adobe products
- Fortinet released security updates for multiple products.
- Google released the Android April 2023 and Google Chrome security updates.
- SAP has released its April 2023 Patch Day updates.
Looking For an All-in-One Multi-OS Patch Management Platform – Try Patch Manager Plus
- Microsoft Security Updates – 9 Critical Flaws Fixed Along With 3 Zero-Days
- Microsoft & Fortra to Take Down Malicious Cobalt Strike Servers
- Microsoft OneNote Security Blocks 120 File Extensions to Tighten Security
- Microsoft Introduces New GPT-4 Tool to The Cybersecurity Battlefield
- CISA Released a New Tool to Detect Hacking Activity in Microsoft Cloud Environments