75 CVEs addressed through the 2023 February Patch Tuesday
- Microsoft has released the February 2023 batch of security updates.
- This month, the tech giant addressed a total of 75 vulnerabilities.
- Out of the 75, nine are rated Critical and 66 are rated Important.
Valentine’s Day is upon us, but not everything comes down to flowers and chocolates. There are those who eagerly await Microsoft’s Patch Tuesday rollout/
And, as you know, it’s the second Tuesday of the month, which means that Windows users are looking towards the tech giant in hopes that some of the flaws they’ve been struggling with will finally get fixed.
We have already taken the liberty of providing the direct download links for the cumulative updates released today for Windows 7, 8.1, 10, and 11, but now it’s time to talk CVEs again.
For February, Microsoft released 75 new patches, which is still more than some people were expecting for the second month of 2023.
These software updates address CVEs in:
- Windows and Windows components
- Office and Office Components
- Exchange Server
- .NET Core and Visual Studio Code
- 3D Builder and Print 3D
- Microsoft Azure and Dynamics 365
- Defender for IoT and the Malware Protection Engine
- Microsoft Edge (Chromium-based)
You probably want to know more on the matter, so let’s dive right into it and see what all the fuss is about this month.
Microsoft released 75 new important security patches
January 2023 was a pretty packed month in terms of security patches, so developers decided to take a breather and release fewer updates.
You might like to know that, out of the 75 new CVEs released, only nine are rated Critical and 66 are rated Important in severity by security experts.
Furthermore, keep in mind that this is one of the largest volumes we’ve seen from Microsoft for a February release in quite some time.
We have to say that it is a bit unusual to see half of the Patch Tuesday release address remote code execution (RCE) bugs.
Remember that none of the new CVEs released this month are listed as publicly known, but there are two bugs listed as being exploited in the wild at the time of release.
That being said, let’s take a closer look at some of the more interesting updates for this month, starting with the bugs under active attack.
| CVE | Title | Severity | CVSS | Public | Exploited | Type |
| CVE-2023-21715 | Microsoft Office Security Feature Bypass Vulnerability | Important | 7.3 | No | Yes | SFB |
| CVE-2023-23376 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2023-21808 | .NET and Visual Studio Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
| CVE-2023-21689 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-21690 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-21692 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-21718 | Microsoft SQL ODBC Driver Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2023-21716 | Microsoft Word Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-23381 | Visual Studio Code Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
| CVE-2023-21815 | Visual Studio Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
| CVE-2023-21803 | Windows iSCSI Discovery Service Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-21722 | .NET Denial of Service Vulnerability | Important | 4.7 | No | No | DoS |
| CVE-2023-23377 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-23390 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21777 | Azure App Service on Azure Stack Hub Elevation of Privilege Vulnerability | Important | 8.7 | No | No | EoP |
| CVE-2023-21703 | Azure Data Box Gateway Remote Code Execution vulnerability | Important | 6.5 | No | No | RCE |
| CVE-2023-21564 | Azure DevOps Server Cross-Site Scripting Vulnerability | Important | 7.1 | No | No | XSS |
| CVE-2023-21553 | Azure DevOps Server Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2023-23382 | Azure Machine Learning Compute Instance Information Disclosure Vulnerability | Important | Unknown | No | No | Info |
| CVE-2023-21687 | HTTP.sys Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-21809 | Microsoft Defender for Endpoint Security Feature Bypass Vulnerability | Important | 7.8 | No | No | SFB |
| CVE-2023-23379 | Microsoft Defender for IoT Elevation of Privilege Vulnerability | Important | 6.4 | No | No | EoP |
| CVE-2023-21807 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 5.8 | No | No | XSS |
| CVE-2023-21570 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 5.4 | No | No | XSS |
| CVE-2023-21571 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 5.4 | No | No | XSS |
| CVE-2023-21572 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 6.5 | No | No | XSS |
| CVE-2023-21573 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 5.4 | No | No | XSS |
| CVE-2023-21778 | Microsoft Dynamics Unified Service Desk Remote Code Execution | Important | 8.3 | No | No | RCE |
| CVE-2023-21706 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21710 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
| CVE-2023-21707 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21529 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21704 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21797 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21798 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21714 | Microsoft Office Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-21721 | Microsoft OneNote Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
| CVE-2023-21693 | Microsoft PostScript Printer Driver Information Disclosure | Important | 5.7 | No | No | Info |
| CVE-2023-21684 | Microsoft PostScript Printer Driver Remote Code Execution | Important | 8.8 | No | No | RCE |
| CVE-2023-21801 | Microsoft PostScript Printer Driver Remote Code Execution | Important | 7.8 | No | No | RCE |
| CVE-2023-21701 | Microsoft Protected Extensible Authentication Protocol (PEAP) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-21691 | Microsoft Protected Extensible Authentication Protocol (PEAP) Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
| CVE-2023-21695 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2023-21717 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2023-21568 | Microsoft SQL Server Integration Service (VS extension) Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
| CVE-2023-21705 | Microsoft SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21713 | Microsoft SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21528 | Microsoft SQL Server Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21799 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21685 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21686 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21688 | NT OS Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21806 | Power BI Report Server Spoofing Vulnerability | Important | 8.2 | No | No | Spoofing |
| CVE-2023-23378 | Print 3D Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21567 | Visual Studio Denial of Service Vulnerability | Important | 5.6 | No | No | DoS |
| CVE-2023-21566 | Visual Studio Installer Elevation of Privilege Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21816 | Windows Active Directory Domain Services API Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-21812 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21820 | Windows Distributed File System (DFS) Remote Code Execution Vulnerability | Important | 7.4 | No | No | RCE |
| CVE-2023-21694 | Windows Fax Service Remote Code Execution Vulnerability | Important | 6.8 | No | No | RCE |
| CVE-2023-21823 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21804 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21822 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21800 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21697 | Windows Internet Storage Name Service (iSNS) Server Information Disclosure Vulnerability | Important | 6.2 | No | No | Info |
| CVE-2023-21699 | Windows Internet Storage Name Service (iSNS) Server Information Disclosure Vulnerability | Important | 5.3 | No | No | Info |
| CVE-2023-21700 | Windows iSCSI Discovery Service Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-21811 | Windows iSCSI Service Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-21702 | Windows iSCSI Service Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-21817 | Windows Kerberos Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21802 | Windows Media Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21805 | Windows MSHTML Platform Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21813 | Windows Secure Channel Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-21819 | Windows Secure Channel Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-21818 | Windows Secure Channel Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2019-15126 * | MITRE: CVE-2019-15126 Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device | Medium | 3.1 | No | No | Info |
Note that there are three CVSS 9.8 bugs in Microsoft’s Protected Extensible Authentication Protocol (PEAP), but it doesn’t seem that this protocol is used much anymore.
Frankly, we find CVSS 9.8 bug in the iSCSI Discovery Service a lot more alarming, as data centers with storage area networks (SANs) should definitely check with their vendors to see if their SAN is impacted by the RCE vulnerability.
Please take into consideration the fact that the bug in SQL would require someone to connect to a malicious SQL server via ODBC.
There are no Print Spooler bugs getting fixed this month, but there are two bugs in the PostScript Printer Driver that could allow an authenticated attacker to take over a system sharing a printer.
Actually, there are quite a few fixes for SQL Server, and exploiting these would require an affected system to connect to a malicious SQL Server, typically through ODBC.
Experts say that, while that seems unlikely, they are worried about the various servicing scenarios between all the available versions of SQL Server.
We also have to mention the bug in Azure Data Box Gateway, which requires high privileges to exploit, but that’s not the case for Azure DevOps Server vulnerability.
To get access, an attacker only needs to have only Run access to the pipeline, but not every pipeline is vulnerable.
Unfortunately, the tech giant doesn’t provide information on how to distinguish the affected and non-affected pipelines.
The Dynamics bug does require authentication, an attacker might be able to call the target’s local files in the Resources directory and execute Windows commands that are outside of the Dynamics application.
There are also a couple of RCE bugs, but they do allow us to remind you the Fax Service is still a thing, so the final RCE bug is the lone Moderate-rated bug this month for Edge (Chromium-based).
Feel free to check each individual CVE and find out more about what it means, how it manifests, and what scenarios can malicious third parties use to exploit them.
Have you found any other issues after installing this month’s security updates? Share your experience with us in the comments section below.
