Microsoft Patches 97 CVEs, Including Zero-Day & Wormable Bugs

Published: 23/11/2024   Category: security




The April 2023 Patch Tuesday security update also included a reissue of a fix for a 10-year-old bug that a threat actor recently exploited in the supply chain attack on 3CX.



Microsoft's Patch Tuesday security update for April 2023 contains patches for 97 CVEs, including one zero-day bug under active exploit in ransomware attacks, another that's a reissue of a fix for a flaw from 2013 that a threat actor recently exploited in a supply chain attack on 3CX, and a wormable bug rated critical in severity.
Microsoft identified a total of seven of the bugs it fixed this month as being of critical severity, which typically means organizations need to make them a top priority from a patch implementation standpoint.
Nearly half, or 45, of the vulnerabilities in the April update enable remote code execution (RCE), a significant uptick from the average of 33 RCE bugs that Microsoft has reported in each of the previous three months. Even so, the company rated nearly 90% of the CVEs in the latest batch as bugs that cyberattackers are less likely to exploit — just 9% are characterized as flaws that threat actors are more likely to exploit.
The zero-day bug, tracked as CVE-2023-28252, is an elevation-of-privilege vulnerability in the Windows Common Log File System (CLFS) that affects all supported versions of Windows 10 and Windows Server. It is the second CLFS zero-day in recent months — the other was CVE-2022-37969 — and it gives adversaries who already have access to the platform a way to gain system-level privileges.
"This vulnerability leverages existing system access to actively exploit a device and is a result of how the CLFS driver interacts with objects in memory on a system," said Gina Geisel, a security researcher at Automox. "To exploit the flaw, an attacker would need to log in to a system and then execute a malicious binary to elevate privileges."
"Automox recommends patch deployment within 24 hours since this is an actively exploited zero-day," Geisel said in emailed comments to Dark Reading.
In a blog post issued in tandem with Microsoft's update, Kaspersky said its researchers had observed a threat actor exploiting CVE-2023-28252 to deliver Nokoyawa ransomware on systems belonging to small and midsized organizations in North America, the Middle East, and Asia. The security vendor's analysis shows that the exploits are similar to already-known driver exploits targeting CLFS.
"The exploit was highly obfuscated with more than 80% of its code being junk elegantly compiled into the binary," according to the analysis. Kaspersky researchers said they reported the bug to Microsoft after observing an adversary using it in ransomware attacks in February.
Another patch in Microsoft's April update that researchers are recommending organizations pay attention to is CVE-2013-3900, a 10-year-old signature validation vulnerability in the Windows WinVerifyTrust function. A threat actor — believed to be North Korea's Lazarus Group — recently exploited the flaw in a supply-chain attack on 3CX that resulted in malware landing on systems belonging to users of the company's video-conferencing software.
When Microsoft released the patch in 2013, the company decided to make it an opt-in patch because of the potential for the fix to cause problems for some organizations. With the April security update, Microsoft has made the fix available for more platforms and provided more recommendations for organizations on how to address the issue.
"Definitely take the time to review all of the recommendations, including the information on the Microsoft Trusted Root Program, and take the actions needed to protect your environment," Dustin Childs, researcher with Trend Micro's Zero Day Initiative (ZDI), said in a blog post.
Researchers identified two of the critical vulnerabilities in April's batch as needing immediate action. One of them is CVE-2023-21554. The bug affects Microsoft Message Queuing (MSMQ) technology and gives attackers a way to gain RCE by sending a specially crafted MSMQ packet to an MSMQ server. "The vulnerability affects Windows 10, 11, and Server 2008-2022 systems that have the message queuing feature enabled on their systems," Automox researcher Peter Pflaster said in emailed comments. Administrators should consider applying Microsoft's patch for the issue ASAP, since the company has noted that threat actors are more likely to exploit the vulnerability.
That's just one of two critical vulnerabilities affecting the Windows Message Queuing system that Microsoft fixed this week. The other is CVE-2023-28250, a vulnerability in Windows Pragmatic Multicast that, like CVE-2023-21554, has a base score of 9.8 and is potentially wormable.
"This Patch Tuesday MSFT fixed some critical flaws, of which we would recommend organizations prioritize patching those that are actively being exploited and wormable," said Bharat Jogi, director of vulnerability and threat research at Qualys.
The other critical vulnerability that needs immediate fixing is CVE-2023-28231, an RCE bug in the DHCP Server service. Microsoft has assessed the bug as another issue that attackers are more likely to try to weaponize. To exploit the bug, an attacker would need prior access to a network. But once on it, the adversary could initiate remote code execution on the DHCP server, according to Kevin Breen, director of cyber threat research at Immersive Labs.
"Microsoft recommends that DHCP services are not installed on Domain Controllers, however, smaller organizations will commonly see DC and DHCP services co-located. In this instance the impact could be a lot higher," Breen warned in emailed comments. Attackers that have control over DHCP servers could wreak considerable havoc on the network, including stealing credentials for software-as-a-service (SaaS) products or carrying out machine-in-the-middle (MITM) attacks, he noted.
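Three of the items above depend on host configuration rather than on the patch alone: the opt-in WinVerifyTrust fix (CVE-2013-3900), whether Message Queuing is enabled at all (CVE-2023-21554), and whether DHCP Server is co-located with a domain controller (CVE-2023-28231). The script below is an added triage example written for this article; it is not code from Dark Reading, Microsoft or the quoted vendors. The registry value EnableCertPaddingCheck, the MSMQ service name and its TCP port 1801, the DHCPServer service name and the Win32_ComputerSystem DomainRole codes are not mentioned in the article and come from Microsoft's documentation of those components.

```powershell
# Added example: per-host exposure triage for the April 2023 items discussed above.
# Run in an elevated PowerShell session; each function returns an object you can
# collect across a fleet (e.g. via Invoke-Command) rather than reading by eye.

function Test-CertPaddingCheck {
    # CVE-2013-3900: the WinVerifyTrust fix is opt-in and only active when
    # EnableCertPaddingCheck is the string "1". 64-bit hosts need both keys set.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
    )
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name EnableCertPaddingCheck `
                -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        [pscustomobject]@{ Check = 'CertPaddingCheck'; Key = $k; Enabled = ($v -eq '1') }
    }
}

function Test-MsmqExposure {
    # CVE-2023-21554: only hosts with Message Queuing installed are reachable.
    # The MSMQ service and a listener on TCP 1801 are the quick tell.
    $svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    $listener = @(Get-NetTCPConnection -LocalPort 1801 -State Listen `
                    -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Check           = 'MSMQ'
        Installed       = [bool]$svc
        Running         = ($null -ne $svc -and $svc.Status -eq 'Running')
        ListeningOn1801 = ($listener.Count -gt 0)
    }
}

function Test-DhcpOnDc {
    # CVE-2023-28231: DHCP Server on a domain controller raises the blast radius.
    # Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $dhcp = Get-Service -Name DHCPServer -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check              = 'DHCP-on-DC'
        IsDomainController = ($role -ge 4)
        DhcpInstalled      = [bool]$dhcp
        HighImpact         = (($role -ge 4) -and [bool]$dhcp)
    }
}

Test-CertPaddingCheck
Test-MsmqExposure
Test-DhcpOnDc
```

A host that reports Enabled = False for either key, Installed = True for MSMQ, or HighImpact = True for DHCP belongs at the front of the patch queue for this update.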
