Security News > 2023 > February > Microsoft patches three exploited zero-days (CVE-2023-21715, CVE-2023-23376, CVE-2023-21823)
The February 2023 Patch Tuesday is upon us, with Microsoft releasing patches for 75 CVE-numbered vulnerabilities, including three actively exploited zero-day flaws.
"The attack itself is carried out locally by a user with authentication to the targeted system. An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer," Microsoft explains.
"The Microsoft Store will automatically update affected customers," Microsoft says.
Microsoft did not share any details about the attacks in which these vulnerabilities are being exploited.
Childs advises admins to patch quickly CVE-2023-21716, a critical RCE in Microsoft Word that can be exploited by the system simply opening the Preview Pane.
A few Microsoft Exchange Server RCE bugs require the attacker to authenticate before exploitation, but given attackers' predilection for targeting Exchange servers, admins should also prioritize those patches.
News URL
Related news
- Microsoft December 2024 Patch Tuesday fixes 1 exploited zero-day, 71 flaws (source)
- Microsoft fixes exploited zero-day (CVE-2024-49138) (source)
- Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws (source)
- Microsoft fixes actively exploited Windows Hyper-V zero-day flaws (source)
- 3 Actively Exploited Zero-Day Flaws Patched in Microsoft's Latest Security Update (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-02-14 | CVE-2023-21716 | Unspecified vulnerability in Microsoft products Microsoft Word Remote Code Execution Vulnerability | 9.8 |