Security News > 2023 > February > Microsoft patches three exploited zero-days (CVE-2023-21715, CVE-2023-23376, CVE-2023-21823)

The February 2023 Patch Tuesday is upon us, with Microsoft releasing patches for 75 CVE-numbered vulnerabilities, including three actively exploited zero-day flaws.

"The attack itself is carried out locally by a user with authentication to the targeted system. An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer," Microsoft explains.

"The Microsoft Store will automatically update affected customers," Microsoft says.

Microsoft did not share any details about the attacks in which these vulnerabilities are being exploited.

Childs advises admins to patch quickly CVE-2023-21716, a critical RCE in Microsoft Word that can be exploited by the system simply opening the Preview Pane.

A few Microsoft Exchange Server RCE bugs require the attacker to authenticate before exploitation, but given attackers' predilection for targeting Exchange servers, admins should also prioritize those patches.

News URL

https://www.helpnetsecurity.com/2023/02/14/microsoft-patches-three-exploited-zero-days-cve-2023-21715-cve-2023-23376-cve-2023-21823/