Microsoft patches three exploited zero-days (CVE-2023-21715, CVE-2023-23376, CVE-2023-21823)
2023-02-14 19:28

The February 2023 Patch Tuesday is upon us, with Microsoft releasing patches for 75 CVE-numbered vulnerabilities, including three actively exploited zero-day flaws.

"The attack itself is carried out locally by a user with authentication to the targeted system. An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer," Microsoft explains.

"The Microsoft Store will automatically update affected customers," Microsoft says.

Microsoft did not share any details about the attacks in which these vulnerabilities are being exploited.

Childs advises admins to quickly patch CVE-2023-21716, a critical RCE in Microsoft Word that can be exploited when the system simply opens the Preview Pane.

A few Microsoft Exchange Server RCE bugs require the attacker to authenticate before exploitation, but given attackers' predilection for targeting Exchange servers, admins should also prioritize those patches.


News URL

https://www.helpnetsecurity.com/2023/02/14/microsoft-patches-three-exploited-zero-days-cve-2023-21715-cve-2023-23376-cve-2023-21823/

Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
2023-02-14 | CVE-2023-21716 | Unspecified vulnerability in Microsoft products: Microsoft Word Remote Code Execution Vulnerability (network, low complexity, microsoft) | critical, 9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 689 812 4559 4231 3712 13314