Microsoft Targets 97 Flaws in April Security Update
Tuesday saw the release of this month's Microsoft security update, featuring fixes for 97 flaws, including one zero-day vulnerability that is already being exploited.
As with every month, IT should prioritize the zero-day fix first. CVE-2023-28252 addresses an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver that allows a local attacker to gain SYSTEM privileges. While details of the flaw have not been publicly disclosed, Microsoft reports that attackers are exploiting it in the wild.
If this month's CLFS fix looks familiar, it might be because Microsoft issued a zero-day patch for the same component in February. While the technical details of the two vulnerabilities have not been disclosed, security expert Dustin Childs of Zero Day Initiative says he believes this month's CLFS item addresses a bypass of February's fix.
"This is the one bug under active attack this month, and if it seems familiar, that's because there was a similar 0-day patched in the same component just two months ago," wrote Childs in a blog post. "To me, that implies the original fix was insufficient and attackers have found a method to bypass that fix."
Security experts at Kaspersky say the primary group they have observed exploiting this CLFS flaw is a sophisticated cybercriminal group that deploys Nokoyawa ransomware. A financially motivated group using a zero-day, rather than an advanced persistent threat (APT), is unusual, according to the company.
"We see a significantly increasing level of sophistication among cybercriminal groups," wrote Kaspersky's Boris Larin in a blog post. "We don't often see APTs using zero-day exploits in their attacks, and now there are financially motivated cybercriminal groups that have the resources to acquire exploits for unknown vulnerabilities and routinely use them in attacks."
Microsoft has not commented on whether the group spotted by Kaspersky is the only one currently exploiting the flaw.
Once IT has applied this month's zero-day fix, attention should turn to April's seven "critical" rated bulletins, headed by a Microsoft Message Queuing (MSMQ) remote code execution vulnerability (CVE-2023-21554) that carries a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10.
Microsoft said that an unauthenticated attacker could execute code on a targeted system by sending a "specially crafted malicious MSMQ packet to a MSMQ server." Microsoft has not yet seen this hole exploited in the wild, but the high CVSS rating reflects that it is reachable over the network with no authentication or user interaction, so unpatched, exposed servers should be treated as urgent. Microsoft also said that disabling the Windows Message Queuing service mitigates the vulnerability on systems that cannot be patched immediately, at the cost of breaking any application that depends on MSMQ.
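The following PowerShell script is an added example, not code from the article or from Microsoft. It inventories whether the MSMQ service is installed, running and listening, and, only when invoked with -Disable, applies the interim mitigation described above. It assumes the default service name MSMQ and the default MSMQ TCP port 1801 (the port is not mentioned on this page) and an elevated PowerShell session.

```powershell
# Added example (not from the original article or from Microsoft): inventory the
# Message Queuing (MSMQ) service on a host and, when asked, disable it as the
# interim mitigation for CVE-2023-21554 until the April update is installed.
# Assumptions: service name 'MSMQ' and TCP port 1801 are the MSMQ defaults
# (port 1801 is not stated on the page); run in an elevated PowerShell session.
param(
    [switch]$Disable   # pass -Disable to actually stop and disable the service
)

function Get-MsmqExposure {
    $svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        ServicePresent = [bool]$svc
        ServiceStatus  = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        StartupType    = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        Port1801Listen = [bool]$listener
    }
}

$state = Get-MsmqExposure
$state | Format-List

if (-not $state.ServicePresent) {
    Write-Host "MSMQ is not installed; CVE-2023-21554 is not reachable on this host."
    return
}

if ($state.Port1801Listen) {
    Write-Warning "MSMQ is listening on TCP 1801; an unpatched host is remotely reachable."
}

if ($Disable) {
    # Stopping the service removes the listener; disabling it keeps it off after reboot.
    # Applications that depend on MSMQ will fail until it is re-enabled after patching.
    Stop-Service -Name MSMQ -Force
    Set-Service -Name MSMQ -StartupType Disabled
    Write-Host "MSMQ stopped and disabled. Re-enable after patching with:"
    Write-Host "  Set-Service -Name MSMQ -StartupType Automatic; Start-Service -Name MSMQ"
} else {
    Write-Host "Run again with -Disable to stop and disable MSMQ on this host."
}
```

Run it once without -Disable to get an inventory you can collect across a fleet (for example via Invoke-Command), then apply -Disable only on hosts where nothing depends on MSMQ; the mitigation is a stopgap, and the April update remains the real fix.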
The remaining six April critical bulletin items include:
- CVE-2023-28250: Remote code execution vulnerability in Windows Pragmatic General Multicast (PGM).
- CVE-2023-28232: Remote code execution vulnerability in the Windows Point-to-Point Tunneling Protocol (PPTP).
- CVE-2023-28291: Remote code execution vulnerability in the Windows Raw Image Extension.
- CVE-2023-28220: Remote code execution vulnerability in the Windows Layer 2 Tunneling Protocol (L2TP).
- CVE-2023-28219: Remote code execution vulnerability in the Windows Layer 2 Tunneling Protocol (L2TP).
- CVE-2023-28231: Remote code execution vulnerability in the DHCP Server Service.
The full list of this month's bulletins can be found here.