Microsoft released its monthly security update on Tuesday, disclosing 73 vulnerabilities. Of these, 8 are classified as “Critical,” 64 as “Important,” and one as “Moderate.”

According to Microsoft, none of the vulnerabilities had been publicly disclosed before Patch Tuesday, and only three were seen exploited in the wild. The most serious of these is CVE-2023-21823, a Windows Graphics Component Remote Code Execution Vulnerability, followed by CVE-2023-21715, a Microsoft Publisher Security Features Bypass Vulnerability which we describe below, and CVE-2023-23376, a local Windows Common Log File System Driver Elevation of Privilege Vulnerability.

Three of the “Critical” vulnerabilities, which Microsoft considers “more likely” to be exploited, are CVE-2023-21689, CVE-2023-21690 and CVE-2023-21692. These are remote code execution (RCE) vulnerabilities in the Microsoft Protected Extensible Authentication Protocol (PEAP). As an authenticated user, an attacker could attempt to trigger malicious code in the context of the server's account through a network call. Almost all Windows versions are vulnerable, including the latest Windows 11.

According to Microsoft, the other “Critical” vulnerabilities are “less likely” to be exploited. CVE-2023-21716 is a critical Microsoft Word Remote Code Execution Vulnerability which allows an unauthenticated attacker to execute commands within the application used to open the malicious file.

Developers are at risk from CVE-2023-21808, a .NET and Visual Studio Remote Code Execution Vulnerability, and CVE-2023-21815, also a Visual Studio Remote Code Execution Vulnerability. Both can lead to arbitrary code execution (ACE).

The last “Critical” vulnerability we want to mention is CVE-2023-21803. The vulnerability exists in the way the Microsoft iSCSI Discovery Service handles certain requests. An attacker might be able to send a specially crafted malicious DHCP discovery request to the iSCSI Discovery Service on 32-bit machines.

The “Important”-rated Microsoft Office Security Feature Bypass Vulnerability CVE-2023-21715 is one we want to highlight. It allows an attacker to bypass the Mark of the Web (MoTW) policy, which normally blocks macro execution for documents originating from the internet. The attacker would have to entice the user into opening a malicious file in Microsoft Publisher. We highly recommend that users never open anything they do not know or trust to be safe.

Talos would also like to highlight the following “Important” Remote Code Execution vulnerabilities affecting Microsoft Exchange Server.

  • CVE-2023-21529 - Attack complexity low; attacker needs to be an authenticated user
  • CVE-2023-21706 - Attack complexity low; attacker needs to be an authenticated user
  • CVE-2023-21707 - Attack complexity low; attacker needs to be an authenticated user
  • CVE-2023-21710 - Attack complexity low; attacker needs to be an authenticated administrator

There are more vulnerabilities marked as “Important” in the Microsoft advisory, including ones affecting Windows Kerberos, Active Directory and other services. A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 57907, 61312-61315, 61320, 61321, 61357, 61359. For Snort 3, the following rules are also available to protect against these vulnerabilities: 300416, 300417, 300420, 300438, 300439.
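A quick way to confirm that a local rule set actually contains the SIDs listed above is to expand the ranges in the list and compare them against the `sid:` values of the active (non-commented) rules. The script below is an added example, not Talos or Snort code; the rules file it reads is a constructed sample whose rule bodies are placeholders, and `coverage_report` returns the SIDs that are present and those still missing.

```python
import re

# SIDs named in the release notes above (Snort 2 and Snort 3 lists).
SNORT2_SIDS = "57907, 61312-61315, 61320, 61321, 61357, 61359"
SNORT3_SIDS = "300416, 300417, 300420, 300438, 300439"

# Constructed sample of a local rules file; rule bodies are placeholders, not real Talos rules.
SAMPLE_RULES = """\
# local snapshot of the rule set
alert tcp any any -> $HOME_NET 443 (msg:"SERVER-OTHER placeholder"; sid:57907; rev:3;)
alert tcp any any -> $HOME_NET 443 (msg:"OS-WINDOWS placeholder"; sid:61312; rev:1;)
# alert tcp any any -> $HOME_NET 443 (msg:"OS-WINDOWS placeholder disabled"; sid:61313; rev:1;)
alert tcp any any -> $HOME_NET 443 (msg:"OS-WINDOWS placeholder"; sid:61314; rev:1;)
alert tcp any any -> $HOME_NET 443 (msg:"FILE-OFFICE placeholder"; sid:300416; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def expand_sid_list(spec):
    """Turn '57907, 61312-61315' into a set of ints, expanding N-M ranges inclusively."""
    sids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            sids.update(range(lo, hi + 1))
        else:
            sids.add(int(part))
    return sids


def loaded_sids(rules_text):
    """Return SIDs of active rules; lines commented out with '#' count as disabled."""
    active = set()
    for line in rules_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = SID_RE.search(line)
        if match:
            active.add(int(match.group(1)))
    return active


def coverage_report(expected_spec, rules_text):
    """Return (present, missing) SID sets for the expected list against the rules file."""
    expected = expand_sid_list(expected_spec)
    present = expected & loaded_sids(rules_text)
    return present, expected - present


if __name__ == "__main__":
    for label, spec in (("Snort 2", SNORT2_SIDS), ("Snort 3", SNORT3_SIDS)):
        present, missing = coverage_report(spec, SAMPLE_RULES)
        print(f"{label}: {len(present)} present, missing {sorted(missing)}")
```

Point `SAMPLE_RULES` at the contents of your own `.rules` files to check a real deployment; a SID that is missing or commented out means that vulnerability has no active coverage.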