Microsoft patches three zero days, 77 security vulnerabilities in February Patch Tuesday
Microsoft’s February update contains the largest number of fixes for SQL Server vulnerabilities in several years and nine 'critical' RCE flaws
Microsoft has issued fixes for three actively exploited zero-day vulnerabilities in its latest Patch Tuesday update, equalling the number fixed in January and December combined.
Patches have been issued for a total of 77 flaws in the latest batch of updates, nine of which were classified as ‘critical’ due to their potential to allow remote code execution.
Described as an “unusually significant” round by security experts, the raft of updates includes fixes for bugs affecting Microsoft Windows, .NET Framework, Microsoft Office, SQL Server, Exchange Server, HoloLens, and several Azure services.
“This is an unusually significant round, yet this release is crucial and overdue,” said Richard Hollis, CEO at Risk Crew.
“The ‘critical’ patches addressing remote code execution alone are essential given the dramatic increase in work-from-home users. But the three addressing the zero-day CVEs are mission-critical in today’s threat landscape,” he added.
SQL Server updates
A total of six CVEs affecting Microsoft SQL Server were resolved in the latest round of updates. This marked the largest number of fixes for SQL Server in several years, security experts noted.
One of these, CVE-2023-21718, was rated critical. Microsoft said an attacker could exploit this vulnerability by “tricking an unauthenticated user into attempting to connect to a malicious SQL server database via ODBC”.
“This could result in the database returning malicious data that might cause arbitrary code execution on the client,” the advisory warned.
Actively exploited vulnerabilities
Microsoft said it resolved a remote code execution vulnerability found in Windows Graphics Component. Tracked as CVE-2023-21823, this flaw has been actively exploited in the wild and affects Windows 10, Windows Server 2008, and later Windows editions.
The tech giant warned this vulnerability also affects Microsoft Office for iOS, Android, and 'Universal'.
If exploited, this vulnerability could allow an attacker to gain system privileges and execute commands, Microsoft said.
Security experts noted that the update for this vulnerability will be circulated via the Microsoft Store instead of via the usual process in the Windows Update catalogue.
As such, customers with automatic updates disabled on the Microsoft Store will have to act fast to patch.
The Windows Common Log File System Driver was also found to contain an actively exploited vulnerability, Microsoft confirmed in its advisory.
This escalation of privilege flaw was rated as ‘important’ and affects Windows 10, Server 2008, and later Windows editions. The flaw also enabled attackers to gain system privileges.
Chris Goettl, VP of security products at Ivanti, said an escalation of privilege vulnerability such as this could be “used in combination with other vulnerabilities in an attack chain” and advised businesses to patch immediately.
Meanwhile, a particularly concerning security feature bypass in Microsoft Publisher, tracked as CVE-2023-21715, has also been patched in this latest round of updates, the company confirmed.
Rated as ‘important’, this flaw affects Microsoft 365 apps for Enterprise and has been actively exploited in the wild, allowing an attacker to bypass Office macros policies used to block untrusted or malicious files.
“The attack itself is carried out locally by a user with authentication to the targeted system,” Microsoft said in its advisory.
“An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer.”

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

