Yet another Patch Tuesday has rolled out, addressing a total of 97 security vulnerabilities in various Microsoft products.
April 2023 Patch Tuesday: What Has Been Patched?
This Tuesday, Microsoft released a set of 97 security updates to address various flaws impacting its software products, one of which is being used in ransomware attacks. Of those 97, seven are rated Critical, 90 Important, and 45 are remote code execution flaws.
In the past month, Microsoft also fixed 26 vulnerabilities in its Edge browser. The actively exploited flaw is CVE-2023-28252 (CVSS score: 7.8), a privilege escalation bug in the Windows Common Log File System (CLFS) Driver. Exploiting this vulnerability would allow an attacker to gain SYSTEM privileges, and it is the fourth privilege escalation flaw in the CLFS component that has been abused in the past year after CVE-2022-24521, CVE-2022-37969, and CVE-2023-23376 (CVSS scores: 7.8). Since 2018, at least 32 vulnerabilities have been identified in CLFS.
CVE-2023-28252 Exploited by Ransomware
According to Kaspersky, a cybercrime group has taken advantage of CVE-2023-28252, an out-of-bounds write vulnerability that is triggered when the base log file is manipulated, to deploy Nokoyawa ransomware against small and medium-sized businesses in the Middle East, North America, and Asia.
This group is known for its extensive use of various, yet related, Common Log File System (CLFS) driver exploits, Kaspersky said. Evidence suggests that the same exploit author was responsible for their development. Since June 2022, five different exploits have been identified as being used in attacks on retail and wholesale, energy, manufacturing, healthcare, software development and other industries. Using the CVE-2023-28252 zero-day, this group attempted to deploy the Nokoyawa ransomware as the final payload.
As a result of these attacks, the Cybersecurity and Infrastructure Security Agency (CISA) has added the Windows zero-day to its Known Exploited Vulnerabilities (KEV) catalog, and has ordered Federal Civilian Executive Branch (FCEB) agencies to apply security measures to their systems by May 2, 2023.
Other Fixed Flaws
A number of other critical remote code execution issues have also been addressed, including vulnerabilities impacting the DHCP Server Service, Layer 2 Tunneling Protocol, Raw Image Extension, Windows Point-to-Point Tunneling Protocol, Windows Pragmatic General Multicast, and Microsoft Message Queuing (MSMQ). Among the vulnerabilities patched is CVE-2023-21554 (CVSS score: 9.8), dubbed QueueJumper by Check Point, which could allow an attacker to send a specially crafted malicious MSMQ packet to an MSMQ server and gain control of the process, executing code without authorization. In addition, two other MSMQ-related flaws, CVE-2023-21769 and CVE-2023-28302 (CVSS scores: 7.5), can be exploited to cause denial-of-service (DoS) conditions like service crashes and Windows Blue Screen of Death (BSoD).
What Is Patch Tuesday?
On the second Tuesday of each month, Microsoft releases security and other software patches for its products. This is known as “Patch Tuesday” or “Update Tuesday” or “Microsoft Tuesday”. It is an important part of Microsoft’s security plan, as it helps users remain up-to-date with the newest security fixes and updates.