High Threat Security Alert (A23-02-13): Multiple Vulnerabilities in Microsoft Products (February 2023)


 

Published on: 15 February 2023

  
  

Description:

Microsoft has released security updates addressing multiple vulnerabilities which affect several Microsoft products or components. The list of security updates can be found at:
https://msrc.microsoft.com/update-guide/releaseNote/2023-Feb

Reports indicated that the vulnerabilities (CVE-2023-21715, CVE-2023-21823 and CVE-2023-23376) in Microsoft Windows and Server as well as Microsoft Office are being exploited in the wild. In addition, multiple remote code execution vulnerabilities (CVE-2023-21689, CVE-2023-21690, CVE-2023-21692, CVE-2023-21716 and CVE-2023-21803) are also at a high risk of exploitation. System administrators and users are advised to take immediate action to patch your affected systems to mitigate the elevated risk of cyber attacks.

 

Affected Systems:

  • Microsoft Windows 10, 11
  • Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 2022
  • Microsoft Exchange Server 2013, 2016, 2019
  • Microsoft Office 2019 for Mac, LTSC 2021, LTSC for Mac 2021
  • Microsoft Office for Android, for iOS, for Universal
  • Microsoft Office Online Server
  • Microsoft Office Web Apps Server 2013
  • Microsoft Word 2013, 2013 RT, 2016
  • Microsoft 365 Apps for Enterprise
  • Microsoft Dynamics 365 (on-premises) version 9.0, 9.1
  • Microsoft Dynamics 365 Unified Service Desk
  • Microsoft SharePoint Foundation 2013
  • Microsoft SharePoint Enterprise Server 2013, 2016
  • Microsoft SharePoint Server 2019, Subscription Edition
  • SharePoint Server Subscription Edition Language Pack
  • Microsoft SQL Server 2014, 2016, 2017, 2019, 2022
  • Microsoft Visual Studio 2017, 2019, 2022
  • Microsoft .NET Framework 2.0, 3.0, 3.5, 3.5.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8, 4.8.1
  • .NET 6.0, 7.0
  • Azure App Service on Azure Stack Hub
  • Azure Data Box Gateway
  • Azure DevOps Server 2020.1.2, 2022
  • Azure Machine Learning
  • Azure Stack Edge
  • Microsoft Defender for IoT
  • Microsoft Defender Security Intelligence Updates
  • Microsoft OneNote for Android
  • Power BI Report Server January 2023
  • HoloLens 1
  • Print 3D
  • 3D Builder

 

Impact:

Depending on the vulnerability exploited, a successful attack could lead to remote code execution, denial of service, elevation of privilege, information disclosure, security feature bypass and spoofing.

 

Recommendation:

Patches for affected products are available from the Windows Update / Microsoft Update Catalog. System administrators and users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

 

More Information:

  • https://msrc.microsoft.com/update-guide/releaseNote/2023-Feb
  • https://www.hkcert.org/security-bulletin/microsoft-monthly-security-update-february-2023
  • https://www.cisa.gov/uscert/ncas/current-activity/2023/02/14/microsoft-releases-february-2023-security-updates
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15126
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23521
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21528 (to CVE-2023-21529)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21553
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21564
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21566 (to CVE-2023-21568)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21570 (to CVE-2023-21573)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21684 (to CVE-2023-21695)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21697
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21699 (to CVE-2023-21707)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21710
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21713 (to CVE-2023-21718)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21721 (to CVE-2023-21722)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21777 (to CVE-2023-21778)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21797 (to CVE-2023-21809)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21811 (to CVE-2023-21813)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21815 (to CVE-2023-21820)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21822 (to CVE-2023-21823)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23376 (to CVE-2023-23379)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23381 (to CVE-2023-23382)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23390
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41953


Tag: Microsoft , Windows , Windows Server , Exchange Server , Microsoft Office , Office Online Server , Microsoft Office Web Apps , Word , Microsoft 365 Apps , Dynamics 365 , SharePoint , SQL Server , Visual Studio , .NET Framework , .NET , Azure App Service , Azure Data Box Gateway , Azure DevOps Server , Azure Machine Learning , Azure Stack Edge , Microsoft Defender , OneNote , Power BI Report , HoloLens , Print 3D , 3D Builder
Tags