高危保安警報 (A23-02-13): Microsoft 產品多個漏洞 (2023年2月)

描述:

Microsoft 發布了安全性更新，以應對影響數個 Microsoft 產品或元件的多個漏洞。有關安全性更新的列表，請參考以下網址：
https://msrc.microsoft.com/update-guide/releaseNote/2023-Feb

有報告指 Microsoft Windows、Server 以及 Microsoft Office 的漏洞 (CVE-2023-21715、CVE-2023-21823 及 CVE-2023-23376) 正受到攻擊。另外，多個遠端執行程式碼漏洞 (CVE-2023-21689、CVE-2023-21690、CVE-2023-21692、CVE-2023-21716 及 CVE-2023-21803) 正處於被攻擊的高風險。系統管理員及用戶應立即為受影響的系統安裝修補程式，以減低受到網絡攻擊的風險。

受影響的系統:

• Microsoft Windows 10, 11
• Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 2022
• Microsoft Exchange Server 2013, 2016, 2019
• Microsoft Office 2019 for Mac, LTSC 2021, LTSC for Mac 2021
• Microsoft Office for Android, for iOS, for Universal
• Microsoft Office Online Server
• Microsoft Office Web Apps Server 2013
• Microsoft Word 2013, 2013 RT, 2016
• Microsoft 365 Apps for Enterprise
• Microsoft Dynamics 365 (on-premises) version 9.0, 9.1
• Microsoft Dynamics 365 Unified Service Desk
• Microsoft SharePoint Foundation 2013
• Microsoft SharePoint Enterprise Server 2013, 2016
• Microsoft SharePoint Server 2019, Subscription Edition
• SharePoint Server Subscription Edition Language Pack
• Microsoft SQL Server 2014, 2016, 2017, 2019, 2022
• Microsoft Visual Studio 2017, 2019, 2022
• Microsoft .NET Framework 2.0, 3.0, 3.5, 3.5.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8, 4.8.1
• .NET 6.0, 7.0
• Azure App Service on Azure Stack Hub
• Azure Data Box Gateway
• Azure DevOps Server 2020.1.2, 2022
• Azure Machine Learning
• Azure Stack Edge
• Microsoft Defender for IoT
• Microsoft Defender Security Intelligence Updates
• Microsoft OneNote for Android
• Power BI Report Server January 2023
• HoloLens 1
• Print 3D
• 3D Builder

影響:

成功利用這些漏洞可以導致遠端執行程式碼、服務被拒絕、權限提升、泄漏資訊、繞過保安功能及仿冒詐騙，視乎攻擊者利用哪個漏洞而定。

建議:

受影響產品的修補程式可在 Windows Update 或 Microsoft Update Catalog 獲取。受影響系統的系統管理員及用戶應遵從產品供應商的建議，立即採取行動以降低風險。

進一步資訊:

• https://msrc.microsoft.com/update-guide/releaseNote/2023-Feb
• https://www.hkcert.org/tc/security-bulletin/microsoft-monthly-security-update-february-2023
• https://www.cisa.gov/uscert/ncas/current-activity/2023/02/14/microsoft-releases-february-2023-security-updates
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15126
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23521
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21528 (to CVE-2023-21529)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21553
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21564
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21566 (to CVE-2023-21568)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21570 (to CVE-2023-21573)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21684 (to CVE-2023-21695)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21697
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21699 (to CVE-2023-21707)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21710
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21713 (to CVE-2023-21718)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21721 (to CVE-2023-21722)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21777 (to CVE-2023-21778)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21797 (to CVE-2023-21809)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21811 (to CVE-2023-21813)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21815 (to CVE-2023-21820)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21822 (to CVE-2023-21823)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23376 (to CVE-2023-23379)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23381 (to CVE-2023-23382)
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23390
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41953