On February 14th, 2023, Microsoft released a patch for multiple vulnerabilities including CVE-2023-21715, CVE-2023-23376, and CVE-2023-21823. The first, CVE-2023-21715, can enable an attacker to bypass a Microsoft Publisher security policy that disables macros by default. In the case of a successful social engineering or phishing attack, this would let attackers use that machine as an initial foothold in an environment to then spread from. The second vulnerability, CVE-2023-23376, was uncovered by the Microsoft Security Intelligence Center (MSTIC). This vulnerability can be used to gain SYSTEM privileges and could be used in tandem with an RCE exploit to gain complete control over a machine. Finally, CVE-2023-21823, which was found by security researchers at Mandiant, exploits a graphical component for remote code execution. The exploit for this vulnerability has a low level of complexity, and while a proof-of-concept is not yet public, it could allow for an attacker to takeover an unpatched machine.
Analyst Notes
Due to the risks involved with these vulnerabilities, these updates should be tested and pushed to production environments as soon as policies allow. These attacks require initial access to be effective, and phishing emails are the most prominent method of gaining that first foothold. Ensuring that users know the risks of phishing emails and how to detect them can help protect an organization. Remote Code Execution and Privilege Escalation vulnerabilities are inevitable with the increasing complexity of modern IT systems, but a mature information security program can help ensure business continuity in the worst-case scenario.
Microsoft patches three exploited zero-days (CVE-2023-21715, CVE-2023-23376, CVE-2023-21823)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21823
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23376
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21715
