Welcome to the Softcat Patch Tuesday roundup for April 2023, where we cover major patches released this month - focusing on Adobe, Apple, and Microsoft.
Microsoft Patch Tuesday
Microsoft released 100 new patches this month, addressing vulnerabilities across various products such as Microsoft Windows, Windows Components, Office, Office Components, Windows Defender, SharePoint Server, Windows Hyper-V, PostScript Printer, and Microsoft Dynamics. Among these patches, seven are rated Critical, and 90 are rated Important. Three of these, relating to the Edge browser, had previously been released as CVEs and have now been documented.
Outlined below are three of the more critical vulnerabilities detailed in this month's Patch Tuesday:
- CVE-2023-28252 – Windows Common Log File System Driver Elevation of Privilege Vulnerability: This is the only bug under active attack this month. It's an elevation of privilege vulnerability that attackers can exploit to take over a target completely. It's crucial to test and deploy this patch quickly to ensure system security.
- CVE-2023-21554 – Microsoft Message Queuing Remote Code Execution Vulnerability: This bug has a CVSS score of 9.8 and carries Microsoft's highest exploitability rating. It allows a remote, unauthenticated attacker to execute their code with elevated privileges on affected servers with the Message Queuing service enabled. The best course of action is to test and deploy the update as soon as possible.
- CVE-2023-28231 – DHCP Server Service Remote Code Execution Vulnerability: This vulnerability affects the DHCP Server Service and is exploited using specially crafted RPC calls. The vulnerability is considered Critical (8.8 CVSS) and should be patched immediately. The attack complexity is low, and no privileges or user interaction are required, meaning this could be easily leveraged; however, an attacker would need access to a restricted network to successfully exploit this vulnerability.
Adobe released six bulletins addressing 56 CVEs across Acrobat and Reader, Adobe Digital Editions, InCopy, Substance 3D Designer, Substance 3D Stager, and Adobe Dimension. The most crucial update is for Reader, which fixes 16 CVEs, with 14 of them potentially leading to arbitrary code execution. None of the bugs fixed this month are publicly known or under active attack at the time of release, and the updates carry a deployment priority rating of 3, although this does not mean that patching should be delayed.
Apple patched two bugs under active attack: CVE-2023-28205 (Use-After-Free vulnerability in WebKit) and CVE-2023-28206 (privilege escalation in the IOSurfaceAccelerator component). Both vulnerabilities can be found in macOS and iOS, with the UAF vulnerability also found in Safari. Although Apple doesn't explicitly state they were used in conjunction, they were reported by the same researchers at the same time, suggesting their combined use.
Cisco have released 18 security advisories with two CVEs rated Critical (CVE-2022-20812, CVE-2022-20813) and five rated High (CVE-2023-20121, CVE-2023-20122, CVE-2023-20117, CVE-2023-20128, CVE-2023-20102).