Cyber Defense Advisors

Microsoft (& Apple) Patch Tuesday, April 2023 Edition

Microsoft today released software updates to plug 100 security holes in its Windows operating systems and other software, including a zero-day vulnerability that is already being used in active attacks. Not to be outdone, Apple has released a set of important updates addressing two zero-day vulnerabilities that are being used to attack iPhones, iPads and Macs.

On April 7, Apple issued emergency security updates to fix two weaknesses that are being actively exploited, including CVE-2023-28206, which can be exploited by apps to seize control over a device. CVE-2023-28205 can be used by a malicious or hacked website to install code.

Both vulnerabilities are addressed in iOS/iPadOS 16.4.1, iOS 15.7.5, and macOS 12.6.5 and 11.7.6. If you use Apple devices and you don’t have automatic updates enabled (they are on by default), you should probably take care of that soon as detailed instructions on how to attack CVE-2023-28206 are now public.

Microsoft’s bevy of 100 security updates released today include CVE-2023-28252, which is a weakness in Windows that Redmond says is under active attack. The vulnerability is in the Windows Common Log System File System (CLFS) driver, a core Windows component that was the source of attacks targeting a different zero-day vulnerability in February 2023.

“If it seems familiar, that’s because there was a similar 0-day patched in the same component just two months ago,” said Dustin Childs at the Trend Micro Zero Day Initiative. “To me, that implies the original fix was insufficient and attackers have found a method to bypass that fix. As in February, there is no information about how widespread these attacks may be. This type of exploit is typically paired with a code execution bug to spread malware or ransomware.”

According to the security firm Qualys, this vulnerability has been leveraged by cyber criminals to deploy Nokoyawa ransomware.

“This is a relatively new strain for which there is some open source intel to suggest that it is possibly related to Hive ransomware – one of the most notable ransomware families of 2021 and linked to breaches of over 300+ organizations in a matter of just a few months,” said Bharat Jogi, director of vulnerability and threat research at Qualys.

Jogi said while it is still unclear which exact threat actor is targeting CVE-2023-28252, targets have been observed in South and North America, regions across Asia and at organizations in the Middle East.

Satnam Narang at Tenable notes that CVE-2023-28252 is also the second CLFS zero-day disclosed to Microsoft by researchers from Mandiant and DBAPPSecurity (CVE-2022-37969), though it is unclear if both of these discoveries are related to the same attacker.

Seven of the 100 vulnerabilities Microsoft fixed today are rated “Critical,” meaning they can be used to install malicious code with no help from the user. Ninety of the flaws earned Redmond’s slightly less-dire “Important” label, which refers to weaknesses that can be used to undermine the security of the system but which may require some amount of user interaction.

Narang said Microsoft has rated nearly 90% of this month’s vulnerabilities as “Exploitation Less Likely,” while just 9.3% of flaws were rated as “Exploitation More Likely.” Kevin Breen at Immersive Labs zeroed in on several notable flaws in that 9.3%, including CVE-2023-28231, a remote code execution vulnerability in a core Windows network process (DHCP) with a CVSS score of 8.8.

“‘Exploitation more likely’ means it’s not being actively exploited but adversaries may look to try and weaponize this one,” Breen said. “Micorosft does note that successful exploitation requires an attacker to have already gained initial access to the network. This could be via social engineering, spear phishing attacks, or exploitation of other services.”

Breen also called attention to CVE-2023-28220 and CVE-2023-28219 — a pair of remote code execution vulnerabilities affecting Windows Remote Access Servers (RAS) that also earned Microsoft’s “exploitation more likely” label.

“An attacker can exploit this vulnerability by sending a specially crafted connection request to a RAS server, which could lead to remote code execution,” Breen said. While not standard in all organizations, RAS servers typically have direct access from the Internet where most users and services are connected. This makes it extremely enticing for attackers as they don’t need to socially engineer their way into an organization. They can simply scan the internet for RAS servers and automate the exploitation of vulnerable devices.”

For more details on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.

Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.