Microsoft delivers 75-count box of patches for Valentine's Day
Adobe, SAP, Intel, AMD, Android also show up with bouquet of fixes
Patch Tuesday: Happy Patch Tuesday for February 2023, which falls on Valentine's Day.
Microsoft is showering love, maybe, on IT teams with some 75 security patches, nine of which are rated "critical" and 66 "important," and three of which Redmond says are under active exploitation.
Interestingly enough, the trio being taken advantage of aren't the most critical vulnerabilities Microsoft has addressed this month. Of the three being exploited, two have a base CVSS severity score of 7.8 out of 10, while the third scores just 7.3. Five of the other flaws, which earned a 9.8 CVSS score, are decidedly worse.
Those five aren't being actively exploited, though, while three less severe ones are.
The first vulnerability under active attack, spotted by Mandiant, is a remote code execution bug in the Windows Graphics Component that would allow a miscreant to execute commands with system-level permissions.
The second is a bug in the Windows Common Log File System Driver and would allow an attacker to elevate their access to gain system privileges. Microsoft didn't share any details about the issue, unfortunately, but with it under active exploitation it's a good idea to install those patches.
The third under active exploit is serious - it could allow an attacker to bypass Office macro security policies - but Microsoft's own explanation of the vulnerability undermines its potential danger.
The attack has to be carried out by a local user who's already authenticated, Microsoft said. If the authenticated attacker can convince a victim to download and open a malicious file then the security hole can be exploited, otherwise it's not going to happen.
Far more interesting is the CVSS 9.8 vulnerability in Microsoft Office through which an intruder can use the Outlook Preview Pane to launch a remote code execution attack using a malicious RTF file that would allow an intruder to "gain access to execute commands within the application used to open" the file.
There's also an iSCSI Discovery Service vulnerability, also rated a 9.8, that could let an attacker gain RCE privileges on any 32-bit machine they can find iSCSI DS running on.
The remaining three critical vulnerabilities are all in Microsoft's Protected Extensible Authentication Protocol, which Trend Micro's Zero Day Initiative noted isn't used much anymore.
"This volume is relatively typical for a February release. However, it is unusual to see half of the release address remote code execution bugs," said Dustin Childs, ZDI's head of threat awareness.
Adobe mixes mud for some not-so-serious holes
Adobe has patched practically everything it makes this month, but none of the 28 CVEs it identified over the nine products being updated has an active exploit, with the company rating each update as something that can be installed at IT admin discretion.
Top of the list was Adobe Bridge, which had seven issues necessitating patches, including out of bounds read/write and a stack-based buffer overflow that could lead to arbitrary code execution or a memory leak.
Next on the score card was Photoshop, which Adobe noted five vulnerabilities for: an improper input validation bug, two out-of-bounds write issues and a pair of out-of-bounds read problems. Of the five, four could be used to perform arbitrary code execution, while the fifth can lead to a memory leak. Updates to Premiere Rush were being pushed for the same reason.
FrameMaker is getting five vulnerabilities patched as well - all of which are similar to Photoshop's troubles aside from a use-after-free vulnerability, and four similar issues were found in After Effects, too.
Lastly, ZDI noted that Adobe Substance 3D was also getting a patch, but not for any CVEs - it's a patch to address third-party library issues.
The rest of the V-day PT-day crew
SAP issued 21 new security notes today, the worst of them being a CVSS 8.8 privilege escalation vulnerability in SAP Start Service. Fortunately, that particular vulnerability requires the attacker to be authenticated as a local user.
Several other February security patches were also issued in the past few days/weeks, like the February 6 Android Security Bulletin that addressed three CVEs, one in Pixel devices and the other two in Qualcomm components. The Pixel device vulnerability wasn't explained, with Google only saying a patch for the issue would be "contained in the latest binary drivers for Pixel devices available from the Google Developer site."
In Apple world, macOS Ventura 13.2.1, iPadOS 16.3.1, and iOS 16.3.1, plus Safari 16.3 for macOS Big Sur and Monterey, were released this month to address various bugs including an exploited-in-the-wild flaw in WebKit as well as a hole that apps could use to gain kernel privileges.
Intel needs its own box for its bugs...
Intel dumped more than 30 security advisories on the world today, with updates and mitigations for folks to install or follow. Here's a quick summary of them:
CVE-2022-41614: The Intel ON Event Series Android application may leak information.
CVE-2022-41314: Some Intel Network Adapter installer software may allow escalation of privilege.
CVE-2021-33104: The Intel One Boot Flash Utility (OFU) software may be exploited to stop it working properly.
CVE-2022-38090: Intel's SGX technology, which is supposed to safeguard code and data, can be exploited to leak data.
CVE-2022-36369: The QATzip component of Intel's QuickAssist Technology (QAT) can be abused to escalate privileges.
CVE-2022-38056: The Intel Endpoint Management Assistant (EMA) can be abused to escalate privileges.
CVE-2022-27234: The Computer Vision Annotation Tool (CVAT) software maintained by Intel may leak data.
CVE-2022-27808: Some Intel Ethernet Controller Administrative Tools drivers for Windows can be abused to escalate privileges.
CVE-2022-36382: Some Intel Ethernet Controllers and Adapters can be maliciously crashed.
CVE-2022-36397: Some Intel QuickAssist Technology (QAT) drivers can be exploited to elevate privileges.
CVE-2022-36416: Some Intel Ethernet VMware drivers can be exploited to elevate privileges.
CVE-2022-21163: The Crypto API Toolkit for Intel SGX can be exploited to elevate privileges.
CVE-2022-36287: The FPGA Crypto Service (FCS) Server software maintained by Intel can be crashed.
CVE-2022-33196: Some Intel Xeon Processors with SGX features can be exploited to elevate privileges.
Vulnerabilities in the Integrated Baseboard Management Controller (BMC) and OpenBMC firmware in some Intel platforms can be exploited to gain privileges or cause a denial of service (many CVEs).
CVE-2022-29523: The Open Cache Acceleration Software (CAS) maintained by Intel can be crashed.
Vulnerabilities in the Intel Media SDK can be exploited to gain privileges or crash software (many CVEs).
Vulnerabilities in the Intel System Usage Report (SUR) software can be exploited to gain privileges or crash software (many CVEs).
Vulnerabilities in the Intel FPGA SDK for OpenCL Intel Quartus Prime Pro software can be exploited to elevate privileges (two CVEs).
Vulnerabilities in the Intel Iris Xe MAX drivers for Windows can be exploited to leak data or crash (two CVEs).
Vulnerabilities in the Intel Battery Life Diagnostic Tool software can be exploited to gain privileges (three CVEs).
CVE-2022-30339: The Intel Integrated Sensor Solution may be crashed.
Vulnerabilities in the Intel Server Platform Services firmware can be exploited to achieve escalation of privilege (two CVEs).
Vulnerabilities in the BIOS firmware and Intel TXT Secure Initialization (SINIT) Authenticated Code Modules (ACM) for some Intel processors may result in escalation of privilege (many, many CVEs).
Vulnerabilities in the Intel Quartus Prime Pro and Standard edition software may be exploited to achieve escalation of privilege or information disclosure (many CVEs).
CVE-2022-21216: Some Intel Atom and Xeon Scalable Processors can be exploited to gain privileges.
Bugs in the Intel SGX SDK can be exploited to leak data (two CVEs).
Vulnerabilities in some Intel oneAPI Toolkits may allow escalation of privilege (many CVEs).
AMD emitted updates on two security issues in its products. CVE-2022-27672 is another one of those Spectre-style data-leaking speculative-execution flaws involving hardware threads and virtualization in some of its Ryzen and Epyc processors.
If the conditions are right, one thread may be able to extract information from another thread that should be off limits. AMD reckons this will be hard to exploit, and that it's something for hypervisors and operating systems to address.
"AMD believes that due to existing mitigations applied to address other speculation-based issues, theoretical avenues for potential exploit of CVE-2022-27672 may be limited only to select virtualization environments where a virtual machine is given special privileges," the Ryzen designer explained.
"AMD is not aware of any actual real-world exploits based on this behavior."
Meanwhile, CVE-2022-27677 is a privilege-escalation vulnerability in AMD's Ryzen Master tool that is used for tuning system performance. This bug can be exploited during installation of this software to gain admin-level control over the box.