Microsoft Points Patches for 97 Flaws, Together with Lively Ransomware Exploit

Apr 12, 2023Ravie LakshmananPatch Tuesday / Software program Updates

Microsoft Patch Tuesday

It is the second Tuesday of the month, and Microsoft has launched one other Slot set of safety updates to repair a total of 97 flaws impacting its software program, one among which has been actively exploited in ransomware assaults within the wild.

Seven of the 97 bugs are rated Vital and 90 are rated Necessary in severity. Curiously, 45 of the shortcomings are distant code execution flaws, adopted by 20 elevation of privilege vulnerabilities. The updates additionally observe fixes for 26 vulnerabilities in its Edge browser that have been launched over the previous month.

The safety flaw that is come underneath lively exploitation is CVE-2023-28252 (CVSS rating: 7.8), a privilege escalation bug within the Home windows Frequent Log File System (CLFS) Driver.

“An attacker who efficiently exploited this vulnerability may achieve SYSTEM privileges,” Microsoft mentioned in an advisory, crediting researchers Boris Larin, Genwei Jiang, and Quan Jin for reporting the difficulty.

CVE-2023-28252 is the fourth privilege escalation flaw within the CLFS element that has come underneath lively abuse up to now yr alone after CVE-2022-24521, CVE-2022-37969, and CVE-2023-23376 (CVSS scores: 7.8). A minimum of 32 vulnerabilities have been recognized in CLFS since 2018.

Based on Russian cybersecurity agency Kaspersky, the vulnerability has been weaponized by a cybercrime group to deploy Nokoyawa ransomware in opposition to small and medium-sized companies within the Center East, North America, and Asia.

“CVE-2023-28252 is an out-of-bounds write (increment) vulnerability that may be exploited when the system makes an attempt to increase the metadata block,” Larin said. “The vulnerability will get triggered by the manipulation of the bottom log file.”

In mild of ongoing exploitation of the flaw, CISA added the Home windows zero-day to its catalog of Recognized Exploited Vulnerabilities (KEV), ordering Federal Civilian Govt Department (FCEB) companies to safe their programs by Might 2, 2023.

Active Ransomware Exploit

Additionally patched are essential distant code execution flaws impacting DHCP Server Service, Layer 2 Tunneling Protocol, Uncooked Picture Extension, Home windows Level-to-Level Tunneling Protocol, Home windows Pragmatic Common Multicast, and Microsoft Message Queuing (MSMQ).

The MSMQ bug, tracked as CVE-2023-21554 (CVSS rating: 9.8) and dubbed QueueJumper by Examine Level, may result in unauthorized code execution and take over a server by sending a specifically crafted malicious MSMQ packet to an MSMQ server.

“The CVE-2023-21554 vulnerability permits an attacker to probably execute code remotely and with out authorization by reaching the TCP port 1801,” Examine Level researcher Haifei Li said. “In different phrases, an attacker may achieve management of the method by way of only one packet to the 1801/tcp port with the exploit, triggering the vulnerability.”

Two different flaws found in MSMQ, CVE-2023-21769 and CVE-2023-28302 (CVSS scores: 7.5), may very well be exploited to trigger a denial-of-service (DoS) situation equivalent to a service crash and Home windows Blue Display screen of Loss of life (BSoD).


Be taught to Safe the Id Perimeter – Confirmed Methods

Enhance your online business safety with our upcoming expert-led cybersecurity webinar: Discover Id Perimeter methods!

Don’t Miss Out – Save Your Seat!

Microsoft has additionally up to date its advisory for CVE-2013-3900, a WinVerifyTrust signature validation vulnerability, to incorporate the next Server Core set up variations –

  • Home windows Server 2008 for 32-bit Techniques Service Pack 2
  • Home windows Server 2008 for x65-based Techniques Service Pack 2
  • Home windows Server 2008 R2 for x64-based Techniques Service 1
  • Home windows Server 2012
  • Home windows Server 2012 R2
  • Home windows Server 2016
  • Home windows Server 2019, and
  • Home windows Server 2022

The event comes as North Korea-linked risk actors have been noticed leveraging the flaw to include encrypted shellcode into authentic libraries with out invalidating the Microsoft-issued signature.

Microsoft Points Steering for BlackLotus Bootkit Assaults

In tandem with the replace, the tech big additionally issued steering for CVE-2022-21894 (aka Baton Drop), a now-fixed Safe Boot bypass flaw that has been exploited by risk actors utilizing a nascent Unified Extensible Firmware Interface (UEFI) bootkit referred to as BlackLotus to determine persistence on a number.

Some indicators of compromise (IoCs) embrace lately created and locked bootloader recordsdata within the EFI system partition (ESP), presence of the staging listing “ESP:/system32/,” modifications to the registry key “HKLM:SYSTEMCurrentControlSetControlDeviceGuardScenariosHypervisorEnforcedCodeIntegrity,” and occasion logs related to the stoppage of Microsoft Defender Antivirus.

“UEFI bootkits are significantly harmful as they run at pc startup, previous to the working system loading, and due to this fact can intervene with or deactivate varied working system (OS) safety mechanisms,” the Microsoft Incident Response staff said.

Microsoft additional recommends that compromised gadgets be faraway from the community to be examined for proof of follow-on exercise, reformat or restore the machines from a identified clear backup that features the EFI partition, keep credential hygiene, and implement the precept of least privilege (PoLP).

Software program Patches from Different Distributors

Along with Microsoft, safety updates have additionally been launched by different distributors in the previous couple of weeks to rectify a number of vulnerabilities, together with —


Discovered this text attention-grabbing? Comply with us on Twitter and LinkedIn to learn extra unique content material we put up.