Microsoft released patches for several vulnerabilities in Windows Media Player and Windows. Patches for CVE-2023-21802, CVE-2023-21805, and CVE-2023-21822 were made available on February 24. The flaws would have allowed cybercriminals to gain privileges, execute code, and launch malware, among other threats.
The Zero Day Initiative (ZDI) had flagged these zero-day vulnerabilities to Microsoft earlier. The Cyber Express has yet to find any reported instances of the bugs being exploited in the wild.
“At the time, there was a perception by some in the information security industry that those who find vulnerabilities are malicious hackers looking to do harm. Some still feel that way. While skilled, malicious attackers do exist, they remain a small minority of the total number of people who actually discover new flaws in software,” said the ZDI website.
CVE-2023-21802 and Windows Media Player
CVE-2023-21802 has a CVSS score of 7.8 and affects Microsoft’s Windows Media Player on systems where the latest updates are not installed. Trend Micro researcher Hossein Lotfi alerted Microsoft to the flaw on 18 October 2022.
An attacker can remotely execute arbitrary code on unpatched installations of Microsoft Windows Media Player. Exploitation requires user interaction, however: the target would need to open a malicious file or visit a malicious page or link to give the attacker initial access.
The Windows Media remote code execution flaw lies in the handling of color conversion. Because user-supplied data is not properly validated before it is used in this code, an attacker can trigger an integer overflow.
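The bug class described above, unvalidated dimensions feeding an arithmetic calculation that wraps, is easiest to see in code. The following C program is an added illustration, not Windows Media Player’s code and not the patched logic; the image header fields, the 256 MiB application limit, and the function names are all constructed for this example. It places the vulnerable 32-bit size computation next to a hardened version that checks each multiplication before performing it and refuses the header when the result does not fit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Application limit on a decoded image; a constructed value for this example. */
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)

/* Hypothetical image header: every field is read straight from the
 * untrusted file, so none of them may be trusted without validation. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
} image_header;

/* Vulnerable pattern: the 32-bit product wraps silently. A header claiming
 * 65536 x 65536 x 4 yields a size of 0, while a converter that later trusts
 * width * height pixels would write far past such a buffer. */
uint32_t unsafe_buffer_size(const image_header *h)
{
    return h->width * h->height * h->bytes_per_pixel;
}

/* Hardened pattern: validate each field, check every multiplication for
 * overflow before doing it, and cap the result at an application limit.
 * Returns 1 with the byte count in *out, or 0 if the header is rejected. */
int checked_buffer_size(const image_header *h, size_t *out)
{
    size_t pixels, bytes;

    if (h->width == 0 || h->height == 0)
        return 0;
    if (h->bytes_per_pixel == 0 || h->bytes_per_pixel > 16)
        return 0;

    /* a * b overflows size_t exactly when a > SIZE_MAX / b */
    if ((size_t)h->width > SIZE_MAX / (size_t)h->height)
        return 0;
    pixels = (size_t)h->width * (size_t)h->height;

    if (pixels > SIZE_MAX / (size_t)h->bytes_per_pixel)
        return 0;
    bytes = pixels * (size_t)h->bytes_per_pixel;

    if (bytes > MAX_IMAGE_BYTES)
        return 0;

    *out = bytes;
    return 1;
}

/* Allocate the conversion buffer only for a header that passed validation.
 * A rejected header yields NULL rather than an undersized buffer. */
unsigned char *alloc_conversion_buffer(const image_header *h, size_t *size_out)
{
    size_t bytes;
    if (!checked_buffer_size(h, &bytes))
        return NULL;
    *size_out = bytes;
    return calloc(bytes, 1);
}

int main(void)
{
    /* Constructed headers: one benign, two crafted to wrap 32-bit math. */
    const image_header headers[] = {
        { 640u, 480u, 4u },
        { 65536u, 65536u, 4u },
        { 65536u, 65537u, 1u },
    };
    for (size_t i = 0; i < sizeof headers / sizeof headers[0]; i++) {
        size_t safe = 0;
        int ok = checked_buffer_size(&headers[i], &safe);
        printf("%ux%ux%u: unsafe=%u checked=%s\n",
               headers[i].width, headers[i].height, headers[i].bytes_per_pixel,
               unsafe_buffer_size(&headers[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

The division-based check is portable C; compilers that provide __builtin_mul_overflow can express the same test more directly. The cap matters as much as the overflow check: on a 64-bit build the 65536 x 65536 x 4 product fits in size_t, so without an application limit the hardened path would happily try to allocate 16 GiB.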
CVE-2023-21805 vulnerability and files in Windows
CVE-2023-21805, with a CVSS score of 7.8, affects Windows and can allow attackers to run arbitrary code, giving them a foothold not just on the compromised system but potentially on the wider network, increasing their reach and the damage they can do.
The vulnerability is triggered by certain image file types that contain script tags. An image can be crafted with embedded data so that the scripts execute and load code in the context of the current process. This Windows MSHTML Platform remote code execution vulnerability was reported to the vendor on 3 November 2022.
CVE-2023-21822 and arbitrary codes
CVE-2023-21822, with a CVSS score of 8.8, affects Microsoft Windows and can allow attackers to escalate privileges if the patches are not installed. The vulnerability was found in the win32kfull driver and is caused by a lack of validation of an object before operations are performed on it.
Exploiting this flaw can result in arbitrary code execution in the context of the system. Researchers noted that an attacker would first need the ability to execute low-privileged code on the target. This Windows graphics component elevation of privilege vulnerability was reported on 3 November 2022.
As long as users do not upgrade to the latest version, the software remains vulnerable to exploitation and exposes connected devices and networks to risk. Users are therefore urged to install the patches on their devices.
Microsoft and patch management
Microsoft’s February 2023 Patch Tuesday updates covered a total of 80 security fixes, 77 of which address vulnerabilities. Among those vulnerabilities are three zero-days that attackers were actively exploiting.
Microsoft defines a zero-day vulnerability as one that is publicly disclosed or actively exploited before an official fix is available. All three zero-day vulnerabilities fixed in this update were being actively exploited in the wild.
However, patch management by organizations leaves a lot to be desired.
In December, Microsoft released a warning about CVE-2022-37958, stating that the vulnerability, which had previously been fixed in September, was still capable of spreading malicious code.
However, according to a survey conducted by The Cyber Express among its registered readers, many respondents were unaware of this bug. The survey of 32 CISO leaders across various industries and locations showed that only 17% had initiated a patch, and a staggering 43% had not yet updated their systems.
Around the same time, Rackspace Hosted Exchange service was hit by a ransomware attack, and a zero-day exploit related to a Microsoft Exchange vulnerability (designated as CVE-2022-41080) was determined to be the root cause.
This vulnerability allowed hackers to gain access to numerous accounts, causing tens of thousands of users to lose access to their emails.
The Microsoft Exchange vulnerability is an elevation-of-privilege flaw that can be chained with the CVE-2022-41082 ProxyNotShell bug to achieve remote code execution. Cybercriminals have taken advantage of this serious vulnerability to gain remote privilege escalation on Microsoft Exchange Server.
Despite warnings from CISA, repeated notices from Microsoft, and calls to action for patch management, The Cyber Express found that numerous organizations have yet to initiate a patch.