Microsoft released major security updates for a total of 75 Windows vulnerabilities: nine rated “Critical,” 66 rated “Important,” and, among them, three zero-days that have been exploited in the wild. The full list can be found in the latest Microsoft Security Update Guide. Here’s what you need to know.
The three actively exploited zero-day vulnerabilities fixed in the updates are:
Exploiting the first vulnerability, CVE-2023-21715 (rated important), requires a local user who is already authenticated. If an attacker can lure a victim through social engineering into downloading and executing a malicious file locally, macros in malicious Publisher documents would run without warning the user.
The second zero-day, CVE-2023-23376 (rated important), is only described by Microsoft as “an attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”
The third zero-day patched, CVE-2023-21823 (rated important), is described as a remote code execution vulnerability that allows attackers to execute commands with SYSTEM privileges.
Additionally, all nine critical vulnerabilities patched by Microsoft are RCE vulnerabilities affecting products such as Microsoft Word, drivers, Visual Studio, the iSCSI Discovery Service and Microsoft Protected Extensible Authentication Protocol (PEAP).
Nuspire applies patches when released in accordance with vendor recommendations.
Because Microsoft Windows is so widely used, threat actors are quick to pounce on vulnerabilities affecting the operating system. Organizations should prioritize Windows updates by criticality and apply them as soon as possible within their environment.
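One way to turn that recommendation into a repeatable triage step, as an added example that is not Nuspire's or Microsoft's code: rank a month's advisories so that exploited-in-the-wild items come first, then Critical, then the rest. The CSV in the block is a constructed stand-in for an export of the Microsoft Security Update Guide (the real export's column names may differ); the three rows marked exploited are the CVEs named above, the `CVE-0000-*` rows are placeholders, and the deployment windows are an assumed sample policy rather than a vendor or Nuspire requirement.

```python
"""Triage Windows security updates: exploited zero-days first, then by severity.

Added example, not code from Nuspire or Microsoft. The record format is a
constructed stand-in for a Security Update Guide export; the deployment
windows are an assumed sample policy."""
import csv
import io
from dataclasses import dataclass

# Lower rank means patch sooner.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

# Assumed sample policy: how quickly each triage tier must be deployed.
DEPLOY_WINDOW = {
    "exploited": "emergency (out-of-band, within 24h)",
    "Critical": "priority (within 7 days)",
    "Important": "standard cycle (within 30 days)",
    "Moderate": "standard cycle (within 30 days)",
    "Low": "next maintenance window",
}

# Constructed sample export. The exploited rows are the CVEs named in the post;
# the CVE-0000-* rows are placeholders standing in for the other advisories.
SAMPLE_CSV = """cve,product,severity,exploited
CVE-0000-0004,Windows,Important,no
CVE-2023-23376,Windows,Important,yes
CVE-0000-0002,iSCSI Discovery Service,Critical,no
CVE-2023-21715,Microsoft Publisher,Important,yes
CVE-0000-0005,Windows,Moderate,no
CVE-0000-0001,Microsoft Word,Critical,no
CVE-2023-21823,Windows,Important,yes
CVE-0000-0003,Microsoft PEAP,Critical,no
"""


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    severity: str
    exploited: bool


def parse_advisories(text: str) -> list[Advisory]:
    """Parse the CSV export into Advisory records; 'exploited' accepts yes/true/1."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Advisory(
            cve=row["cve"].strip(),
            product=row["product"].strip(),
            severity=row["severity"].strip(),
            exploited=row["exploited"].strip().lower() in {"yes", "true", "1"},
        )
        for row in reader
    ]


def tier(adv: Advisory) -> str:
    """Exploited-in-the-wild overrides the vendor severity rating."""
    return "exploited" if adv.exploited else adv.severity


def triage_key(adv: Advisory) -> tuple[int, int, str]:
    # Unknown severities sort last rather than raising.
    return (0 if adv.exploited else 1, SEVERITY_RANK.get(adv.severity, 99), adv.cve)


def triage(advisories: list[Advisory]) -> list[tuple[Advisory, str, str]]:
    """Return (advisory, tier, deployment window) in deployment order."""
    ordered = sorted(advisories, key=triage_key)
    return [(a, tier(a), DEPLOY_WINDOW.get(tier(a), "unclassified")) for a in ordered]


def tier_counts(advisories: list[Advisory]) -> dict[str, int]:
    """Summary for the change ticket: how many items land in each tier."""
    counts: dict[str, int] = {}
    for a in advisories:
        counts[tier(a)] = counts.get(tier(a), 0) + 1
    return counts


if __name__ == "__main__":
    plan = triage(parse_advisories(SAMPLE_CSV))
    for adv, t, window in plan:
        print(f"{adv.cve:15} {adv.severity:10} {t:10} {window}")
    print(tier_counts(parse_advisories(SAMPLE_CSV)))
```

Run against a real export, the ordering is what a change ticket should reflect: the three exploited zero-days go out of band even though Microsoft rates them only Important, the nine Critical RCEs follow, and everything else rides the normal cycle.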