A Windows zero-day bug under active exploitation was patched as part of Microsoft’s April Patch Tuesday round of bug fixes. On Tuesday, the Cybersecurity and Infrastructure Security Agency added the Microsoft zero-day flaw, tracked as CVE-2023-28252, to its exploited vulnerabilities catalog.
The zero-day is tied to Windows’ Common Log File System Driver (CLFS) system and creates conditions ripe for an adversary to carry out an elevation of privileges attack on targeted systems. The bug has a CVSSv3 score of 7.8 and a rating of important. It is unclear to what extent the flaw is being exploited in the wild.
The bug was patched as part of a larger package of fixes that addressed a total of 97 vulnerabilities for Microsoft products. Seven were identified as critical remote code execution (RCE) flaws.
CISA’s addition of the Microsoft bug follows the addition of two Apple zero-days also added to its Known Exploited Vulnerabilities (KEV) catalog on Monday.
Microsoft Patch Tuesday Analysis
Tuesday’s bug fixes by Microsoft included security updates for Windows components including Office, Defender, SharePoint Server, Hyper-V, PostScript Printer and Microsoft Dynamics.
“The number of remote code execution bugs makes up nearly half the release(s). It’s unusual to see that many RCE fixes in a single month,” wrote Dustin Childs of Trend Micro’s Zero Day Initiative in his Patch Tuesday commentary.
Childs said that the zero-day patched by Microsoft may have been tied to a previous and similar zero-day bug (CVE-2023-23376) patched in February. “To me, that implies the original fix was insufficient and attackers have found a method to bypass that fix,” he wrote.
Tenable’s analysis of Microsoft’s April Patch Tuesday fixes also highlighted remote code execution vulnerabilities, noting they accounted for 46.4% of the vulnerabilities patched this month, while elevation of privilege vulnerabilities represented 20.6% of the fixes.
Most concerning is a critical RCE vulnerability, tracked as CVE-2023-21554, impacting Microsoft’s Message Queuing (MSMQ) process.
“An attacker could exploit this flaw by sending a specially crafted MSMQ packet to an affected MSMQ server. Microsoft’s advisory notes that exploitation of this flaw requires the Windows message queuing service to be enabled. When enabled, TCP port 1801 will be listening on the host,” Tenable wrote.
Researchers also suggested prioritizing critical RCE vulnerability CVE-2023-28250 impacting the Windows Pragmatic General Multicast (PGM) component and CVE-2023-28231, a RCE vulnerability affecting the Dynamic Host Configuration Protocol (DHCP) server service.
5-Year-Old Bug Gets a Fix
Also, of note in Microsoft’s April round of patches is a 5-year-old bug fix for the Windows’ anti-virus solution Defender. While not security related, the bug impacted Windows users of the Mozilla web browser, spiking the PC’s microprocessor usage by 75% when Firefox was being used. The fix was part of a collaborative effort between Mozilla and Microsoft who released an update to the impacted Windows Defender component MsMpEng.exe. “I noticed that for some time now most of the time Firefox is active, the Windows 10 built in `Antimalware Service Executable` is using well above *30% of my CPU*, and is reading and writing random files in `Windows/Temp`, all starting with `etilqs_`,” wrote Markus Jaritz, design manager with Firefox Product UX, in 2018.