Microsoft February 2023 Patch Tuesday fixes 3 exploited zero-days, 77 flaws

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,506
Today is Microsoft's February 2023 Patch Tuesday, and security updates fix three actively exploited zero-day vulnerabilities and a total of 77 flaws.

Nine vulnerabilities have been classified as 'Critical' as they allow remote code execution on vulnerable devices.

The number of bugs in each vulnerability category is listed below:
  • 12 Elevation of Privilege Vulnerabilities
  • 2 Security Feature Bypass Vulnerabilities
  • 38 Remote Code Execution Vulnerabilities
  • 8 Information Disclosure Vulnerabilities
  • 10 Denial of Service Vulnerabilities
  • 8 Spoofing Vulnerabilities
This count does not include three Microsoft Edge vulnerabilities fixed earlier this month.

To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5022845 and KB5022836 cumulative updates and Windows 10 KB5022834 and KB5022840 updates.
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,506
The February 2023 Security Update Overview
Welcome to the second patch Tuesday of 2023. On this romantic holiday, Microsoft and Adobe have released their latest security patches as Valentine’s gifts for us all. Take a break from your regularly scheduled activities (or Pwn2Own Miami) and join us as we review the details of their latest security offerings.

Adobe Patches for February 2023

For February, Adobe released nine patches addressing 28 CVEs in Adobe Photoshop, Substance 3D Stager, Animate, InDesign, Bridge, FrameMaker, Connect, and After Effects. A total of 21 of these were reported by ZDI vulnerability researcher Mat Powell. Probably the most interesting fix is for PhotoShop. This patch fixes five bugs, three of which are rated Critical. An attacker could get arbitrary code execution if they can convince a user on an affected system to open a malicious file. This is the same scenario for Premier Rush, which corrects two Critical-rated code execution bugs. The Animate patch also fixes three similar code execution bugs. The fix for Adobe Bridge fixes five Critical-rated code execution bugs plus two memory leaks. After Effects also has a memory leak to go along with three code execution bugs. The patch for FrameMaker also contains a mix of code execution and memory leak fixes.

The patch for Adobe Connect fixes a security feature bypass bug, although Adobe doesn’t provide any further info on what’s being bypassed. The fix for InDesign corrects a denial of service caused by a NULL pointer deref. Finally, the fix for Adobe Substance 3D Stager doesn’t actually address any new CVEs. However, Adobe is updating third-party libraries used by the 3D modeling tool.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for February 2023

This month, Microsoft released 75 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Exchange Server; .NET Core and Visual Studio Code; 3D Builder and Print 3D; Microsoft Azure and Dynamics 365; Defender for IoT and the Malware Protection Engine; and Microsoft Edge (Chromium-based). This is in addition to Edge CVEs previously released this month plus some third-party fixes that are now being shipped for Microsoft products. A total of eight of these CVEs were submitted through the ZDI program.

Of the patches released today, nine are rated Critical and 66 are rated Important in severity. This volume is relatively typical for a February release. However, it is unusual to see half of the release address remote code execution (RCE) bugs.

None of the new CVEs released this month are listed as publicly known, but there are three bugs listed as being exploited in the wild at the time of release.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top