80 New Security Flaws By Microsoft

June 27, 2023

Microsoft has patched 80 new security flaws, including two that are being actively exploited in real-world attacks. The count is in line with the 76 bugs it fixed in February, although this month the number of critical-rated vulnerabilities fell from 8 to 6.

One of the flaws, a zero-day in Windows Print Spooler, could grant attackers elevated privileges; it is the second such Print Spooler vulnerability this year. According to the NSA, this flaw has already been exploited in the wild.

1. Remote Code Execution (RCE) in Windows PowerShell


In the February 2023 Patch Tuesday release, two remote code execution (RCE) vulnerabilities were patched. Such flaws allow attackers to execute arbitrary code on a targeted system and can lead to data theft or other serious harm.

This month’s security update addresses two remote code execution (RCE) vulnerabilities in PowerShell, Microsoft’s task automation and configuration shell. The flaw lies in how PowerShell encodes text before deserializing it for consumption, so untrusted serialized input that reaches this code path can lead to code execution.

Microsoft recently published a blog post outlining the risks of RCE vulnerabilities, noting that attackers could use one to gain unauthorized access to a target system and extract sensitive data such as passwords and other credentials.

Another remote code execution vulnerability in Windows allows an attacker to write data outside the bounds of an allocated memory buffer. Such an out-of-bounds write can corrupt adjacent data or crash the system, and, since the bug is classed as RCE, can be turned into code execution with a crafted input.

Other notable fixes in this month’s update include an elevation of privilege bug in Adobe ColdFusion and a security feature bypass in Microsoft’s Windows SmartScreen. The SmartScreen flaw lets an attacker circumvent Mark of the Web (MOTW) defences by sending a specially crafted file, so a downloaded file opens without the usual warning. To help defenders look for signs of compromise, the company has also released a detection script.

2. Cross-site Scripting (XSS) in Internet Explorer

Cross-site scripting (XSS) is an attack in which malicious script is injected into web pages viewed by other users. Because the injected script runs with the privileges of the page, it can steal session tokens and carry out actions on behalf of the user without their knowledge or consent.

XSS is one of the most serious threats to web users, particularly those who store sensitive data or handle confidential information. Fortunately, the risk can be reduced with a few straightforward techniques.

First, serve a Content Security Policy (CSP) from your web servers. A CSP tells the browser which sources it may load scripts from and, when configured without 'unsafe-inline', blocks injected inline scripts, which renders most reflected and stored XSS attacks harmless.

The browser’s Same Origin Policy (SOP) also limits the damage: it stops a page from one origin from reading content that belongs to another. SOP is enforced by the browser rather than configured on the web server, and it does not by itself stop XSS, because injected script runs inside the vulnerable page’s own origin; that is why the server-side measures are still required.

Second, add defences to the web application itself that keep injected code from executing: validate input and, above all, encode output for the context it is written into (HTML body, attribute, JavaScript or URL), so that user-supplied text is rendered as data rather than parsed as markup or code. Combined with a CSP, this blocks most injected code from running.

Finally, browser extensions can protect users from certain XSS attacks. They are available for most major browsers such as Chrome, Edge and Firefox, but they are a last line of defence for the user rather than a substitute for fixing the application.

On its March Patch Tuesday, Microsoft fixed 80 new security flaws, two of them zero-day bugs already exploited in the wild. Four of the vulnerabilities carried a CVSS v3.1 score above 9, rating them critical; 71 were of moderate severity and one was low. The fixes span products including Microsoft Office and Internet Explorer.

3. VML Hole in Internet Explorer

Microsoft today released patches for 80 new security flaws. One of them closes a VML hole in Internet Explorer that attackers could exploit to run code and steal data from users.

Microsoft warns that a flaw in the way IE handles VML (Vector Markup Language) graphics can cause a stack-based buffer overflow and allow arbitrary code execution on the system. This flaw affects Internet Explorer versions 5.0 and 6.0, as well as Windows 7 and 8.

The flaw lies in the VML rendering library that the browser loads as an ActiveX control, which draws two-dimensional vector images of the kind produced by drawing packages such as Corel Draw.

Although no in-the-wild exploitation has been reported yet, the concern is that criminals could use it to compromise vulnerable systems with no more interaction than a user viewing a crafted web page or HTML email. That would let them steal the user’s login credentials or install malware on the machine without detection.

To mitigate the threat until the patch is applied, disable Active Scripting in Internet Explorer so that malicious script cannot run, and read email in plain text whenever possible so that exploits cannot be delivered through HTML email.

Microsoft must patch this critical vulnerability promptly, as it poses a grave danger to users. It is worth noting that an attacker who delivers the exploit by email reaches a victim more easily than one who has to lure the victim to a malicious site in Internet Explorer; hence the advice to disable scripting in IE and to read email in plain text rather than HTML.

4. Remote Code Execution (RCE) in Windows Network File System (NFS)

RCE attacks pose a significant danger to network security. They let attackers run code of their choosing on a target system, potentially leading to full compromise or the disruption of services.

This type of attack occurs when an application accepts untrusted data and hands it to code that interprets or parses it without adequate checks, whether a command interpreter, a deserializer or a memory-unsafe protocol parser. It is therefore crucial to validate and bounds-check all input before processing it.

A flaw in the Windows Network File System (NFS) server causes a buffer overflow when it calculates the size of a response message. This vulnerability affects only NFS version 4.

A remote, authenticated attacker could trigger it by sending a specially crafted NFS COMPOUND request (the NFSv4 message type that bundles several operations into one call) and run arbitrary code on the server. It remains unclear whether the vulnerability is being exploited, or whether any known malware uses it to infiltrate networks and steal credentials.
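A check a practitioner would want before and after patching is whether a given Windows server actually exposes NFSv4. The following is an added PowerShell example, not code from the post or from Microsoft; it relies on the Server for NFS role tools (`Get-WindowsFeature`, `Get-NfsServerConfiguration`, `Get-NetTCPConnection`) and the `NfsService` service name. The "disable NFSv4" line at the end is offered as a generic attack-surface reduction, not as Microsoft's specific guidance for this bug.

```powershell
# Added example (not from the original post): triage whether this host exposes the
# NFS server and which protocol versions it accepts, so the NFSv4 response-size
# overflow described above can be prioritised. Run elevated on the server.

function Test-NfsServerExposure {
    $report = [pscustomobject]@{
        RoleInstalled = $false
        Running       = $false
        NfsV2         = $null
        NfsV3         = $null
        NfsV4         = $null
        Listening2049 = $false
        Verdict       = ''
    }

    # Server for NFS is an optional role; if it is absent the bug is unreachable here.
    $feature = Get-WindowsFeature -Name FS-NFS-Service -ErrorAction SilentlyContinue
    if (-not $feature -or -not $feature.Installed) {
        $report.Verdict = 'NFS server role not installed: not exposed'
        return $report
    }
    $report.RoleInstalled = $true

    # NfsService is the "Server for NFS" Windows service.
    $svc = Get-Service -Name NfsService -ErrorAction SilentlyContinue
    $report.Running = ($svc -and $svc.Status -eq 'Running')

    # The server configuration records which protocol versions it will answer.
    $cfg = Get-NfsServerConfiguration
    $report.NfsV2 = $cfg.EnableNFSV2
    $report.NfsV3 = $cfg.EnableNFSV3
    $report.NfsV4 = $cfg.EnableNFSV4

    # Confirm something is actually listening on the standard NFS port.
    $report.Listening2049 = [bool](Get-NetTCPConnection -LocalPort 2049 -State Listen `
                                     -ErrorAction SilentlyContinue)

    $report.Verdict = if ($report.Running -and $report.NfsV4 -and $report.Listening2049) {
        'NFSv4 enabled and listening: patch now, or disable NFSv4 until patched'
    } elseif ($report.Running) {
        'NFS running with v4 disabled: lower priority, still patch'
    } else {
        'NFS role installed but service not running'
    }
    return $report
}

Test-NfsServerExposure | Format-List

# Temporary attack-surface reduction if patching must wait (v4 clients lose access):
#   Set-NfsServerConfiguration -EnableNFSV4 $false
```

Because the bug requires an authenticated client, the report is most useful alongside a review of which identities can mount exports on the host; an internal NFSv4 server reachable by every domain user is a far higher priority than one limited to a handful of service accounts.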

To protect against RCE vulnerabilities, patch promptly, keep all software up to date and run regular vulnerability scans to find flaws before attackers do. Monitor network activity for unusual traffic to exposed services, and train users not to open email attachments or follow links from unknown sources. These steps greatly reduce the likelihood of a successful RCE attack but are not foolproof: attackers still find ways into systems, and RCE is only one of many security risks an organisation can encounter.

5. Remote Code Execution (RCE) in Windows PowerShell

Microsoft’s most recent Patch Tuesday update addressed at least 80 security flaws across Windows and the Chromium-based Edge browser, according to security researchers. Two of the fixed flaws are under active attack in the wild.

One of the flaws is a remote code execution (RCE) vulnerability that allows attackers to run malicious code on a targeted system. From that foothold they can perform network reconnaissance and steal data, and they can chain privilege-escalation attacks to take over the system and reach sensitive information.

Another flaw is a deserialization issue: data serialization and deserialization can be abused to smuggle malicious code inside what looks like ordinary data, which makes it difficult to discover and to confirm what the payload is intended to do before it executes.

PowerShell contains a remote code execution vulnerability that could allow an attacker to reach a server on which remote execution is enabled and run code on it. Restricting which hosts and users may open remoting sessions, and which commands they can run once connected, limits what such a bug can be used for.

Though many threats are designed to avoid logging, the Windows Event Viewer and PowerShell’s Script Block Logging are invaluable tools for monitoring attacker activity. With Script Block Logging enabled, the text of every script block PowerShell executes is recorded as event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, including code that was obfuscated or encoded before it ran. It is therefore essential that this logging be enabled, that the events be forwarded to a central collector, and that the logging configuration be kept current.
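Enabling the logging and then hunting the resulting events, as an added PowerShell example (not code from the post or from Microsoft). The registry path and event ID are the standard ones; the list of suspicious patterns is an assumption chosen for the example, not a vendor signature set.

```powershell
# Added example (not from the original post): turn on PowerShell Script Block
# Logging and sweep the resulting 4104 events for common attacker patterns.
# Run as Administrator on the endpoint. The registry key is the policy location
# that Group Policy writes to, so the setting survives without a GPO.

function Enable-ScriptBlockLogging {
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # 1 = log the text of every script block the engine compiles (event ID 4104).
    Set-ItemProperty -Path $path -Name EnableScriptBlockLogging -Value 1 -Type DWord
    # Start/stop invocation events (4105/4106) are very noisy; leave them off.
    Set-ItemProperty -Path $path -Name EnableScriptBlockInvocationLogging -Value 0 -Type DWord
    Get-ItemProperty -Path $path
}

# Strings that are rare in legitimate admin scripts but common in attacker tooling.
# This list is an assumption for the example; tune it to your environment.
$SuspiciousPatterns = @(
    '-EncodedCommand', '-enc ',            # base64-wrapped payloads
    'Invoke-Expression', 'IEX',            # executing built strings
    'DownloadString', 'DownloadFile',      # download cradles
    'FromBase64String',
    'Invoke-Mimikatz', 'Invoke-Shellcode',
    'VirtualAlloc', 'WriteProcessMemory',  # in-memory injection
    'amsiInitFailed', 'AmsiUtils'          # AMSI bypass attempts
)

function Find-SuspiciousScriptBlocks {
    param(
        [int]$MaxEvents = 5000,
        [string[]]$Patterns = $SuspiciousPatterns
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # 4104 properties: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText,
        # [3] ScriptBlockId, [4] Path. Long scripts are split across several events.
        $text = [string]$e.Properties[2].Value
        $hits = $Patterns | Where-Object { $text -match [regex]::Escape($_) }
        if ($hits) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                User      = $e.UserId
                ProcessId = $e.ProcessId
                Matched   = ($hits -join ', ')
                Snippet   = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

Enable-ScriptBlockLogging
Find-SuspiciousScriptBlocks | Format-Table -AutoSize
```

Two points worth knowing when reading the results: PowerShell 5 and later log script blocks that the engine itself judges suspicious at Warning level even when the policy is off, so a few 4104 events on an "unconfigured" host are not proof that logging was enabled; and because the logged text is the de-obfuscated block handed to the compiler, patterns hidden by string concatenation in the original file still appear in the event.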

In addition to logging, administrators can create constrained runspaces on remote endpoints (Just Enough Administration, or JEA) that limit connecting users to a specific set of commands. These endpoints give administrators control over which commands can be executed; however, a role that exposes a carelessly written wrapper, one that builds a command string from the caller’s arguments, remains vulnerable to command injection despite the constraint.
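A constrained endpoint with one safe and one unsafe wrapper function, as an added PowerShell example (not code from the post or a Microsoft sample). The module name, role name, group name and paths are assumptions made up for the example; the cmdlets (`New-PSRoleCapabilityFile`, `New-PSSessionConfigurationFile`, `Register-PSSessionConfiguration`) are the standard JEA tooling.

```powershell
# Added example (not from the original post): a JEA endpoint that restricts a role
# to a few commands, alongside the kind of exposed function that reintroduces
# command injection. Names below are assumptions. Run elevated on the server.

# --- 1. Two ways to wrap a privileged operation ------------------------------

# UNSAFE: the caller's string is spliced into a command line and re-parsed.
# Passing  Spooler; net user backdoor P@ssw0rd /add  as -Name runs both commands
# even from inside a JEA session, because the parsing happens server-side.
function Restart-ServiceUnsafe {
    param([string]$Name)
    Invoke-Expression "Restart-Service -Name $Name"
}

# SAFE: the argument is checked against an allow-list and passed as a parameter
# value, never as code, so nothing the caller sends is ever parsed as a command.
function Restart-ServiceSafe {
    param([ValidateSet('Spooler', 'W32Time', 'BITS')][string]$Name)
    Restart-Service -Name $Name
}

# --- 2. Role capability: what the 'ServiceOperator' role may run -------------
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ServiceOpsJea'
$rcRoot     = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcRoot -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'ServiceOpsJea.psd1')

New-PSRoleCapabilityFile -Path (Join-Path $rcRoot 'ServiceOperator.psrc') `
    -VisibleCmdlets @(
        @{ Name = 'Get-Service' },
        # Even the raw cmdlet is pinned to allow-listed -Name values.
        @{ Name = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time', 'BITS' } }
    ) `
    -FunctionDefinitions @{
        Name        = 'Restart-ServiceSafe'
        ScriptBlock = ${function:Restart-ServiceSafe}
    }
# Restart-ServiceUnsafe is deliberately NOT listed: exposing it would hand every
# role member arbitrary command execution through the injection shown above.

# --- 3. Session configuration: the endpoint itself ---------------------------
# RestrictedRemoteServer puts the session in NoLanguage mode, so connecting users
# cannot run script, expressions or Invoke-Expression, only the visible commands.
# RunAsVirtualAccount performs the work as a transient local administrator, so
# operators need no standing admin rights; transcripts record every session.
$psscPath = Join-Path $env:TEMP 'ServiceOps.pssc'
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\ProgramData\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\ServiceOperators' = @{ RoleCapabilities = 'ServiceOperator' } }

if (Test-PSSessionConfigurationFile -Path $psscPath) {
    Register-PSSessionConfiguration -Name 'ServiceOps' -Path $psscPath -Force | Out-Null
}

# Operators then connect with:
#   Enter-PSSession -ComputerName srv01 -ConfigurationName ServiceOps
```

The constraint does its job only as far as the exposed commands honour it: NoLanguage mode stops the caller from typing `Invoke-Expression`, but it cannot stop a visible function from calling it on the caller’s behalf. Reviewing every function a role exposes for string-built commands is the step that closes the gap the text warns about.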

Remote code execution through legitimate administration channels has become a popular technique among threat actors because it evades detection, blends in with normal administration tasks and leaves fewer artifacts on targeted computers. It also lets them gain a foothold within an enterprise network without needing physical access.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.

