
Patch Tuesday February 2023: The Long Goodbye of Internet Explorer 11 and Zero-days Abusing OneNote  

2023 is the year many long familiar Microsoft products meet their final fates. January gave us the end of support for Windows 8.1 as well as Extended Security Updates for Windows 7. Microsoft’s February Patch Tuesday brings more heartbreak for lovers of legacy software as Internet Explorer 11 is now being disabled on Windows 10 builds. There is also a collection of zero-days under active exploitation and a reminder that not all security fixes are delivered via Windows Update.

Microsoft Vulnerabilities

With a total of 77 vulnerabilities, workloads for teams responsible for patching shouldn’t be too heavy. However, nine of this month’s vulnerabilities are marked as Critical, and there are three zero-day vulnerabilities, all under active exploitation, with one being leveraged in ransomware campaigns involving OneNote files.

The first zero-day vulnerability, CVE-2023-21823, is a remote code execution threat that gives an attacker SYSTEM privileges when exploited. To exploit it, attackers need to use specially crafted OneNote files, which can then be delivered as email attachments. This particular vulnerability has received additional guidance in the Microsoft Security Update, advising that updates are being delivered for OneNote via the Microsoft Store. If you’ve implemented policies that block auto-updates of Microsoft Store apps, it’s worth revisiting why that policy is in place.

The second and third zero-day vulnerabilities for February are CVE-2023-23376 and CVE-2023-21715. Both are under active exploitation, and CVE-2023-21715 allows attackers to bypass Microsoft Office macro settings using a malicious Microsoft Publisher document. 

While keeping to a timely patching routine should help mitigate these vulnerabilities, the fact that two zero-days are leveraging Microsoft Office documents for delivery of payloads illustrates that blocking email attachments, even for normally benign file types, should be evaluated as a serious option for hardening environments.

Internet Explorer 11, the long goodbye

Starting February 14, Internet Explorer 11 is being disabled via a Microsoft Edge update, rolled out over the coming weeks through the Microsoft Edge Stable channel. For most SMEs this isn’t a concern, as these systems have long since been retired in favor of currently supported versions. If, however, you still have these legacy systems and applications in production, this should prompt a strongly worded entry in your risk register, or be the push needed to make the business case for why the risks these legacy systems represent are no longer acceptable.

Microsoft Patch Tuesday Vulnerability Prioritization

As always, prioritizing which vulnerabilities to address first is part following established best practices and part gut instinct. Critical severity, Exploitation More Likely and Exploitation Detected vulnerabilities should, as always, rank fairly high on the priority list. If you only patch based on severity, you are leaving a lot of unnecessary risk exposure lying around.

Table Key: Severity: C = Critical, I = Important, M = Moderate; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected 

CVE | Description | Severity | Status
--- | --- | --- | ---
CVE-2023-23381 | Visual Studio Remote Code Execution Vulnerability | C | ELL
CVE-2023-21815 | Visual Studio Remote Code Execution Vulnerability | C | ELL
CVE-2023-21803 | Windows iSCSI Discovery Service Remote Code Execution Vulnerability | C | ELL
CVE-2023-21716 | Microsoft Word Remote Code Execution Vulnerability | C | ELL
CVE-2023-21692 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | C | EML
CVE-2023-21690 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | C | EML
CVE-2023-21689 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | C | EML
CVE-2023-23377 | 3D Builder Remote Code Execution Vulnerability | I | ELL
CVE-2023-23376 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | I | ED
CVE-2023-21823 | Windows Graphics Component Remote Code Execution Vulnerability | I | ED
CVE-2023-21822 | Windows Graphics Component Elevation of Privilege Vulnerability | I | EML
CVE-2023-21819 | Windows Secure Channel Denial of Service Vulnerability | I | EML
CVE-2023-21818 | Windows Secure Channel Denial of Service Vulnerability | I | EML
CVE-2023-21812 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | I | EML
CVE-2023-21715 | Microsoft Publisher Security Features Bypass Vulnerability | I | ED
CVE-2023-21707 | Microsoft Exchange Server Remote Code Execution Vulnerability | I | EML
CVE-2023-21706 | Microsoft Exchange Server Remote Code Execution Vulnerability | I | EML
CVE-2023-21688 | NT OS Kernel Elevation of Privilege Vulnerability | I | EML
CVE-2023-21529 | Microsoft Exchange Server Remote Code Execution Vulnerability | I | EML
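To make the prioritization argument above concrete, here is an added example (not code from the original post or from N-able) that ranks a subset of the rows from the table using the post's own key: zero-days first, then exploitation status, then severity, with CVE id as the tie-break. Run side by side with a severity-only sort, it shows how the three Exploitation Detected Important bugs fall behind Critical-but-less-likely ones when severity alone drives the queue.

```python
# Added example, not the post's own code: rank the Patch Tuesday table for patching
# so that exploitation status, not severity alone, decides the order.

# Subset of rows copied from the table in the post: cve|description|severity|status
PATCH_TABLE = """\
CVE-2023-23381|Visual Studio Remote Code Execution Vulnerability|C|ELL
CVE-2023-21716|Microsoft Word Remote Code Execution Vulnerability|C|ELL
CVE-2023-21692|Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability|C|EML
CVE-2023-23376|Windows Common Log File System Driver Elevation of Privilege Vulnerability|I|ED
CVE-2023-21823|Windows Graphics Component Remote Code Execution Vulnerability|I|ED
CVE-2023-21715|Microsoft Publisher Security Features Bypass Vulnerability|I|ED
CVE-2023-21707|Microsoft Exchange Server Remote Code Execution Vulnerability|I|EML
CVE-2023-23377|3D Builder Remote Code Execution Vulnerability|I|ELL
"""

# Zero-days named in the post; they jump the queue whatever their severity.
ZERO_DAYS = {"CVE-2023-21823", "CVE-2023-23376", "CVE-2023-21715"}

# Lower value = patch sooner. Status outranks severity on purpose.
STATUS_RANK = {"ED": 0, "EML": 1, "ELL": 2}  # Detected > More Likely > Less Likely
SEVERITY_RANK = {"C": 0, "I": 1, "M": 2}     # Critical > Important > Moderate


def parse_rows(table: str) -> list[dict]:
    """Parse 'cve|description|severity|status' lines, rejecting unknown codes."""
    rows = []
    for line in filter(str.strip, table.splitlines()):
        cve, desc, sev, status = (f.strip() for f in line.split("|"))
        if sev not in SEVERITY_RANK or status not in STATUS_RANK:
            raise ValueError(f"unknown severity/status code on {cve}")
        rows.append({"cve": cve, "description": desc, "severity": sev, "status": status})
    return rows


def severity_only_order(rows: list[dict]) -> list[str]:
    """The naive queue the post warns against: severity alone, CVE id as tie-break."""
    return [r["cve"] for r in sorted(rows, key=lambda r: (SEVERITY_RANK[r["severity"]], r["cve"]))]


def prioritized_order(rows: list[dict]) -> list[str]:
    """Zero-days first, then exploitation status, then severity, then CVE id."""
    def key(r: dict) -> tuple:
        return (r["cve"] not in ZERO_DAYS, STATUS_RANK[r["status"]],
                SEVERITY_RANK[r["severity"]], r["cve"])
    return [r["cve"] for r in sorted(rows, key=key)]


if __name__ == "__main__":
    rows = parse_rows(PATCH_TABLE)
    for rank, cve in enumerate(prioritized_order(rows), 1):
        print(rank, cve)
```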

Summary

As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity, consider including prioritization of patches for Zero-Day, Exploitation Detected, and Exploitation More Likely vulnerabilities in your Patch Management routines.

Looking for more blogs on patching, or for previous Microsoft Patch Tuesday reviews? Check out this section of our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd


© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
