On April 11, 2023, Microsoft released security updates for Windows clients and servers, for Office, and for other products. The security updates fix 97 CVE vulnerabilities, seven of which are rated critical and one of which is a 0-day vulnerability. Below is a compact overview of the updates released on this Patchday. A list of the updates can be found on this Microsoft page. Details on the update packages for Windows, Office, etc. are available in separate blog posts.
Notes on the updates
Windows 10 version 20H2 to 22H2 use a common core and have an identical set of system files. Therefore, the same security update will be delivered for these Windows 10 versions. Information on enabling the features of Windows 10, which is done through an Enablement Package update, can be found in this Techcommunity post.
Windows 10/11, Windows Server
All Windows 10/11 updates (as well as the updates for their server counterparts) are cumulative. The monthly Patchday update includes all security fixes for these Windows versions, as well as any non-security fixes released up to Patchday. In addition to security patches, the updates therefore also include bug fixes and new features (e.g., the Moments 2 update for Windows 11 22H2). Microsoft is integrating the Servicing Stack Updates (SSUs) into the Latest Cumulative Updates (LCUs) for newer versions of Windows 10. A list of the latest SSUs can be found at ADV990001 (although the list is not always up to date).
Windows 7 SP1/Windows Server 2012 R2
Windows 7 SP1 has not been supported since January 2020. Only customers with a 4th-year ESU license (or workarounds) still receive updates. The updates can also be downloaded from the Microsoft Update Catalog. Windows 8.1 went out of support in January 2023. Windows Server 2012/R2 will receive security updates until October 2023.
Fixed vulnerabilities
Tenable has this blog post with an overview of the fixed vulnerabilities. Tenable states that a 0-day vulnerability is exploited in the wild.
- CVE-2023-28252: Windows Common Log File System Driver Elevation of Privilege Vulnerability, CVSSv3 score 7.8, important. This is an Elevation of Privilege (EoP) vulnerability in the Windows Common Log File System (CLFS) driver, the second one in 2023. CLFS is the logging service used by applications in kernel mode and user mode. The vulnerability is a post-compromise flaw, meaning an attacker could exploit it only after gaining access to a vulnerable target. Successful exploitation elevates the attacker's privileges to SYSTEM. According to Microsoft, the vulnerability has been exploited in the wild as a zero-day. Its discovery is attributed to Genwei Jiang of Mandiant and Quan Jin of DBAPPSecurity WeBin Lab. According to Bleeping Computer, Kaspersky says that they also discovered CVE-2023-28252 and reported it to Microsoft after seeing it exploited in Nokoyawa ransomware attacks.
- CVE-2023-21554: Microsoft Message Queuing Remote Code Execution Vulnerability, CVSSv3 score 9.8, critical. This is an RCE vulnerability affecting Microsoft Message Queuing (MSMQ). An attacker could exploit it by sending a specially crafted MSMQ packet to an affected MSMQ server. Microsoft's advisory notes that the Windows Message Queuing Service must be enabled for the vulnerability to be exploitable; when the service is enabled, the host listens on TCP port 1801.
In addition to this RCE vulnerability, two denial-of-service CVEs in MSMQ (CVE-2023-21769 and CVE-2023-28302), both rated "important", were also patched this month.
- CVE-2023-28250: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability, CVSSv3 score 8.8, critical. This is an RCE vulnerability affecting Windows Pragmatic General Multicast (PGM). The MSMQ service must be enabled for successful exploitation. An attacker could exploit this vulnerability by sending a crafted file over the network to execute arbitrary code. This vulnerability affects all supported versions of Windows, including Server Core installations.
- CVE-2023-28231: DHCP Server Service Remote Code Execution Vulnerability, CVSSv3 score 9.8, critical. This is an RCE vulnerability affecting the Dynamic Host Configuration Protocol (DHCP) server service. Microsoft rates this vulnerability as "Exploitation More Likely" on the Microsoft Exploitability Index. Successful exploitation requires that an attacker first be on an adjacent network before sending a crafted RPC call to the DHCP server.
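As an added example (not code from the original post, from Microsoft or from Tenable), the following PowerShell function reports whether a host meets the exposure conditions described for the three network-facing vulnerabilities above: Message Queuing service installed and running, a listener on TCP 1801, and the DHCP Server service present. The function name, the firewall rule name and the -DisableMsmq switch are assumptions of this example.

```powershell
# Added example, not from the original post: report whether this host exposes the
# conditions the advisories describe (MSMQ service enabled / TCP 1801 listening for
# CVE-2023-21554 and CVE-2023-28250, DHCP Server service running for CVE-2023-28231).
# Run from an elevated PowerShell session on Windows 8/Server 2012 or later.
function Get-PatchdayExposure {
    [CmdletBinding()]
    param(
        # Optional hardening for hosts that do not need Message Queuing:
        # stop and disable the service and block inbound TCP 1801.
        [switch]$DisableMsmq
    )

    $msmq      = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    $dhcp      = Get-Service -Name DHCPServer -ErrorAction SilentlyContinue
    $listeners = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue

    # Resolve the process name behind each 1801 listener for triage.
    $owners = foreach ($l in $listeners) {
        (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    }

    $report = [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        MsmqServiceState = if ($msmq) { "$($msmq.Status) / $($msmq.StartType)" } else { 'NotInstalled' }
        Tcp1801Listening = [bool]$listeners
        Tcp1801Owner     = if ($owners) { ($owners | Sort-Object -Unique) -join ',' } else { 'none' }
        DhcpServerState  = if ($dhcp) { "$($dhcp.Status) / $($dhcp.StartType)" } else { 'NotInstalled' }
        MsmqExposed      = ([bool]$msmq) -and ($msmq.Status -eq 'Running')
    }

    if ($DisableMsmq -and $msmq) {
        Stop-Service -Name MSMQ -Force
        Set-Service -Name MSMQ -StartupType Disabled
        # The rule name is a constructed label; adapt it to your naming convention.
        if (-not (Get-NetFirewallRule -DisplayName 'Block MSMQ TCP 1801' -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName 'Block MSMQ TCP 1801' -Direction Inbound `
                -Protocol TCP -LocalPort 1801 -Action Block | Out-Null
        }
        $report | Add-Member -NotePropertyName MsmqDisabled -NotePropertyValue $true
    }

    $report
}

# Report only; add -DisableMsmq on hosts where Message Queuing is confirmed to be unused.
Get-PatchdayExposure | Format-List
```

Installing the April updates remains the fix; the switch only reduces exposure on hosts that never needed MSMQ.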
A list of all covered CVEs can be found on this Microsoft page; excerpts are available at Tenable. Below is the list of patched products:
- .NET Core
- Azure Machine Learning
- Azure Service Connector
- Microsoft Bluetooth Driver
- Microsoft Defender for Endpoint
- Microsoft Dynamics
- Microsoft Dynamics 365 Customer Voice
- Microsoft Edge (Chromium-based)
- Microsoft Graphics Component
- Microsoft Message Queuing
- Microsoft Office
- Microsoft Office Publisher
- Microsoft Office SharePoint
- Microsoft Office Word
- Microsoft PostScript Printer Driver
- Microsoft Printer Drivers
- Microsoft WDAC OLE DB provider for SQL
- Microsoft Windows DNS
- Visual Studio
- Visual Studio Code
- Windows Active Directory
- Windows ALPC
- Windows Ancillary Function Driver for WinSock
- Windows Boot Manager
- Windows Clip Service
- Windows CNG Key Isolation Service
- Windows Common Log File System Driver
- Windows DHCP Server
- Windows Enroll Engine
- Windows Error Reporting
- Windows Group Policy
- Windows Internet Key Exchange (IKE) Protocol
- Windows Kerberos
- Windows Kernel
- Windows Layer 2 Tunneling Protocol
- Windows Lock Screen
- Windows Netlogon
- Windows Network Address Translation (NAT)
- Windows Network File System
- Windows Network Load Balancing
- Windows NTLM
- Windows PGM
- Windows Point-to-Point Protocol over Ethernet (PPPoE)
- Windows Point-to-Point Tunneling Protocol
- Windows Raw Image Extension
- Windows RDP Client
- Windows Registry
- Windows RPC API
- Windows Secure Boot
- Windows Secure Channel
- Windows Secure Socket Tunneling Protocol (SSTP)
- Windows Transport Security Layer (TLS)
- Windows Win32K
In April 2023, support for Exchange Server 2013 will end and the product will no longer receive security updates. To help organizations identify unsupported versions of Microsoft Exchange Server, the following plugins are available:
- Plugin ID 22313: Microsoft Exchange Server Unsupported Version Detection
- Plugin ID 10880: Microsoft Exchange Server Unsupported Version Detection (Uncredentialed)
Similar articles:
Microsoft Security Update Summary (April 11, 2023)
Patchday: Windows 10 Updates (April 11, 2023)
Patchday: Windows 11/Server 2022 Updates (April 11, 2023)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (April 11, 2023)
Patchday: Microsoft Office Updates (April 11, 2023)
Microsoft April 2023 Patchday issues
Windows 10 22H2 Preview Update KB5025297 (April 25, 2023)
Windows 11 22H2: Preview-Update KB5025305 (April 25, 2023)
Windows 11 21H2 Preview Update KB5025298 (April 25, 2023)