We’re already a third of the way through 2023, and April’s Patch Tuesday has arrived! The figures are similar to last month with 97 total vulnerabilities being patched. Included in this total are seven critical vulnerabilities two publicly disclosed, and two reported to be exploited in the wild.
April’s Instalment includes patches for the following:
• .NET Core
• Microsoft Bluetooth Driver
• Microsoft Defender for Endpoint
• Microsoft Dynamics
• Microsoft Office
• Microsoft PostScript Printer Driver
• Microsoft Printer Drivers
• Microsoft Windows DNS
• Visual Studio
• Windows Active Directory
• Windows Boot Manager
• Windows Common Log File System Driver
• Windows DHCP Server
• Windows Group Policy
• Windows Internet Key Exchange (IKE) Protocol
• Windows Kerberos
• Windows Kernel
• Windows Network Address Translation (NAT)
• Windows Network File System
• Windows Network Load Balancing
• Windows NTLM
• Windows PGM
• Windows Point-to-Point Protocol over Ethernet (PPPoE)
• Windows Point-to-Point Tunneling Protocol
• Windows Raw Image Extension
• Windows RDP Client
• Windows Registry
• Windows RPC API
• Windows Secure Boot
• Windows Secure Channel
• Windows Transport Security Layer (TLS)
• Windows Win32K
This critical flaw resides in the Windows Message Queuing component, and if exploited could allow a remote attacker to execute arbitrary code on the server side. Exploitation requires an attacker to send a specially crafted malicious MSMQ packet to a MSMQ server. This flaw is only present on systems that have enabled the Windows message queuing service; If message queuing is enabled, and TCP port 1801 is listening on the machine, you are likely at risk. As always, we recommend applying the latest Windows updates as soon as possible.
This critical vulnerability requires an authenticated attacker to leverage a specially crafted RPC call to the DHCP service. Successful exploitation of this flaw could allow a remote attacker to execute code on the target system.
Please note that exploitation of this vulnerability requires access to the restricted network before running an attack.
Layer 2 Tunnelling Protocol is currently affected by two critical remote code execution vulnerabilities that can be exploited by an unauthenticated attacker sending a specially crafted connection request to a RAS server. Attack complexity for this vulnerability is high, and successful exploitation requires the attacker to win a race condition.
This critical vulnerability in Windows PPTP could allow a remote attacker to execute arbitrary code on the target system. This attack can be triggered when a user connects a Windows client to a malicious server; successful exploitation requires an attacker to take additional actions prior to exploitation to prepare the target environment.
This publicly disclosed vulnerability exists in curl, an open-source command line tool that allows the transfer of data using various protocols. If exploited, this vulnerability could allow a remote attacker to execute arbitrary code on the target system. Version 7.87.0 of curl addresses this CVE; we advise all users to update as soon as possible. Alternatively, users can block the execution of curl.exe as a temporary workaround.
Another remote code execution flaw, this time residing in the Raw Image Extension addon for the Microsoft Photos application. The Microsoft Store should automatically update this application to the latest secure version; we advise that all users check if auto updates for the Microsoft Store are enabled, to ensure they are protected against this critical vulnerability.
This important vulnerability exists in the Windows CLFS driver and, if exploited, could allow an attacker to gain system level privileges. This has been actively used by attackers as part of the recent Nokoyawa ransomware attacks.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2023-Apr
Security update guide: https://msrc.microsoft.com/update-guide/
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.