Microsoft today released software updates to plug 100 security holes in its Windows operating systems and other software, including a zero-day vulnerability that is already being used in active attacks. Not to be outdone, Apple has released a set of important updates addressing two zero-day vulnerabilities that are being used to attack iPhones, iPads and Macs.

**Microsoft** today released software updates to plug 100 security holes in its **Windows** operating systems and other software, including a zero-day vulnerability that is already being used in active attacks. Not to be outdone, **Apple** has released a set of important updates addressing _two_ zero-day vulnerabilities that are being used to attack **iPhones**, **iPads** and **Macs**.

On April 7, Apple issued emergency security updates to fix two weaknesses that are being actively exploited, including CVE-2023-28206, which can be exploited by apps to seize control over a device. CVE-2023-28205 can be used by a malicious or hacked website to install code.

Both vulnerabilities are addressed in iOS/iPadOS 16.4.1, iOS 15.7.5, and macOS 12.6.5 and 11.7.6. If you use Apple devices and you don’t have automatic updates enabled (they are on by default), you should probably take care of that soon as detailed instructions on how to attack CVE-2023-28206 are now public.

Microsoft’s bevy of 100 security updates released today include CVE-2023-28252, which is a weakness in Windows that Redmond says is under active attack. The vulnerability is in the **Windows Common Log System File System** (CLFS) driver, a core Windows component that was the source of attacks targeting a different zero-day vulnerability in February 2023.

“If it seems familiar, that’s because there was a similar 0-day patched in the same component just two months ago,” said **Dustin Childs** at the **Trend Micro Zero Day Initiative**. “To me, that implies the original fix was insufficient and attackers have found a method to bypass that fix. As in February, there is no information about how widespread these attacks may be. This type of exploit is typically paired with a code execution bug to spread malware or ransomware.”

According to the security firm **Qualys**, this vulnerability has been leveraged by cyber criminals to deploy **Nokoyawa** ransomware.

“This is a relatively new strain for which there is some open source intel to suggest that it is possibly related to Hive ransomware – one of the most notable ransomware families of 2021 and linked to breaches of over 300+ organizations in a matter of just a few months,” said **Bharat Jogi**, director of vulnerability and threat research at Qualys.

Jogi said while it is still unclear which exact threat actor is targeting CVE-2023-28252, targets have been observed in South and North America, regions across Asia and at organizations in the Middle East.

**Satnam Narang** at **Tenable** notes that CVE-2023-28252 is also the second CLFS zero-day disclosed to Microsoft by researchers from **Mandiant** and **DBAPPSecurity** (CVE-2022-37969), though it is unclear if both of these discoveries are related to the same attacker.

Seven of the 100 vulnerabilities Microsoft fixed today are rated “Critical,” meaning they can be used to install malicious code with no help from the user. Ninety of the flaws earned Redmond’s slightly less-dire “Important” label, which refers to weaknesses that can be used to undermine the security of the system but which may require some amount of user interaction.

Narang said Microsoft has rated nearly 90% of this month’s vulnerabilities as “Exploitation Less Likely,” while just 9.3% of flaws were rated as “Exploitation More Likely.” **Kevin Breen** at **Immersive Labs** zeroed in on several notable flaws in that 9.3%, including CVE-2023-28231, a remote code execution vulnerability in a core Windows network process (DHCP) with a CVSS score of 8.8.

“‘Exploitation more likely’ means it’s not being actively exploited but adversaries may look to try and weaponize this one,” Breen said. “Micorosft does note that successful exploitation requires an attacker to have already gained initial access to the network. This could be via social engineering, spear phishing attacks, or exploitation of other services.”

Breen also called attention to CVE-2023-28220 and CVE-2023-28219 — a pair of remote code execution vulnerabilities affecting **Windows Remote Access Servers** (RAS) that also earned Microsoft’s “exploitation more likely” label.

“An attacker can exploit this vulnerability by sending a specially crafted connection request to a RAS server, which could lead to remote code execution,” Breen said. While not standard in all organizations, RAS servers typically have direct access from the Internet where most users and services are connected. This makes it extremely enticing for attackers as they don’t need to socially engineer their way into an organization. They can simply scan the internet for RAS servers and automate the exploitation of vulnerable devices.”

For more details on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.

Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.

Microsoft (& Apple) Patch Tuesday, April 2023 Edition

The April 2023 Patch Tuesday security update also included a reissue of a fix for a 10-year-old bug that a threat actor recently exploited in the supply chain attack on 3CX.

Microsoft's Patch Tuesday security update for April 2023 contains patches for 97 CVEs, including one zero-day bug under active exploit in ransomware attacks, another that's a reissue of a fix for a flaw from 2013 that a threat actor recently exploited in a supply chain attack on 3CX, and a wormable bug rated critical in severity.

Microsoft identified a total of seven of the bugs it fixed this month as being of critical severity, which typically means organizations need to make them a top priority from a patch implementation standpoint.

**Zero-Day Used in Ransomware Attacks**

Nearly half, or 45, of the vulnerabilities in the April update enable remote code execution (RCE), a significant uptick from the average of 33 RCE bugs that Microsoft has reported in each of the previous three months. Even so, the company rated nearly 90% of the CVEs in the latest batch as bugs that cyberattackers are less likely to exploit — just 9% are characterized as flaws that threat actors are more likely to exploit.

The zero-day bug, tracked as CVE-2023-28252, is an elevation-of-privilege vulnerability in the Windows Common Log File System (CLFS) that affects all supported versions of Windows 10 and Windows Server. It is the second CLFS zero day in recent months — the other was CVE-2022-37969 — and it gives adversaries who already have access to the platform a way to gain highly privileged system-level privileges. 

"This vulnerability leverages existing system access to actively exploit a device and is a result of how the CLFS driver interacts with objects in memory on a system," said Gina Geisel, a security researcher at Automox. To exploit the flaw, an attacker would need to log in to a system and then execute a malicious binary to elevate privileges. 

"Automox recommends patch deployment within 24 hours since this is an actively exploited zero-day," Geisel said in emailed comments to Dark Reading.

In a blog post issued in tandem with Microsoft's update, Kaspersky said its researchers had observed a threat actor exploiting CVE-2023-28252 to deliver Nokoyawa ransomware on systems belonging to small and midsized organizations in North America, the Middle East, and Asia. The security vendor's analysis shows that the exploits are similar to already-known driver exploits targeting CLFS. 

"The exploit was highly obfuscated with more than 80% of its code being 'junk' elegantly compiled into the binary," according to the analysis. Kaspersky researchers said they reported the bug to Microsoft after observing an adversary using it in ransomware attacks in February.

**A Patch From the Past**

Another patch in Microsoft's April update that researchers are recommending organizations pay attention to is CVE-2013-3900, a 10-year-old signature validation vulnerability in the Windows WinVerifyTrust function. A threat actor — believed to be North Korea's Lazarus Group — recently exploited the flaw in a supply-chain attack on 3CX that resulted in malware landing on systems belonging to users of the company's video-conferencing software. 

When Microsoft released the patch in 2013, the company had decided to make it an opt-in patch because of the potential for the fix to cause problems for some organizations. With the April security update, Microsoft has made the fix available for more platforms and provide more recommendations for organizations on how to address the issue. 

"Definitely take the time to review all of the recommendations, including the information on the Microsoft Trusted Root Program, and take the actions needed to protect your environment," Dustin Childs, researcher with Trend Micro's Zero Day Initiative (ZDI) said in a blog post.

**A Slew of RCE Vulnerabilities**

Researchers identified two of the critical vulnerabilities in April's batch as needing immediate action. One of them is CVE-2023-21554. 

The bug affects Microsoft Message Queuing (MSMQ) technology and gives attackers a way to gain RCE by sending a specially crafted MSMQ packet to a MSMQ server. The vulnerability affects Windows 10, 11, and Server 2008-2022 systems that have the message queuing feature enabled on their systems, Automox researcher Peter Pflaster said in emailed comments. Administrators should consider applying Microsoft patch for the issue ASAP, since the company has noted that threat actors are more likely to exploit the vulnerability.

That's just one of two critical vulnerabilities affecting the Windows Message Queuing system that Microsoft fixed this week. The other is CVE-2023-28250, a vulnerability in Windows Pragmatic Multicast that, like CVE-2023-21554, has a base score of 9.8 and is potentially wormable. 

"This patch Tuesday MSFT fixed some critical flaws, of which we would recommend organizations to prioritize patching vulnerabilities those that are actively being exploited and wormable," said Bharat Jogi, director of vulnerability and threat Research, at Qualys.

The other critical vulnerability that needs immediate fixing is CVE-2023-28231, a RCE bug in the DHCP Server service. Microsoft has assessed the bug as another issue that attackers are more likely to try and weaponize. To exploit the bug, an attacker would need prior access on a network. But once on it, the adversary could initiate remote code execution on the DHCP server, according to Kevin Breen, director of cyber threat research at Immersive Labs. 

"Microsoft recommends that DHCP services are not installed on Domain Controllers, however, smaller organizations will commonly see DC and DHCP services co-located. In this instance the impact could be a lot higher," Breen warned in emailed comments. Attackers that have control over DHCP servers could wreak considerable havoc on the network including stealing credentials for software-as-a-service (SaaS) products, or to carry out machine-in-the-middle (MITM) attacks, he noted.

Microsoft Patches 97 CVEs, Including Zero-Day & Wormable Bugs

# Microsoft Security Advisory CVE-2023-28260: .NET Remote Code Execution Vulnerability

## <a name="executive-summary"></a>Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET running on Windows where a runtime DLL can be loaded from an unexpected location, resulting in remote code execution.

## Announcement

Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/250

### <a name="mitigation-factors"></a>Mitigation factors

Microsoft has not identified any mitigating factors for this vulnerability.

## <a name="affected-software"></a>Affected software

* Any .NET 7.0 application running on .NET 7.0.4 or earlier.
* Any .NET 6.0 application running on .NET 6.0.15 or earlier.

## Advisory FAQ

### <a name="how-affected"></a>How do I know if I am affected?

If you have a runtime or SDK with a version listed, or an affected package listed in [affected software](#affected-software), you're exposed to the vulnerability.

### <a name="how-fix"></a>How do I fix the issue?

* To fix the issue please install the latest version of .NET 6.0 or .NET 7.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET  SDKs.
* If you have .NET 6.0 or greater installed, you can list the versions you have installed by running the `dotnet --info` command. You will see output like the following;
* If you are using one of the affected packages, please update to the patched version listed above. 

```
.NET Core SDK (reflecting any global.json):

 Version:   6.0.300
 Commit:    8473146e7d

Runtime Environment:

 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\6.0.300\

Host (useful for support):

  Version: 6.0.5
  Commit:  8473146e7d

.NET Core SDKs installed:

  6.0.300 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:

  Microsoft.AspNetCore.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download
```
* If you're using .NET 7.0, you should download and install Runtime 7.0.5 or SDK 7.0.203 (for Visual Studio 2022 v17.5) from https://dotnet.microsoft.com/download/dotnet-core/7.0.
* If you're using .NET 6.0, you should download and install Runtime 6.0.16 or SDK 6.0.311 (for Visual Studio 2022 v17.2) from https://dotnet.microsoft.com/download/dotnet-core/6.0.

.NET 6.0 and and .NET 7.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed [self-contained applications](https://docs.microsoft.com/dotnet/core/deploying/#self-contained-deployments-scd) including [Native AOT](https://learn.microsoft.com/dotnet/core/deploying/native-aot/) targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

## Other Information

### Reporting Security Issues

If you have found a potential security issue in .NET 6.0 or .NET 7.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at <https://aka.ms/corebounty>.

### Support

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

### Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

### Acknowledgements
[ycdxsb](https://github.com/ycdxsb) with [VARAS@IIE](http://www.iie.ac.cn/)

### External Links

[CVE-2023-28260]( https://www.cve.org/CVERecord?id=CVE-2023-28260)

### Revisions

V1.0 (April 11, 2023): Advisory published.

_Version 1.0_

_Last Updated 2023-04-11_

**Microsoft Security Advisory CVE-2023-28260: .NET Remote Code Execution Vulnerability****Executive summary**

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET running on Windows where a runtime DLL can be loaded from an unexpected location, resulting in remote code execution.

**Announcement**

Announcement for this issue can be found at dotnet/announcements#250

**Mitigation factors**

Microsoft has not identified any mitigating factors for this vulnerability.

**Affected software**

*   Any .NET 7.0 application running on .NET 7.0.4 or earlier.
*   Any .NET 6.0 application running on .NET 6.0.15 or earlier.

**Advisory FAQ****How do I know if I am affected?**

If you have a runtime or SDK with a version listed, or an affected package listed in affected software, you're exposed to the vulnerability.

**How do I fix the issue?**

*   To fix the issue please install the latest version of .NET 6.0 or .NET 7.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
*   If you have .NET 6.0 or greater installed, you can list the versions you have installed by running the dotnet --info command. You will see output like the following;
*   If you are using one of the affected packages, please update to the patched version listed above.

    .NET Core SDK (reflecting any global.json):
    
     Version:   6.0.300
     Commit:    8473146e7d
    
    Runtime Environment:
    
     OS Name:     Windows
     OS Version:  10.0.18363
     OS Platform: Windows
     RID:         win10-x64
     Base Path:   C:\Program Files\dotnet\sdk\6.0.300\
    
    Host (useful for support):
    
      Version: 6.0.5
      Commit:  8473146e7d
    
    .NET Core SDKs installed:
    
      6.0.300 [C:\Program Files\dotnet\sdk]
    
    .NET Core runtimes installed:
    
      Microsoft.AspNetCore.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
      Microsoft.NETCore.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
      Microsoft.WindowsDesktop.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
    
    To install additional .NET Core runtimes or SDKs:
      https://aka.ms/dotnet-download
    

*   If you're using .NET 7.0, you should download and install Runtime 7.0.5 or SDK 7.0.203 (for Visual Studio 2022 v17.5) from https://dotnet.microsoft.com/download/dotnet-core/7.0.
*   If you're using .NET 6.0, you should download and install Runtime 6.0.16 or SDK 6.0.311 (for Visual Studio 2022 v17.2) from https://dotnet.microsoft.com/download/dotnet-core/6.0.

.NET 6.0 and and .NET 7.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed self-contained applications including Native AOT targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

**Other Information****Reporting Security Issues**

If you have found a potential security issue in .NET 6.0 or .NET 7.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.

**Support**

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

**Disclaimer**

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

**Acknowledgements**

ycdxsb with VARAS@IIE

**External Links**

CVE-2023-28260

**Revisions**

V1.0 (April 11, 2023): Advisory published.

_Version 1.0_

_Last Updated 2023-04-11_

**References**

*   GHSA-w4m3-43gp-x8hx
*   https://nvd.nist.gov/vuln/detail/CVE-2023-28260
*   https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28260
*   https://www.cve.org/CVERecord?id=CVE-2023-28260

GHSA-w4m3-43gp-x8hx: .NET Remote Code Execution Vulnerability

Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVE-2023-28252

Windows Kernel Denial of Service Vulnerability

CVE-2023-28298

Windows Remote Procedure Call Service (RPCSS) Elevation of Privilege Vulnerability

CVE-2023-28297

Windows Network File System Information Disclosure Vulnerability

CVE-2023-28247

Windows Registry Elevation of Privilege Vulnerability

CVE-2023-28246

Windows NTLM Elevation of Privilege Vulnerability

CVE-2023-28225

Windows Enroll Engine Security Feature Bypass Vulnerability

Tag

#windows