Details: Tech Support by: Emerald City IT; Support Field: Computer Repair and Tech Support; Support Category: Virus, Spyware, & Malware Removal

Microsoft today patched 80 different vulnerabilities. This includes the Chromium vulnerabilities affecting Microsoft Edge. Nine vulnerabilities are rated as "Critical" by Microsoft.

Three of the vulnerabilities, all rated "important", are already being exploited:

CVE-2023-21715: Microsoft Publisher Security Feature Bypass. This vulnerability will allow the execution of macros bypassing policies blocking them.

CVE-2023-23376: Windows Common Log File Ssytem Driver Elevation of Privilege Vulnerability

CVE-2023-21823: Windows Graphics Component Remote Code Execution Vulnerability. Patches for this vulnerability may only be available via the Microsoft Store. Make sure you have these updates enabled.

Some additional vulnerabilities of interest:

CVE-2023-21803: Windows iSCSI Discovery Service Remote Code Execution Vulnerability. Likely not the most common issue to be patched this month, but something that may easily be missed. This vulnerability, if exploited, could be used for lateral movement.

CVE-2023-21716: Microsoft Word Remote Code Execution Vulnerability. Word is always a great target as it offers a large attack surface. No known exploit for this vulnerability, but its CVSS score of 9.8 will attract some attention. The rating of "critical" implies that it is not necessary to open the document to trigger the vulnerability.

Visual Studio: Several vulnerabilities, two of them critical, affect Visual Studio. Attacks against developers are often not well documented but appear on the rise.

Description
CVE	Disclosed	Exploited	Exploitability (old versions)	current version	Severity	CVSS Base (AVG)	CVSS Temporal (AVG)
curl use after free vulnerability affecting CBL Mariner 2.0
CVE-2022-43552	No	No	-	-	-
.NET Framework Denial of Service Vulnerability
CVE-2023-21722	No	No	Less Likely	Less Likely	Important	4.4	3.9
.NET and Visual Studio Remote Code Execution Vulnerability
CVE-2023-21808	No	No	Less Likely	Less Likely	Critical	7.8	6.8
3D Builder Remote Code Execution Vulnerability
CVE-2023-23377	No	No	-	-	Important	7.8	6.8
CVE-2023-23390	No	No	-	-	Important	7.8	6.8
Azure App Service on Azure Stack Hub Elevation of Privilege Vulnerability
CVE-2023-21777	No	No	-	-	Important	8.7	7.6
Azure Data Box Gateway Remote Code Execution Vulnerability
CVE-2023-21703	No	No	-	-	Important	6.5	5.7
Azure DevOps Server Cross-Site Scripting Vulnerability
CVE-2023-21564	No	No	-	-	Important	7.1	6.2
Azure DevOps Server Remote Code Execution Vulnerability
CVE-2023-21553	No	No	-	-	Important	7.5	6.5
Azure Machine Learning Compute Instance Information Disclosure Vulnerability
CVE-2023-23382	No	No	-	-	Important	6.5	5.7
HTTP.sys Information Disclosure Vulnerability
CVE-2023-21687	No	No	-	-	Important	5.5	4.8
MITRE: CVE-2019-15126 Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device
CVE-2019-15126	No	No	-	-	-
Microsoft Defender for Endpoint Security Feature Bypass Vulnerability
CVE-2023-21809	No	No	-	-	Important	7.8	6.8
Microsoft Defender for IoT Elevation of Privilege Vulnerability
CVE-2023-23379	No	No	-	-	Important	6.4	5.6
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVE-2023-21807	No	No	Unlikely	Less Likely	Important	5.8	5.1
CVE-2023-21570	No	No	-	-	Important	5.4	4.7
CVE-2023-21571	No	No	-	-	Important	5.4	4.7
CVE-2023-21572	No	No	-	-	Important	6.5	5.7
CVE-2023-21573	No	No	-	-	Important	5.4	4.7
Microsoft Dynamics Unified Service Desk Remote Code Execution Vulnerability
CVE-2023-21778	No	No	Less Likely	Less Likely	Important	8.3	7.2
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
CVE-2023-23374	No	No	Less Likely	Less Likely	Moderate	8.3	7.2
Microsoft Edge (Chromium-based) Spoofing Vulnerability
CVE-2023-21794	No	No	Less Likely	Less Likely	Low	4.3	3.9
Microsoft Edge (Chromium-based) Tampering Vulnerability
CVE-2023-21720	No	No	Less Likely	Less Likely	Low	5.3	4.8
Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2023-21706	No	No	-	-	Important	8.8	7.7
CVE-2023-21707	No	No	-	-	Important	8.8	7.7
CVE-2023-21529	No	No	-	-	Important	8.8	7.7
CVE-2023-21710	No	No	-	-	Important	7.2	6.3
Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2023-21797	No	No	-	-	Important	8.8	7.7
CVE-2023-21798	No	No	-	-	Important	8.8	7.7
Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2023-21704	No	No	-	-	Important	7.8	6.8
Microsoft Office Information Disclosure Vulnerability
CVE-2023-21714	No	No	-	-	Important	5.5	4.8
Microsoft OneNote Spoofing Vulnerability
CVE-2023-21721	No	No	-	-	Important	6.5	5.7
Microsoft PostScript Printer Driver Information Disclosure Vulnerability
CVE-2023-21693	No	No	-	-	Important	5.7	5.1
Microsoft PostScript Printer Driver Remote Code Execution Vulnerability
CVE-2023-21684	No	No	-	-	Important	8.8	7.7
CVE-2023-21801	No	No	-	-	Important	7.8	6.8
Microsoft Protected Extensible Authentication Protocol (PEAP) Denial of Service Vulnerability
CVE-2023-21701	No	No	-	-	Important	7.5	6.5
Microsoft Protected Extensible Authentication Protocol (PEAP) Information Disclosure Vulnerability
CVE-2023-21691	No	No	-	-	Important	7.5	6.5
Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
CVE-2023-21689	No	No	-	-	Critical	9.8	8.5
CVE-2023-21690	No	No	-	-	Critical	9.8	8.5
CVE-2023-21692	No	No	-	-	Critical	9.8	8.5
CVE-2023-21695	No	No	-	-	Important	7.5	6.5
Microsoft Publisher Security Features Bypass Vulnerability
CVE-2023-21715	No	Yes	-	-	Important	7.3	6.4
Microsoft SQL ODBC Driver Remote Code Execution Vulnerability
CVE-2023-21718	No	No	-	-	Critical	7.8	6.8
Microsoft SQL Server Integration Service (VS extension) Remote Code Execution Vulnerability
CVE-2023-21568	No	No	-	-	Important	7.3	6.4
Microsoft SQL Server Remote Code Execution Vulnerability
CVE-2023-21528	No	No	More Likely	Less Likely	Important	7.8	6.8
CVE-2023-21705	No	No	-	-	Important	8.8	7.7
CVE-2023-21713	No	No	-	-	Important	8.8	7.7
Microsoft SharePoint Server Elevation of Privilege Vulnerability
CVE-2023-21717	No	No	-	-	Important	8.8	7.7
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2023-21799	No	No	-	-	Important	8.8	7.7
CVE-2023-21685	No	No	-	-	Important	8.8	7.7
CVE-2023-21686	No	No	-	-	Important	8.8	7.7
Microsoft Word Remote Code Execution Vulnerability
CVE-2023-21716	No	No	-	-	Critical	9.8	8.5
NT OS Kernel Elevation of Privilege Vulnerability
CVE-2023-21688	No	No	-	-	Important	7.8	6.8
Power BI Report Server Spoofing Vulnerability
CVE-2023-21806	No	No	-	-	Important	8.2	7.1
Print 3D Remote Code Execution Vulnerability
CVE-2023-23378	No	No	-	-	Important	7.8	7.1
Visual Studio Denial of Service Vulnerability
CVE-2023-21567	No	No	More Likely	Less Likely	Important	5.6	5.1
Visual Studio Elevation of Privilege Vulnerability
CVE-2023-21566	No	No	Less Likely	Less Likely	Important	7.8	6.8
Visual Studio Remote Code Execution Vulnerability
CVE-2023-21815	No	No	-	-	Critical	8.4	7.3
CVE-2023-23381	No	No	-	-	Critical	8.4	7.3
Windows Active Directory Domain Services API Denial of Service Vulnerability
CVE-2023-21816	No	No	-	-	Important	7.5	6.5
Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2023-21812	No	No	-	-	Important	7.8	6.8
CVE-2023-23376	No	Yes	-	-	Important	7.8	6.8
Windows Distributed File System (DFS) Remote Code Execution Vulnerability
CVE-2023-21820	No	No	-	-	Important	7.4	6.4
Windows Fax Service Remote Code Execution Vulnerability
CVE-2023-21694	No	No	-	-	Important	6.8	5.9
Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2023-21804	No	No	-	-	Important	7.8	6.8
CVE-2023-21822	No	No	-	-	Important	7.8	6.8
Windows Graphics Component Remote Code Execution Vulnerability
CVE-2023-21823	No	Yes	-	-	Important	7.8	7.5
Windows Installer Elevation of Privilege Vulnerability
CVE-2023-21800	No	No	-	-	Important	7.8	6.8
Windows Internet Storage Name Service (iSNS) Server Information Disclosure Vulnerability
CVE-2023-21697	No	No	-	-	Important	6.2	5.4
CVE-2023-21699	No	No	-	-	Important	5.3	4.6
Windows Kerberos Elevation of Privilege Vulnerability
CVE-2023-21817	No	No	Less Likely	Less Likely	Important	7.8	6.8
Windows MSHTML Platform Remote Code Execution Vulnerability
CVE-2023-21805	No	No	-	-	Important	7.8	6.8
Windows Media Remote Code Execution Vulnerability
CVE-2023-21802	No	No	-	-	Important	7.8	6.8
Windows Secure Channel Denial of Service Vulnerability
CVE-2023-21813	No	No	Less Likely	Less Likely	Important	7.5	6.5
CVE-2023-21818	No	No	More Likely	More Likely	Important	7.5	6.5
CVE-2023-21819	No	No	-	-	Important	7.5	6.5
Windows iSCSI Discovery Service Denial of Service Vulnerability
CVE-2023-21700	No	No	-	-	Important	7.5	6.5
Windows iSCSI Discovery Service Remote Code Execution Vulnerability
CVE-2023-21803	No	No	-	-	Critical	9.8	8.5
Windows iSCSI Service Denial of Service Vulnerability
CVE-2023-21811	No	No	-	-	Important	7.5	6.5
CVE-2023-21702	No	No	-	-	Important	7.5	6.5

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|