Site icon Sophos News

April showers Windows updates on sysadmins

Microsoft on Tuesday released patches for 97 vulnerabilities in ten product families, including 7 Critical-severity issues in Windows. As is the custom, the largest number of addressed vulnerabilities affect Windows, with 77 CVEs. Visual Studio follows with 5 CVEs; followed by Dynamics and SQL (3 each); Azure, Office, and Publisher (2 each); and Defender, .NET (counted separately from the Visual Studio patches), and SharePoint (one each).  

At patch time, none of the issues this month has been publicly disclosed, and only one appears to be under exploit in the wild: CVE-2023-28252, an Important-severity elevation-of-privilege issue in Windows’ Common Log File system driver. However, Microsoft cautions that ten of the Windows CVEs addressed are more likely to be exploited in the affected product soon (that is, within the next 30 days). Interestingly, eight of the ten flagged issues apply only to the latest version of Windows, not to earlier versions. 

Two of those Windows issues also have a 9.8 CVSS base score (and an 8.5 temporal score), signaling to network administrators that they are worth prioritizing. CVE-2023-28231 (DHCP Server Service Remote Code Execution Vulnerability) and CVE-2023-21554 (Microsoft Message Queuing Remote Code Execution Vulnerability) are both Critical-severity RCEs submitted to Microsoft by external security researchers, and both are flagged by Microsoft as more likely to be exploited within the next 30 days. Another Critical-severity messaging issue, CVE-2023-28250 (Windows Pragmatic General Multicast [PGM] Remote Code Execution Vulnerability), also received a 9.8 CVSS score this month, though Microsoft considers exploitation of this issue less likely in the next 30 days. 

It’s not a light patch load, but observers may find cheer in an interesting statistic: Our year-over-year numbers indicate that Microsoft is confronting far fewer elevation-of-privilege issues so far this year. As of today, Microsoft has patched 87 EoP issues; at this point last year, they’d patched 125. (Overall year-to-year patch tallies are about even – 359 patches in the first four months of 2022, 340 this year – with notable year-to-year increases in patches addressing spoofing or information-disclosure issues.) 

By the numbers

Exit mobile version