Microsoft tops the list for cyber vulnerabilities in April
Intelligence company Recorded Future has released its April 2023 CVE Monthly report, which identifies a total of approximately 2,200 vulnerabilities, mostly across major software vendors such as Microsoft, Apple and Google, and impacting both consumer and enterprise users in Australia.
"This month again we're seeing major technology and software companies serving thousands of organisations and millions of users around the world, including in Australia, impacted," says Nikolas Kalogirou, Country Manager, ANZ for Recorded Future.
"I urge organisations in Australia, especially in critical industries and/or with large contingents of remote workers using mobile devices, to pay very close attention to the top 15 high risk vulnerabilities we have identified across Microsoft, Apple and Google," he says.
"They need to work with their security teams to audit their systems and be very proactive about putting in place the required patching measures."
Key findings include:
- Major software vendors disclosed seven zero-day vulnerabilities in April 2023, including security features, access control components, sandboxing environments, and operating systems.
- Fifteen of the approximately 2,200 vulnerabilities disclosed were high-risk.
- Consistent with recent months, Microsoft was once again the most prominent vendor, accounting for three high-risk vulnerabilities, while Google Chrome recorded its first publicly reported vulnerability of 2023 with an exploit in the wild.
According to the report, one of the Microsoft vulnerabilities is currently being exploited in the wild for privilege escalation by the Nokoyawa ransomware group. It also says the involvement of Amnesty International in some of the Apple vulnerabilities suggests that the flaws are being exploited by nation-state actors. One of the Google vulnerabilities received the most attention in terms of references from security researchers this month.
The three vulnerabilities that attracted the highest attention from security researchers were CVE-2023-28252, an out-of-bounds write vulnerability in the Windows Common Log File System, which has been exploited to ultimately deploy Nokoyawa ransomware payloads; CVE-2023-2033, a type confusion vulnerability in Google Chrome's V8 JavaScript engine; and CVE-2023-28206, an out-of-bounds write vulnerability in Apple's IOSurfaceAccelerator and WebKit.
Microsoft
On April 11, 2023, Microsoft disclosed a remote code execution (RCE) vulnerability in Microsoft Office tracked as CVE-2023-28311. A threat actor could exploit it to execute arbitrary, unauthorised code on a system if a victim opens a specially crafted file.
Microsoft released a second advisory on April 11, 2023, regarding a zero-day vulnerability in the Windows Common Log File System (CLFS). The vulnerability, tracked as CVE-2023-28252, is an out-of-bounds write vulnerability that allows an authenticated threat actor to gain SYSTEM privileges. A threat actor could exploit the vulnerability by manipulating base log files, and it is currently being exploited in the wild for privilege escalation by the Nokoyawa ransomware group.
Check Point Research identified a vulnerability tracked as CVE-2023-21554 in Microsoft Message Queuing Service (MSMQ), which may allow arbitrary code execution and denial-of-service (DoS) of Windows service processes.
Google
Google issued two updates to address the Chrome vulnerability CVE-2023-2033 on April 14, 2023. The vulnerability is a type confusion weakness in Chrome's V8 JavaScript engine that can be exploited by crafting HTML pages to trigger a heap overflow.
This is Google Chrome's first publicly reported vulnerability to have an exploit in the wild in 2023. This vulnerability received the most attention in terms of references from security researchers.
Apple
Apple was also a prominent vendor in this month's data set. Apple vulnerabilities accounted for two of the vulnerabilities with very critical risk scores, which Amnesty International's Security Lab initially reported: CVE-2023-28205 and CVE-2023-28206.
The first vulnerability is a use-after-free vulnerability that, if exploited, can lead to code execution when processing malicious web content.
The second vulnerability is an out-of-bounds write vulnerability in IOSurfaceAccelerator and WebKit that could lead to data corruption, system crash, and code execution with kernel privileges.
The involvement of Amnesty International would indicate that the flaws are being exploited by nation-state actors, with an engineer from Vulcan Cyber commenting: "While Apple hasn't said much about the exploits, it seems likely, given the reporting and earlier history, that the exploits were deployed by state-level threat actors".
Apple protects users by not disclosing technical details about zero-day vulnerabilities, in order to slow threat actors' ability to develop and deploy new exploits that target vulnerable devices.