Patch Tuesday March 2023 – Microsoft Releases Fixes for 23 Vulnerabilities
March Vulnerability Management Highlights
As part of the March vulnerability patching bout, Microsoft has released 23 fixes for Chromium- and OS-based security bugs. The list also features patches for non-Edge vulnerabilities such as the Windows MSHTML Remote Code Execution Vulnerability and the Power BI Report Server spoofing vulnerability. With this in mind, let’s take a closer look at what Patch Tuesday March 2023 has in store for us. Enjoy!
Patch Tuesday March 2023 – Highlights
We’ll start the list with CVE-2023-21805, a Windows MSHTML Platform Remote Code Execution vulnerability. With a CVSS 3.1 score of 7.8 / 6.8 (i.e. Medium), this defect, which was traced back to a flawed Windows MSHTML Platform component, can potentially allow a threat actor to bypass safeguards and execute arbitrary code on the victim’s machine. A security patch is available on Microsoft’s official website. The next item is CVE-2023-21806, a Power BI Report Server Spoofing vulnerability, with a CVSS 3.1 score of 8.2 / 7.1 (i.e. High).
According to Microsoft, an attacker could potentially trigger a full DoS across the network by passing the victim a specially crafted package. Upon user interaction, the threat actor would gain elevated permissions within the domain, allowing him to further exploit this web server vulnerability. Furthermore, per Microsoft’s observations, the threat actor could also tamper with report files, an action that would permit him to launch JavaScript-based attacks. CVE-2023-21806 has been addressed as part of Patch Tuesday March 2023.
The full list of fixed vulnerabilities can be found below.
Release Date | CVE Number | CVE Title |
---|---|---|
Mar 13, 2023 | CVE-2023-1236 | Chromium: CVE-2023-1236 Inappropriate implementation in Internals |
Mar 13, 2023 | CVE-2023-1235 | Chromium: CVE-2023-1235 Type Confusion in DevTools |
Mar 13, 2023 | CVE-2023-1234 | Chromium: CVE-2023-1234 Inappropriate implementation in Intents |
Mar 13, 2023 | CVE-2023-1233 | Chromium: CVE-2023-1233 Insufficient policy enforcement in Resource Timing |
Mar 13, 2023 | CVE-2023-1232 | Chromium: CVE-2023-1232 Insufficient policy enforcement in Resource Timing |
Mar 13, 2023 | CVE-2023-1231 | Chromium: CVE-2023-1231 Inappropriate implementation in Autofill |
Mar 13, 2023 | CVE-2023-1230 | Chromium: CVE-2023-1230 Inappropriate implementation in WebApp Installs |
Mar 13, 2023 | CVE-2023-1229 | Chromium: CVE-2023-1229 Inappropriate implementation in Permission prompts |
Mar 13, 2023 | CVE-2023-1228 | Chromium: CVE-2023-1228 Insufficient policy enforcement in Intents |
Mar 13, 2023 | CVE-2023-1224 | Chromium: CVE-2023-1224 Insufficient policy enforcement in Web Payments API |
Mar 13, 2023 | CVE-2023-1223 | Chromium: CVE-2023-1223 Insufficient policy enforcement in Autofill |
Mar 13, 2023 | CVE-2023-1222 | Chromium: CVE-2023-1222 Heap buffer overflow in Web Audio API |
Mar 13, 2023 | CVE-2023-1221 | Chromium: CVE-2023-1221 Insufficient policy enforcement in Extensions API |
Mar 13, 2023 | CVE-2023-1220 | Chromium: CVE-2023-1220 Heap buffer overflow in UMA |
Mar 13, 2023 | CVE-2023-1219 | Chromium: CVE-2023-1219 Heap buffer overflow in Metrics |
Mar 13, 2023 | CVE-2023-1218 | Chromium: CVE-2023-1218 Use after free in WebRTC |
Mar 13, 2023 | CVE-2023-1217 | Chromium: CVE-2023-1217 Stack buffer overflow in Crash reporting |
Mar 13, 2023 | CVE-2023-1216 | Chromium: CVE-2023-1216 Use after free in DevTools |
Mar 13, 2023 | CVE-2023-1215 | Chromium: CVE-2023-1215 Type Confusion in CSS |
Mar 13, 2023 | CVE-2023-1214 | Chromium: CVE-2023-1214 Type Confusion in V8 |
Mar 13, 2023 | CVE-2023-1213 | Chromium: CVE-2023-1213 Use after free in Swiftshader |
Feb 14, 2023 | CVE-2023-21805 | Windows MSHTML Platform Remote Code Execution Vulnerability |
Feb 14, 2023 | CVE-2023-21806 | Power BI Report Server Spoofing Vulnerability |
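The table above is plain pipe-separated text, which makes it easy to turn into a structured triage list rather than a page to read by eye. The following Python is an added example, not code from the Heimdal post or from Microsoft. It parses a constructed excerpt of the rows above (the `TABLE` constant, in the article’s own format), classifies each entry by the weakness named in its title, orders the CVEs for deployment with memory-safety and code-execution bugs first, and flags fixes older than a 30-day window (the monthly scanning cadence recommended below). The review date `REVIEW_DATE`, the weakness classes and the `Advisory` record are assumptions of this example; the CVE ids and titles are the ones listed on the page.

```python
"""Parse a Patch Tuesday table like the one above and triage its rows.

Added example, not code from the Heimdal post or from Microsoft.
TABLE is a constructed excerpt of the article's rows, in the article's format.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime

TABLE = """\
Release Date | CVE Number | CVE Title |
---|---|---|
Mar 13, 2023 | CVE-2023-1236 | Chromium: CVE-2023-1236 Inappropriate implementation in Internals |
Mar 13, 2023 | CVE-2023-1233 | Chromium: CVE-2023-1233 Insufficient policy enforcement in Resource Timing |
Mar 13, 2023 | CVE-2023-1222 | Chromium: CVE-2023-1222 Heap buffer overflow in Web Audio API |
Mar 13, 2023 | CVE-2023-1214 | Chromium: CVE-2023-1214 Type Confusion in V8 |
Feb 14, 2023 | CVE-2023-21805 | Windows MSHTML Platform Remote Code Execution Vulnerability |
Feb 14, 2023 | CVE-2023-21806 | Power BI Report Server Spoofing Vulnerability |
"""

# Constructed review date for this example: one week after the March release.
REVIEW_DATE = date(2023, 3, 20)

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Weakness classes inferred from the wording used in the CVE titles (an
# assumption of this example). Order matters: the first match wins, and
# memory-safety bugs, which most often end in code execution, come first.
WEAKNESS_PATTERNS = [
    ("memory-safety", re.compile(r"buffer overflow|use after free|type confusion", re.I)),
    ("remote-code-execution", re.compile(r"remote code execution", re.I)),
    ("policy-enforcement", re.compile(r"insufficient policy enforcement", re.I)),
    ("logic", re.compile(r"inappropriate implementation", re.I)),
    ("spoofing", re.compile(r"spoofing", re.I)),
]
PRIORITY = [name for name, _ in WEAKNESS_PATTERNS] + ["other"]


@dataclass(frozen=True)
class Advisory:
    released: date
    cve: str
    title: str
    vendor: str      # "Chromium" for bugs Edge inherits, otherwise "Microsoft"
    weakness: str


def parse_table(text: str) -> list[Advisory]:
    """Turn the pipe-separated table into Advisory records.

    Header, separator and blank lines are skipped by requiring a CVE id in
    the second column; a row with a malformed date raises ValueError rather
    than being silently dropped from the triage list.
    """
    records = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or not CVE_RE.fullmatch(cells[1]):
            continue
        released = datetime.strptime(cells[0], "%b %d, %Y").date()
        title = cells[2]
        vendor = "Chromium" if title.startswith("Chromium:") else "Microsoft"
        weakness = next((n for n, pat in WEAKNESS_PATTERNS if pat.search(title)), "other")
        records.append(Advisory(released, cells[1], title, vendor, weakness))
    return records


def prioritized(advisories: list[Advisory]) -> list[str]:
    """CVE ids in deployment order: memory-safety and RCE fixes first."""
    return [a.cve for a in sorted(advisories, key=lambda a: (PRIORITY.index(a.weakness), a.cve))]


def triage(advisories: list[Advisory], as_of: date, max_age_days: int = 30) -> tuple[dict[str, int], list[str]]:
    """Count advisories per weakness class and list fixes older than the
    scanning cadence, which a monthly scan should already show as deployed."""
    by_weakness = dict(Counter(a.weakness for a in advisories))
    overdue = sorted(a.cve for a in advisories if (as_of - a.released).days > max_age_days)
    return by_weakness, overdue


if __name__ == "__main__":
    advs = parse_table(TABLE)
    counts, overdue = triage(advs, REVIEW_DATE)
    print("deploy order:", prioritized(advs))
    print("by weakness:", counts)
    print("older than 30 days on", REVIEW_DATE, ":", overdue)
```

Feeding the full table from the page through `parse_table` works the same way; the point of the classification is that the two heap overflows, the stack overflow, the use-after-frees and the type confusions in the Chromium rows land at the top of the deployment list, while the February entries show up as overdue if a month has passed without confirmation that they were applied.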
Additional Cybersecurity Advice
This wraps up the spring edition of Heimdal®’s Patch Tuesday updates. As usual, here are a few things you can try out to bolster your threat defenses and step up your vulnerability & patch management game.
- Backtracking. There’s no true recipe for flawless patching, which means something’s bound to go wrong at some point (e.g., an unexpected patch failure, connection errors, no mobile control, insufficient privileges, failure to meet regulatory compliance requirements, etc.). Make sure your backups are in place and working so that you can revert the app(s) to a previous version if you need to.
- Frequent vulnerability scans. Don’t forget about your vulnerability scanning schedule. Best practice dictates that scanning should occur at least once per month. Don’t forget to document your findings.
- Automatic patching. Smaller organizations tend to rely on manual patching in order to deploy all relevant improvement-carrying packages. However, things change a bit when you’re in the shoes of an IT admin catering to the needs of hundreds of users. The best way around this issue is, of course, automatic patching. If configured correctly, an automatic patching solution can ensure timely (and correct) deployment and a low risk of incompatibility. Heimdal®’s Patch & Asset Management can aid you in quickly distributing your patches, whether they are OS-specific, 3rd party, proprietary, or UX/UI-oriented.
- (Electronic) paper trail. If you’re managing a team, consider drafting up a list of patching protocols. Include dates, times, operating systems, tests, and everything else you can think of. Don’t forget to scribble down any modifications made to the software.