As part of the March vulnerability patching bout, Microsoft has released 23 fixes for Chromium- and OS-based security bugs. The list also features patches for non-Edge vulnerabilities such as the Windows MSHTML Remote Code Execution Vulnerability and the Power BI Report Server spoofing vulnerability. With this in mind, let’s take a closer look at what Patch Tuesday March 2023 has in store for us. Enjoy!

Patch Tuesday March 2023 – Highlights

We’ll start the list with CVE-2023-21805, a Windows MSHTML Platform Remote Code Execution vulnerability. With a CVSS score of 6.8 (i.e. Medium), this defect, which was traced back to a bugged Windows MSHTML Platform component, can potentially allow a threat actor to bypass safeguards and execute arbitrary code on the victim’s machine. A security patch is available on Microsoft’s official website. Next item is CVE-2023-21806, a Power BI Report Server Spoofing vulnerability, with a score of 7.1 (i.e. High) on the CVSS scale.

According to Microsoft, an attacker could potentially trigger a full DOS across the network by passing the victim a specially-crafted package. Upon user interaction, the threat actor would have gained elevated permissions within the domain, allowing him to further exploit this web server vulnerability. Furthermore, per Microsoft’s observations, the threat actor could also tamper with report files, an action that would permit him to JavaScript-based attacks. CVE-2023-2180 has been addressed as part of Patch Tuesday March 2023.

The full list of fixed vulnerabilities can be found below.

Release Date
CVE Number
CVE Title
Mar 13, 2023
Chromium: CVE-2023-1236 Inappropriate implementation in Internals
Mar 13, 2023
Chromium: CVE-2023-1235 Type Confusion in DevTools
Mar 13, 2023
Chromium: CVE-2023-1234 Inappropriate implementation in Intents
Mar 13, 2023
Chromium: CVE-2023-1233 Insufficient policy enforcement in Resource Timing
Mar 13, 2023
Chromium: CVE-2023-1232 Insufficient policy enforcement in Resource Timing
Mar 13, 2023
Chromium: CVE-2023-1231 Inappropriate implementation in Autofill
Mar 13, 2023
Chromium: CVE-2023-1230 Inappropriate implementation in WebApp Installs
Mar 13, 2023
Chromium: CVE-2023-1229 Inappropriate implementation in Permission prompts
Mar 13, 2023
Chromium: CVE-2023-1228 Insufficient policy enforcement in Intents
Mar 13, 2023
Chromium: CVE-2023-1224 Insufficient policy enforcement in Web Payments API
Mar 13, 2023
Chromium: CVE-2023-1223 Insufficient policy enforcement in Autofill
Mar 13, 2023
Chromium: CVE-2023-1222 Heap buffer overflow in Web Audio API
Mar 13, 2023
Chromium: CVE-2023-1221 Insufficient policy enforcement in Extensions API
Mar 13, 2023
Chromium: CVE-2023-1220 Heap buffer overflow in UMA
Mar 13, 2023
Chromium: CVE-2023-1219 Heap buffer overflow in Metrics
Mar 13, 2023
Chromium: CVE-2023-1218 Use after free in WebRTC
Mar 13, 2023
Chromium: CVE-2023-1217 Stack buffer overflow in Crash reporting
Mar 13, 2023
Chromium: CVE-2023-1216 Use after free in DevTools
Mar 13, 2023
Chromium: CVE-2023-1215 Type Confusion in CSS
Mar 13, 2023
Chromium: CVE-2023-1214 Type Confusion in V8
Mar 13, 2023
Chromium: CVE-2023-1213 Use after free in Swiftshader
Feb 14, 2023
Windows MSHTML Platform Remote Code Execution Vulnerability
Feb 14, 2023
Power BI Report Server Spoofing Vulnerability

Additional Cybersecurity Advice

This wraps up the spring edition of Heimdal®’s Patch Tuesday updates. As you would expect, here are a couple of things you can try out to bolster your threat defenses and jog up your vulnerability & patch management game.

  1. Backtracking. There’s no true recipe for flawless patching, which means something’s bound to happen at any time (e.g., unexpected patch failure, connection errors, no mobile control, insufficient privileges, failure to meet regulatory compliance requirements, etc.). Ensure that your backups are up and running if you need to revert the app(s) to a previous version.
  2. Frequent vulnerability scans. Don’t forget about your vulnerability scanning schedule. The best practice dictates that scanning should occur at least once per month. Don’t forget about documenting your findings.
  3. Automatic patching. Smaller organizations tend to rely on manual patching in order to deploy all relevant improvement-carrying packages. However, things tend to change a bit when you’re in the shoes of an IT admin catering to the needs of hundreds of users. The best way around this issue is, of course, automatic patching. If configured correctly, an automatic patching solution can ensure timely (and correct) deployment and a low risk of incompatibility. Heimdal®’s Patch & Asset Management can aid you in quickly distributing your patches, regardless if they are OS-specific, 3rd party, proprietary, or UX/UI-oriented.
  4. (Electronic) paper trail. If you’re managing a team, consider drafting up a list of patching protocols. Include dates, times, Operating Systems, tests, and everything you can think of. Don’t forget to scribble down any modifications made to the software.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.

Leave a Reply

Your email address will not be published. Required fields are marked *