Microsoft Fixes Zero-Day Bug This Patch Tuesday

Written by

Microsoft’s Patch Tuesday release this month included a security update for a Windows zero-day vulnerability being actively exploited in the wild.

The bug in question, CVE-2023-28252, is described as an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver.

No proof of concept has been discovered for the exploit as yet, so Microsoft customers should patch immediately, advised Mike Walters, VP of vulnerability and threat research at Action1.

“This vulnerability has a low complexity and uses a local attack vector, requiring only low privileges to exploit and no interaction from the user. It affects Windows Server versions from 2008 onward, as well as all versions of Windows 10,” he explained.

“The vulnerability has a CVSS risk score of 7.8, which is lower because it can only be executed locally. However, it still poses a high privilege escalation risk because an attacker who successfully exploits it can gain system privileges.”

Dustin Childs, head of threat awareness at the Zero Day Initiative, added that a similar zero-day was patched in the same Windows component just two months ago.

“To me, that implies the original fix was insufficient and attackers have found a method to bypass that fix,” he added.

“As in February, there is no information about how widespread these attacks may be. This type of exploit is typically paired with a code execution bug to spread malware or ransomware. Definitely test and deploy this patch quickly.”

There were updates for a total of seven vulnerabilities rated critical, including CVE-2023-21554, a remote code execution bug in Microsoft Message Queuing which was given a CVSS rating of 9.8.

“It allows a remote, unauthenticated attacker to run their code with elevated privileges on affected servers with the Message Queuing service enabled. This service is disabled by default but is commonly used by many contact center applications,” explained Childs.

“It listens to TCP port 1801 by default, so blocking this at the perimeter would prevent external attacks. However, it’s not clear what impact this may have on operations. Your best option is to test and deploy the update.”

Editorial image credit: rafapress /

What’s hot on Infosecurity Magazine?