Microsoft Tops April List of 2,200 Vulnerabilities


Recorded Future has released its April 2023 CVE Monthly report which identifies a total of approximately 2,200 vulnerabilities, mostly across major software vendors such as Microsoft, Apple and Google, and impacting both consumer and enterprise users in Australia.

Nikolas Kalogirou, Country Manager, ANZ for Recorded Future commented“This month again we’re seeing major technology and software companies serving thousands of organisations and millions of users around the world, including in Australia, impacted”.

“I urge organisations in Australia, especially in critical industries and/or with large contingents of remote workers using mobile devices, to pay very close attention to the top 15 high risk vulnerabilities we have identified across Microsoft, Apple and Google. They need to work with their security teams to audit their systems and be very proactive about putting in place the required patching measures”.

Key findings include:

  • Major software vendors disclosed 7 zero-day vulnerabilities in April 2023, including security features, access control components, sandboxing environments, and operating systems.
  • 15 of the approximately 2,200 vulnerabilities disclosed were high-risk
  • Consistently with recent months Microsoft was once again the most prominent vendor, accounting for 3 high-risk vulnerabilities, while Google Chrome is for the first time publicly reporting a vulnerability that has an exploit in the wild in 2023
  • One of the Microsoft vulnerabilities is currently being exploited in the wild for privilege escalation by the Nokoya ransomware group
  • According to some experts, the involvement of Amnesty International in some of the Apple vulnerabilities would suggest that the flaws are being exploited by nation-state actors.
  • One of the Google vulnerabilities received the most attention in terms of references from security researchers this month, according to Recorded Future’s data set on the Recorded Future Intelligence Cloud.

Here’s a full summary of the key insights from the report (see full report attached)

  • Recorded Future identified 15 newly disclosed vulnerabilities with high risk scores for April 2023, 6 of which are zero-day vulnerabilities affecting Microsoft, Apple, and Google.
  • The 3 vulnerabilities that attracted some of the highest attention from security researchers according to Recorded Future’s dataset were: 
    • CVE-2023-28252, an out-of-bounds write vulnerability in Windows Common Log File System. The flaw has been exploited to ultimately deploy Nokoyawa ransomware payloads.
    • CVE-2023-2033, a type confusion vulnerability in Google Chrome’s V8 Javascript engine.
    • CVE-2023-28206, an out-of-bounds write vulnerability in Apple’s IOSurfaceAccelerator and WebKit.
  • Microsoft 
    • On April 11, 2023, Microsoft disclosed a remote code execution (RCE) vulnerability tracked as CVE-2023-28311. A threat actor could execute arbitrary code on a system through the vulnerability in Microsoft Office if a victim opens a specially crafted file. This vulnerability can then be exploited to run unauthorized code on the system.
    • Microsoft released a second advisory on April 11, 2023, regarding a zero-day vulnerability in the Windows Common Log File System (CLFS). The vulnerability, tracked as CVE-2023-28252, is an out-of-bounds write vulnerability that allows an authenticated threat actor to gain SYSTEM privileges. A threat actor could exploit the vulnerability by manipulating base log files and this vulnerability is currently being exploited in the wild for privilege escalation by the Nokoya ransomware group
    • Check Point Research identified a vulnerability tracked as CVE-2023-21554 in Microsoft Message Queuing Service (MSMQ), which may allow arbitrary code execution and denial-of-service (DoS) of Windows service processes.
  • Google 
    • Google issued 2 updates to address the Chrome vulnerability CVE-2023-2033 on April 14, 2023. The vulnerability is a type confusion weakness in Chrome’s V8 Javascript engine that can be exploited by crafting HTML pages to trigger a heap overflow.
    • This is Google Chrome’s first publicly reported vulnerability to have an exploit in the wild in 2023
    • This vulnerability received the most attention in terms of references from security researchers this month, according to our data set on the Recorded Future Intelligence Cloud.
  • Apple 
    • Apple was also a prominent vendor in this month’s data set. Apple vulnerabilities accounted for 2 of the vulnerabilities with very critical risk scores, which Amnesty International’s Security Lab initially reported: CVE-2023-28205 and CVE-2023-28206.
    • The first vulnerability is a use-after-free vulnerability that if exploited can lead to code execution when processing malicious web content.
    • The second vulnerability is an out-of-bounds write vulnerability in IOSurfaceAccelerator and WebKit that could lead to data corruption, system crash, and code execution with kernel privileges.
    • The involvement of Amnesty International would indicate that the flaws are being exploited by nation-state actors, with an engineer from Vulcan Cyber commenting: “While Apple hasn’t said much about the exploits, it seems likely, given the reporting and earlier history, that the exploits were deployed by state-level threat actors”. Apple protects users by not disclosing technical details about zero-day vulnerabilities, in order to slow threat actors’ ability to develop and deploy new exploits that target vulnerable devices.

You can read the full report here.