Microsoft released updates resolving 97 new CVEs and five older CVEs in the April Patch Tuesday release. Seven CVEs are rated as Critical this month. The updates affect the Windows OS, Microsoft Office and 365 Apps, .NET Core, Visual Studio, Azure Machine Learning and Azure Service Connector, and there are updates for SQL Server and the Microsoft ODBC and OLE DB drivers.

There is a new confirmed exploited vulnerability (CVE-2023-28252) resolved in the Windows OS update this month, and Microsoft has updated the affected-products list for CVE-2013-3900, a previously resolved vulnerability that has been confirmed to be exploited.

Microsoft updated the affected-products list for a WinVerifyTrust Signature Validation vulnerability (CVE-2013-3900). The vulnerability has been publicly disclosed and has confirmed exploits in the wild. No changes have been made to Microsoft's guidance; the April update only adds Server Core editions to the affected-products list.
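Since the guidance for CVE-2013-3900 is unchanged and remains an opt-in registry setting, the check worth running is whether that opt-in is actually present on your hosts. The following PowerShell is an added example, not code from the original post; the key paths and the EnableCertPaddingCheck value name come from Microsoft's published guidance for this CVE, and the script assumes it is run from an elevated prompt.

```powershell
# Added example: audit whether the CVE-2013-3900 (WinVerifyTrust) opt-in
# certificate padding check is enabled. Microsoft's guidance sets a REG_SZ
# value of "1" in the 64-bit registry view and, on x64 systems, also in the
# Wow6432Node view so 32-bit callers of WinVerifyTrust get the strict check.

$paths = @('HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config')
if ([Environment]::Is64BitOperatingSystem) {
    $paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
}

function Test-CertPaddingCheck {
    param([string]$Path)
    # Missing key or value returns $null rather than throwing.
    $value = (Get-ItemProperty -Path $Path -Name 'EnableCertPaddingCheck' `
                  -ErrorAction SilentlyContinue).EnableCertPaddingCheck
    [pscustomobject]@{
        Path    = $Path
        Value   = $value
        Enabled = ($value -eq '1')   # only the string "1" enables the check
    }
}

$results = $paths | ForEach-Object { Test-CertPaddingCheck -Path $_ }
$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Enabled }) {
    Write-Warning 'CVE-2013-3900 mitigation is not enabled in every registry view; Authenticode padding is not strictly validated.'
    # To opt in, after testing (some legitimately signed installers rely on
    # the padding and will fail validation once the check is on):
    # foreach ($p in $paths) {
    #     New-Item -Path $p -Force | Out-Null
    #     New-ItemProperty -Path $p -Name 'EnableCertPaddingCheck' `
    #         -PropertyType String -Value '1' -Force | Out-Null
    # }
}
```

Run it across a fleet through your endpoint management tooling and treat any host reporting Enabled = False as still exposed, regardless of which cumulative update it has installed.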

Microsoft has resolved an Elevation of Privilege vulnerability in the Windows Common Log File System Driver (CVE-2023-28252) which, if successfully exploited, could allow an attacker to gain SYSTEM privileges. The vulnerability has been confirmed to be exploited in the wild. It is rated as Important and affects all currently supported versions of the Windows OS.

Microsoft has resolved a vulnerability in SQL Server which could allow Remote Code Execution (CVE-2023-23384). The vulnerability is rated as Important and has a CVSS v3.1 score of 7.3. The crash required to exploit the vulnerability would not be easy to achieve, but the attack could be attempted over the network by an unauthenticated user.

Azure vulnerabilities

Microsoft has resolved two Azure vulnerabilities this month. Depending on your configuration, you may need to take manual steps to resolve them.

The first is a Security Feature Bypass in Azure Service Connector (CVE-2023-28300). To gain unauthorized access to the target environment, the attacker must already hold the RBAC Reader role or above and would need to chain additional vulnerabilities. Azure Service Connector is updated when the Azure Command-Line Interface (CLI) is updated to the latest version. If you have automatic updates enabled (they are not enabled by default), no action is needed. If you prefer to update manually, Microsoft has an update article for the CLI.

The second is an Information Disclosure vulnerability in Azure Machine Learning (CVE-2023-28312). The vulnerability could allow an attacker to disclose system logs, but would not allow the attacker to modify data or make the service unavailable. To update the Azure Machine Learning Compute Instance you will need to refer to Microsoft's guidance. If a compute instance currently exists, it will be overwritten when the update command is applied.

Microsoft has resolved a Remote Code Execution vulnerability in Raw Image Extension (CVE-2023-28291), a Microsoft Store app. The Store app should update automatically, but if you are running a disconnected environment it will not be updated automatically.

Third-party updates 

  • Apple released updates resolving two exploited zero-day vulnerabilities (CVE-2023-28205 and CVE-2023-28206). The vulnerabilities affect macOS, iOS and iPadOS. Apple started releasing updates on April 7, 2023. More details can be found on the following release pages: macOS 13.3.1, iOS 16.4.1 and iPadOS 16.4.1, macOS 12.6.5 and 11.7.6, iOS/iPadOS 15.7.5 and Safari 16.4.1. A CISA advisory on April 7 warned of the active exploitation of the two Apple CVEs and of three additional 2021 CVEs in Veritas Backup Exec.
  • Mozilla Firefox 112 and Firefox ESR 102.10 were released, resolving 22 unique vulnerabilities, including eight high-severity vulnerabilities.
  • Adobe released an update for Acrobat and Reader (APSB23-24). The update is Priority 3 and resolves 16 CVEs, 14 of which are rated as Critical.
  • Oracle's Critical Patch Update (CPU) will be released on April 18. This will cover many Oracle products, including Java. After the Oracle Java release there is a stream of additional updates that follow: Red Hat OpenJDK, Amazon Corretto, Azul Zulu, Eclipse Adoptium, AdoptOpenJDK and other Java distributions will all begin updating once the Oracle Java release is out. Keep that in mind as you plan your maintenance this cycle.

Prioritization guidance

  • The Windows OS update should be the top priority this month among Microsoft updates, to respond to the zero-day exploit (CVE-2023-28252).
  • Apple updates for macOS, iPadOS, iOS and Safari should also be at the top of your priority list, to respond to the pair of zero-day exploits (CVE-2023-28205 and CVE-2023-28206).
  • Updates for Microsoft Office, Mozilla Firefox and Adobe Acrobat and Reader should be secondary priorities. No active exploits or public disclosures have been reported at this time, but these are more commonly targeted applications and typically carry a low risk of impacting users when updated.