Microsoft security alert.
April 11, 2023
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 90 vulnerabilities that were fixed in 12 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 12 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft SharePoint Server and Foundation Update for April 2023
- Severity
- Serious 3
- Qualys ID
- 110431
- Vendor Reference
- KB5002373, KB5002375, KB5002381, KB5002383, KB5002385
- CVE Reference
- CVE-2023-28288
- CVSS Scores
- Base 6.8 / Temporal 5.3
- Description
-
Microsoft has released April 2023 security updates to fix multiple security vulnerabilities.
This security update contains the following KBs:
KB5002375
KB5002373
KB5002383
KB5002385
KB5002381
QID Detection Logic (Authenticated):
Operating System: Windows
The detection extracts the Install Path for Microsoft SharePoint via the Windows Registry. Below is the mapping of Filename, patched version and KB details checked for each applicable Product:
ONETUTIL.DLL - 16.0.5391.1000 (KB5002385)
ONETUTIL.DLL - 16.0.10397.20002 (KB5002373)
PJINTL.DLL - 16.0.16130.20314 (KB5002375)
ONETUTIL.DLL - 15.0.5545.1000 (KB5002383)
MSOSERVER.DLL - 15.0.5545.1000 (KB5002381)
- Consequence
-
Successful exploitation allows spoofing.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
KB5002375
KB5002373
KB5002383
KB5002385
KB5002381
Patches:
The following are links for downloading patches to fix these vulnerabilities:
April 2023
-
Microsoft Office Security Update for April 2023
- Severity
- Critical 4
- Qualys ID
- 110432
- Vendor Reference
- N/A
- CVE Reference
- CVE-2023-28285, CVE-2023-28311
- CVSS Scores
- Base 6.8 / Temporal 5.3
- Description
-
Microsoft has released April 2023 security updates to fix multiple security vulnerabilities.
This security update contains the following:
Office Click-2-Run and Office 365 Release Notes
Release notes for Office for Mac
QID Detection Logic (Authenticated):
Operating System: Windows
The detection extracts the Install Path for Microsoft Office via the Windows Registry. The QID checks the file version of "graph.exe" to identify vulnerable versions of Microsoft Office. Patched Versions for Microsoft 365 Apps for enterprise, Microsoft 365 Apps for business, Office 2016 Retail (C2R), Office 2019, Office LTSC 2021, and Office 2021 are as follows:
Current Channel: Version 2303 - Build 16.016227.20280
Monthly Enterprise Channel: Version 2302 - Build 16.016130.20394
Monthly Enterprise Channel: Version 2301 - Build 16.016026.20274
Semi-Annual Enterprise Channel (Preview): Version 2302 - Build 16.016130.20394
Semi-Annual Enterprise Channel: Version 2208 - Build 16.015601.20626
Semi-Annual Enterprise Channel: Version 2202 - Build 16.014931.20964
Office 2021 Retail: Version 2303 - Build 16.016227.20280
Office 2019 Retail: Version 2303 - Build 16.016227.20280
Office 2016 Retail: Version 2303 - Build 16.016227.20280
Office LTSC 2021 Volume Licensed: Version 2108 - Build 16.014332.20493
Office 2019 Volume Licensed: Version 1808 - Build 16.010397.20021
QID Detection Logic (Authenticated):
Operating System: macOS
The QID checks the installed applications on the macOS host to find the installed Microsoft Office Apps. Microsoft Office Apps lower than 16.72 are vulnerable.
- Consequence
-
Successful exploitation allows an attacker to execute code remotely.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Office Click-2-Run and Office 365 Release Notes
Release notes for Office for Mac
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office April 2023
-
Microsoft Publisher Security Update for April 2023
- Severity
- Critical 4
- Qualys ID
- 110433
- Vendor Reference
- KB5002213, KB5002221
- CVE Reference
- CVE-2023-28287, CVE-2023-28295
- CVSS Scores
- Base 6.8 / Temporal 5
- Description
-
Microsoft has released April 2023 security updates to fix multiple security vulnerabilities.
This security update contains the following:
Office Click-2-Run and Office 365 Release Notes
Release notes for Office for Mac
KB5002221
KB5002213
QID Detection Logic (Authenticated):
Operating System: Windows
The detection extracts the Install Path for Microsoft Publisher via the Windows Registry. The QID checks the file version of "mspub.exe" to identify vulnerable versions of Microsoft Publisher. Below is the list of Patched Versions:
Microsoft Publisher KB5002213 - 15.0.5545.1000
Microsoft Publisher KB5002221 - 16.0.5391.1000
Patched Versions for Microsoft 365 Apps for enterprise, Microsoft 365 Apps for business, Office 2016 Retail (C2R), Office 2019, Office LTSC 2021, and Office 2021 are as follows:
Current Channel: Version 2303 - Build 16.016227.20280
Monthly Enterprise Channel: Version 2302 - Build 16.016130.20394
Monthly Enterprise Channel: Version 2301 - Build 16.016026.20274
Semi-Annual Enterprise Channel (Preview): Version 2302 - Build 16.016130.20394
Semi-Annual Enterprise Channel: Version 2208 - Build 16.015601.20626
Semi-Annual Enterprise Channel: Version 2202 - Build 16.014931.20964
Office 2021 Retail: Version 2303 - Build 16.016227.20280
Office 2019 Retail: Version 2303 - Build 16.016227.20280
Office 2016 Retail: Version 2303 - Build 16.016227.20280
Office LTSC 2021 Volume Licensed: Version 2108 - Build 16.014332.20493
Office 2019 Volume Licensed: Version 1808 - Build 16.010397.20021
- Consequence
-
Successful exploitation allows an attacker to execute code remotely.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Office Click-2-Run and Office 365 Release Notes
Release notes for Office for Mac
KB5002221
KB5002213
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Publisher April 2023
-
Microsoft Visual Studio Code Security Update for April 2023
- Severity
- Serious 3
- Qualys ID
- 378386
- Vendor Reference
- CVE-2023-24893
- CVE Reference
- CVE-2023-24893
- CVSS Scores
- Base 6.8 / Temporal 5.3
- Description
-
Visual Studio Code is a lightweight but powerful source code editor which runs on your desktop and is available for Windows, macOS and Linux.
Affected Versions:
Visual Studio Code prior to version 1.77.1
QID Detection Logic (Authenticated):
This QID checks for the vulnerable versions of Visual Studio Code.
- Consequence
-
Visual Studio Code is prone to a Remote Code Execution Vulnerability.
- Solution
-
Customers are advised to refer to CVE-2023-24893 for more information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2023-24893
-
Microsoft .NET Security Update for April 2023
- Severity
- Critical 4
- Qualys ID
- 92000
- Vendor Reference
- CVE-2023-28260
- CVE Reference
- CVE-2023-28260
- CVSS Scores
- Base 6.8 / Temporal 5
- Description
-
Microsoft has released a security update for .NET which resolves a Remote Code Execution Vulnerability.
This security update is rated Important for affected versions of .NET.
Affected versions:
.NET 6.0 before version 6.0.16
.NET 7.0 before version 7.0.5
QID Detection Logic: Authenticated
On Windows, this QID detects vulnerable versions of Microsoft .NET by checking the file version.
On Linux, this QID detects vulnerable versions of Microsoft .NET by checking the .NET version present in "/usr/share/dotnet/shared/Microsoft.NETCore.App/" and "/root/shared/Microsoft.NETCore.App" folders.
On Mac, this QID detects vulnerable versions of Microsoft .NET by checking the .NET version present in "/usr/share/dotnet/shared/Microsoft.NETCore.App/" folder.
- Consequence
-
Vulnerable versions of Microsoft .NET are prone to Remote Code Execution Vulnerability.
- Solution
-
Customers are advised to refer to CVE-2023-28260 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2023-28260
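The Linux check described for this QID can be reproduced locally on a host. The following is an added example, not Qualys detection code: it lists the runtime versions found under a Microsoft.NETCore.App directory and flags 6.0.x below 6.0.16 and 7.0.x below 7.0.5. The function names, the output format and the treatment of pre-release suffixes are assumptions.

```shell
#!/bin/sh
# Added example: flag .NET runtimes older than the fixed versions named in the
# advisory (6.0.16 and 7.0.5). Function names and output format are assumptions.

# Print the minimum patched patch-level for a given major.minor, or nothing
# if the advisory does not list that release line.
fixed_patch_for() {
    case "$1" in
        6.0) echo 16 ;;
        7.0) echo 5 ;;
    esac
}

# audit_dotnet_runtimes DIR
# DIR is a Microsoft.NETCore.App directory whose subdirectories are named after
# the installed runtime versions (e.g. 6.0.15). Prints one line per entry:
#   VULNERABLE <ver> | OK <ver> | NOT_LISTED <ver> | UNPARSED <name>
# Returns 1 if any version is VULNERABLE, otherwise 0.
audit_dotnet_runtimes() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "MISSING $dir"; return 0; }
    for path in "$dir"/*/; do
        [ -d "$path" ] || continue
        name=$(basename "$path")
        # Drop any pre-release suffix (assumption: "7.0.0-rc.1" compares as 7.0.0).
        core=${name%%-*}
        # Accept only three dot-separated numeric components.
        case "$core" in
            *[!0-9.]*|*.*.*.*|"") echo "UNPARSED $name"; continue ;;
            [0-9]*.[0-9]*.[0-9]*) ;;
            *) echo "UNPARSED $name"; continue ;;
        esac
        major=${core%%.*}
        rest=${core#*.}
        minor=${rest%%.*}
        patch=${rest#*.}
        fixed=$(fixed_patch_for "$major.$minor")
        if [ -z "$fixed" ]; then
            # Release line not covered by this advisory; report it, do not judge it.
            echo "NOT_LISTED $name"
        elif [ "$patch" -lt "$fixed" ]; then
            echo "VULNERABLE $name"
            rc=1
        else
            echo "OK $name"
        fi
    done
    return $rc
}
```

Call it once per directory named in the detection logic, for example `audit_dotnet_runtimes /usr/share/dotnet/shared/Microsoft.NETCore.App`. Several runtime versions can be installed side by side, so one OK line does not clear a host that also prints a VULNERABLE line.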
-
Microsoft Visual Studio Security Updates for April 2023
- Severity
- Critical 4
- Qualys ID
- 92002
- Vendor Reference
- CVE-2023-28260, CVE-2023-28262, CVE-2023-28263, CVE-2023-28296, CVE-2023-28299
- CVE Reference
- CVE-2023-28260, CVE-2023-28262, CVE-2023-28263, CVE-2023-28296, CVE-2023-28299
- CVSS Scores
- Base 7.2 / Temporal 5.6
- Description
-
Microsoft has released security updates for Visual Studio which resolve Remote Code Execution, Denial of Service and Escalation of Privilege Vulnerabilities.
Affected Software:
Microsoft Visual Studio 2022 version 17.5
Microsoft Visual Studio 2022 version 17.4
Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
Microsoft Visual Studio 2022 version 17.0
Microsoft Visual Studio 2022 version 17.2
Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
QID Detection Logic (Authenticated): Windows
This QID detects vulnerable versions of Microsoft Visual Studio by checking the registry key "HKLM\SOFTWARE\Microsoft" and the version of the file "devenv.exe".
- Consequence
-
Vulnerable versions of Microsoft Visual Studio are prone to Remote Code Execution, Information Disclosure, Elevation of Privileges, and Spoofing Vulnerabilities.
- Solution
-
Customers are advised to refer to CVE-2023-28299, CVE-2023-28296, CVE-2023-28263, CVE-2023-28262, and CVE-2023-28260 for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2023-28260
CVE-2023-28262
CVE-2023-28263
CVE-2023-28296
CVE-2023-28299
-
Microsoft Windows Security Update for April 2023
- Severity
- Urgent 5
- Qualys ID
- 92003
- Vendor Reference
- KB5025221, KB5025224, KB5025228, KB5025229, KB5025230, KB5025234, KB5025239, KB5025271, KB5025272, KB5025273, KB5025277, KB5025279, KB5025285, KB5025287, KB5025288
- CVE Reference
- CVE-2023-21727, CVE-2023-21729, CVE-2023-21769, CVE-2023-24883, CVE-2023-24884, CVE-2023-24885, CVE-2023-24886, CVE-2023-24887, CVE-2023-24912, CVE-2023-24914, CVE-2023-24924, CVE-2023-24925, CVE-2023-24926, CVE-2023-24927, CVE-2023-24928, CVE-2023-24929, CVE-2023-24931, CVE-2023-28216, CVE-2023-28217, CVE-2023-28218, CVE-2023-28219, CVE-2023-28220, CVE-2023-28221, CVE-2023-28222, CVE-2023-28224, CVE-2023-28225, CVE-2023-28226, CVE-2023-28227, CVE-2023-28228, CVE-2023-28229, CVE-2023-28231, CVE-2023-28232, CVE-2023-28233, CVE-2023-28234, CVE-2023-28235, CVE-2023-28236, CVE-2023-28237, CVE-2023-28238, CVE-2023-28240, CVE-2023-28241, CVE-2023-28243, CVE-2023-28244, CVE-2023-28246, CVE-2023-28247, CVE-2023-28248, CVE-2023-28249, CVE-2023-28252, CVE-2023-28253, CVE-2023-28266, CVE-2023-28267, CVE-2023-28268, CVE-2023-28269, CVE-2023-28270, CVE-2023-28271, CVE-2023-28272, CVE-2023-28273, CVE-2023-28274, CVE-2023-28275, CVE-2023-28276, CVE-2023-28293, CVE-2023-28297, CVE-2023-28298, CVE-2023-28302
- CVSS Scores
- Base 10 / Temporal 8.3
- Description
-
Microsoft Windows Security Update - April 2023
Operating Systems: The KB Articles associated with the update:
The patch version is 10.0.19041.2846 KB5025221
The patch version is 10.0.20348.1668 KB5025230
The patch version is 10.0.17763.4252 KB5025229
The patch version is 6.3.9600.20919 KB5025285
The patch version is 6.3.9600.20919 KB5025288
The patch version is 6.2.9200.24216 KB5025287
The patch version is 6.2.9200.24216 KB5025272
The patch version is 6.1.7601.26465 KB5025279
The patch version is 6.1.7601.26465 KB5025277
The patch version is 6.0.6003.22015 KB5025271
The patch version is 6.0.6003.22015 KB5025273
The patch version is 10.0.14393.5850 KB5025228
The patch version is 10.0.10240.19869 KB5025234
The patch version is 10.0.22621.1555 KB5025239
The patch version is 10.0.22000.1817 KB5025224
QID Detection Logic (Authenticated):
This QID checks for the file version of ntoskrnl.exe.
- Consequence
-
Successful exploit could compromise Confidentiality, Integrity and Availability
- Solution
-
Please refer to the following KB Articles associated with the update:
KB5025221
KB5025230
KB5025229
KB5025285
KB5025288
KB5025287
KB5025272
KB5025279
KB5025277
KB5025271
KB5025273
KB5025228
KB5025234
KB5025239
KB5025224
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB5025221
KB5025224
KB5025228
KB5025229
KB5025230
KB5025234
KB5025239
KB5025271
KB5025272
KB5025273
KB5025277
KB5025279
KB5025285
KB5025287
KB5025288
-
Microsoft Dynamics 365 Security Update for April 2023
- Severity
- Critical 4
- Qualys ID
- 92004
- Vendor Reference
- CVE-2023-28309, CVE-2023-28314
- CVE Reference
- CVE-2023-28309, CVE-2023-28314
- CVSS Scores
- Base 6.5 / Temporal 4.8
- Description
-
Microsoft Dynamics 365 is a product line of enterprise resource planning and customer relationship management intelligent business applications.
Affected Software:
Microsoft Dynamics 365 (on-premises) V9.1
QID Detection Logic (Authenticated):
This authenticated QID flags vulnerable systems by detecting Vulnerable versions for file Microsoft.Crm.Setup.Server.exe:
- Consequence
-
Successful exploitation of this vulnerability could lead to some loss of confidentiality and Cross-site Scripting Vulnerability
- Solution
-
Customers are advised to refer to CVE-2023-28314 and CVE-2023-28309 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2023-28309
CVE-2023-28314
-
Microsoft Azure Stack Hub Security Update for April 2023
- Severity
- Critical 4
- Qualys ID
- 92005
- Vendor Reference
- Azure Stack Hub
- CVE Reference
- CVE-2023-21554, CVE-2023-21727, CVE-2023-21729, CVE-2023-21769, CVE-2023-24883, CVE-2023-24884, CVE-2023-24885, CVE-2023-24886, CVE-2023-24887, CVE-2023-24912, CVE-2023-24924, CVE-2023-24925, CVE-2023-24926, CVE-2023-24927, CVE-2023-24928, CVE-2023-24929, CVE-2023-24931, CVE-2023-28216, CVE-2023-28217, CVE-2023-28218, CVE-2023-28219, CVE-2023-28220, CVE-2023-28221, CVE-2023-28222, CVE-2023-28223, CVE-2023-28224, CVE-2023-28225, CVE-2023-28227, CVE-2023-28228, CVE-2023-28229, CVE-2023-28231, CVE-2023-28232, CVE-2023-28235, CVE-2023-28236, CVE-2023-28237, CVE-2023-28238, CVE-2023-28240, CVE-2023-28241, CVE-2023-28243, CVE-2023-28244, CVE-2023-28247, CVE-2023-28248, CVE-2023-28249, CVE-2023-28250, CVE-2023-28252, CVE-2023-28253, CVE-2023-28254, CVE-2023-28255, CVE-2023-28256, CVE-2023-28266, CVE-2023-28267, CVE-2023-28268, CVE-2023-28269, CVE-2023-28270, CVE-2023-28271, CVE-2023-28272, CVE-2023-28273, CVE-2023-28274, CVE-2023-28275, CVE-2023-28276, CVE-2023-28278, CVE-2023-28293, CVE-2023-28297, CVE-2023-28298, CVE-2023-28302, CVE-2023-28305, CVE-2023-28306, CVE-2023-28307, CVE-2023-28308
- CVSS Scores
- Base 4 / Temporal 3.3
- Description
-
Azure Stack Hub is an extension of Azure that provides a way to run apps in an on-premises environment and deliver Azure services in your datacenter.
A complete Qualys vulnerability scan report for Microsoft Azure Stack Hub can be obtained at Azure Stack Vulnerability Scan Report.
QID Detection Logic (Authenticated):
This QID checks the file version of ntoskrnl.exe. A file version lower than 10.0.17763.11389 is considered vulnerable.
- Consequence
-
Successful exploit could compromise Confidentiality, Integrity and Availability
- Solution
-
Customers are encouraged to connect with Microsoft for obtaining more information about patches and upcoming releases.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Azure Stack Hub
-
Microsoft Windows Domain Name System (DNS) Server Remote Code Execution (RCE) Vulnerability for April 2023
- Severity
- Critical 4
- Qualys ID
- 92006
- Vendor Reference
- KB5025228, KB5025229, KB5025230, KB5025271, KB5025272, KB5025273, KB5025277, KB5025279, KB5025285, KB5025287, KB5025288
- CVE Reference
- CVE-2023-28223, CVE-2023-28254, CVE-2023-28255, CVE-2023-28256, CVE-2023-28277, CVE-2023-28278, CVE-2023-28305, CVE-2023-28306, CVE-2023-28307, CVE-2023-28308
- CVSS Scores
- Base 10 / Temporal 7.4
- Description
-
Microsoft Windows Domain Name System (DNS) Server Security Update - April 2023
Operating Systems: The KB Articles associated with the update:
5025285
5025288
5025287
5025272
5025279
5025277
5025271
5025273
5025228
5025230
5025229
QID Detection Logic:
Authenticated: This QID checks for the file version of dns.exe.
Unauthenticated: This QID checks for vulnerable versions of Microsoft DNS by checking the DNS version exposed in the banner.
- Consequence
- Successful exploitation of this vulnerability may allow an attacker with specific elevated privileges to execute arbitrary commands on the target system.
- Solution
-
Please refer to the following KB Articles associated with the update:
5025285
5025288
5025287
5025272
5025279
5025277
5025271
5025273
5025228
5025230
5025229
Patches:
The following are links for downloading patches to fix these vulnerabilities:
5025228
5025229
5025230
5025271
5025272
5025273
5025277
5025279
5025285
5025287
5025288
-
Microsoft Windows Message Queuing Multiple Vulnerabilities (April 2023)
- Severity
- Critical 4
- Qualys ID
- 92007
- Vendor Reference
- KB5025221, KB5025224, KB5025228, KB5025229, KB5025230, KB5025234, KB5025239, KB5025271, KB5025272, KB5025273, KB5025277, KB5025279, KB5025285, KB5025287, KB5025288
- CVE Reference
- CVE-2023-21554, CVE-2023-28250
- CVSS Scores
- Base 9 / Temporal 7.1
- Description
-
Microsoft Windows Security Update - April 2023
CVE-2023-21554: Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-28250: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
Operating Systems: The KB Articles associated with the update:
The patch version is 10.0.19041.2846 KB5025221
The patch version is 10.0.20348.1668 KB5025230
The patch version is 10.0.17763.4252 KB5025229
The patch version is 6.3.9600.20919 KB5025285
The patch version is 6.3.9600.20919 KB5025288
The patch version is 6.2.9200.24216 KB5025287
The patch version is 6.2.9200.24216 KB5025272
The patch version is 6.1.7601.26465 KB5025279
The patch version is 6.1.7601.26465 KB5025277
The patch version is 6.0.6003.22015 KB5025271
The patch version is 6.0.6003.22015 KB5025273
The patch version is 10.0.14393.5850 KB5025228
The patch version is 10.0.10240.19869 KB5025234
The patch version is 10.0.22621.1555 KB5025239
The patch version is 10.0.22000.1817 KB5025224
QID Detection Logic (Authenticated):
This QID checks the version of the file %windir%\system32\ntoskrnl.exe.
- Consequence
-
Successful exploit could compromise Confidentiality, Integrity and Availability
- Solution
-
Please refer to the following KB Articles associated with the update:
KB5025221
KB5025230
KB5025229
KB5025285
KB5025288
KB5025287
KB5025272
KB5025279
KB5025277
KB5025271
KB5025273
KB5025228
KB5025234
KB5025239
KB5025224
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB5025221
KB5025224
KB5025228
KB5025229
KB5025230
KB5025234
KB5025239
KB5025271
KB5025272
KB5025273
KB5025277
KB5025279
KB5025285
KB5025287
KB5025288
-
Microsoft Defender Denial of Service (DoS) Vulnerability for April 2023
- Severity
- Critical 4
- Qualys ID
- 92008
- Vendor Reference
- CVE-2023-24860, CVE-2023-24934
- CVE Reference
- CVE-2023-24860, CVE-2023-24934
- CVSS Scores
- Base 6.8 / Temporal 5
- Description
-
The Microsoft Malware Protection Engine, mpengine.dll, provides the scanning, detection, and cleaning capabilities for Microsoft antivirus and antispyware software.
Affected Versions / Software:
Microsoft Malware Protection Engine versions prior to Version 1.1.20200.4
QID Detection Logic (Authenticated):
The authenticated check looks for the version of the "mpengine.dll" file.
- Consequence
-
Successful exploitation of this vulnerability could lead to Denial of Service Vulnerability
- Solution
-
Users are advised to check CVE-2023-24860, CVE-2023-24934 for more information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2023-24860
CVE-2023-24934
These new vulnerability checks are included in Qualys vulnerability signature 2.5.742-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 110431
- 110432
- 110433
- 378386
- 92000
- 92002
- 92003
- 92004
- 92005
- 92006
- 92007
- 92008
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provide organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.