Microsoft and Apple Go Head-to-Head in Epic Patch Battle of April 2023
Yesterday, Microsoft released software updates to address 100 security holes in its Windows operating systems and other software. This includes a zero-day vulnerability that is currently being used in active attacks. Meanwhile, Apple has also released a critical set of updates that address two zero-day vulnerabilities used in attacks targeting iPhones, iPads, and Macs.
Apple released emergency security updates on April 7 to fix two actively exploited vulnerabilities. CVE-2023-28206 can be exploited by apps to take control of a device, while CVE-2023-28205 can be used by a malicious or hacked website to install code. These vulnerabilities are addressed in iOS/iPadOS 16.4.1, iOS 15.5.7, and macOS 12.6.5 and 11.7.6. Apple device users are advised to enable automatic updates, because detailed instructions on how to exploit CVE-2023-28206 are now public.
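A defender's first question after an advisory like this is which devices in the fleet are still on a vulnerable build. The following is an added example, not code from this article or from Apple: it encodes the fixed versions listed above per OS branch (major version) and checks a reported version against them, treating a branch the article lists no fix for as "unknown" rather than silently calling it patched. The device inventory records are constructed sample data; any real inventory source is an assumption.

```python
"""Check reported Apple OS versions against the fixed versions from the April 2023 advisory."""

# Fixed versions per OS and major-version branch, as listed in the article for
# CVE-2023-28205 and CVE-2023-28206. Branches not listed here have no fix recorded
# on the page, so the check deliberately does not assume they are safe.
FIXED_VERSIONS = {
    "iOS": {16: "16.4.1", 15: "15.5.7"},
    "iPadOS": {16: "16.4.1"},
    "macOS": {12: "12.6.5", 11: "11.7.6"},
}

PATCHED = "patched"
VULNERABLE = "vulnerable"
NO_FIX_LISTED = "no fix listed"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '16.4.1' into (16, 4, 1). Rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted-integer version: {text!r}")
    return tuple(int(p) for p in parts)


def version_at_least(have: tuple[int, ...], need: tuple[int, ...]) -> bool:
    """Compare versions component-wise; missing trailing components count as 0,
    so '16.4' is (16, 4, 0) and therefore older than '16.4.1'."""
    width = max(len(have), len(need))
    have_padded = have + (0,) * (width - len(have))
    need_padded = need + (0,) * (width - len(need))
    return have_padded >= need_padded


def patch_status(os_name: str, version_text: str) -> str:
    """Return PATCHED, VULNERABLE, or NO_FIX_LISTED for one device's OS version."""
    have = parse_version(version_text)
    branch_fixes = FIXED_VERSIONS.get(os_name, {})
    fixed_text = branch_fixes.get(have[0])  # look up by major version (the branch)
    if fixed_text is None:
        return NO_FIX_LISTED
    return PATCHED if version_at_least(have, parse_version(fixed_text)) else VULNERABLE


def triage(inventory: list[dict]) -> dict[str, list[str]]:
    """Group device names by patch status so the vulnerable list can be acted on first."""
    groups: dict[str, list[str]] = {PATCHED: [], VULNERABLE: [], NO_FIX_LISTED: []}
    for device in inventory:
        groups[patch_status(device["os"], device["version"])].append(device["name"])
    return groups


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    {"name": "phone-01", "os": "iOS", "version": "16.4.1"},
    {"name": "phone-02", "os": "iOS", "version": "16.4"},
    {"name": "phone-03", "os": "iOS", "version": "15.5.7"},
    {"name": "mac-01", "os": "macOS", "version": "12.6.4"},
    {"name": "mac-02", "os": "macOS", "version": "11.7.6"},
    {"name": "mac-03", "os": "macOS", "version": "13.3"},
]

if __name__ == "__main__":
    for status, names in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

The "no fix listed" bucket is the important design choice: a version-comparison script that only knows some branches must surface the ones it cannot judge, otherwise a newer major release (macOS 13 in the sample) would be reported as patched by accident.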
On the same day, Microsoft released its own slew of 100 security updates, including one for CVE-2023-28252, a Windows vulnerability that is currently under active attack. The flaw is in the Windows Common Log File System (CLFS) driver, a core Windows component that was previously targeted by attacks in February 2023.
According to Dustin Childs at the Trend Micro Zero Day Initiative, "If it seems familiar, that's because there was a similar 0-day patched in the same component just two months ago. To me, that implies the original fix was insufficient and attackers have found a method to bypass that fix." There is no information about the extent of these attacks, but a privilege escalation exploit like this one is typically paired with a code execution bug to spread malware or ransomware.
According to Qualys, a security firm, cybercriminals are using CVE-2023-28252 to deploy Nokoyawa ransomware. This new strain is believed to be linked to Hive ransomware, which was responsible for breaching over 300 organizations in a few months last year. Targets have been observed in South and North America, regions across Asia, and organizations in the Middle East. It is still unclear which threat actor is targeting this vulnerability.
CVE-2023-28252 is the second CLFS zero-day disclosed to Microsoft by researchers from Mandiant and DBAPPSecurity, after CVE-2022-37969, although it is unclear whether both are tied to the same attacker. Of the 100 vulnerabilities Microsoft fixed, seven are rated "Critical" and 90 are rated "Important." Nearly 90% of the vulnerabilities are rated "Exploitation Less Likely," while just 9.3% are rated "Exploitation More Likely."
CVE-2023-28231, a remote code execution vulnerability in a core Windows network process, has a CVSS score of 8.8 but requires an attacker to have already gained initial access to the network. Meanwhile, CVE-2023-28220 and CVE-2023-28219 are a pair of remote code execution vulnerabilities affecting Windows Remote Access Servers (RAS). Breen from Immersive Labs warned that RAS servers are typically reachable directly from the Internet, which makes them highly tempting targets for attackers.