Microsoft has patched 77 vulnerabilities in its monthly update cycle, including three zero-day vulnerabilities, rated high severity, that are already being exploited in the wild.
CVE-2023-21823 is a remote code execution (RCE) bug in the Windows Graphics Component that gives an attacker SYSTEM privileges.
Customers are told the fix ships through the Microsoft Store (the former Windows Store) if automatic updates are enabled; if not, they will have to install the update manually.
CVE-2023-21715 is a locally exploitable security feature bypass that would allow an authenticated attacker to get around the Office macro policies that block untrusted or malicious files.
Meanwhile, CVE-2023-23376 is a local elevation of privilege bug in the Windows Common Log File System (CLFS) driver.
Five patches cover vulnerabilities with CVSS 3.0 scores above 9.
CVE-2023-21716 is a critical-rated vulnerability that allows RCE attacks against Microsoft Word via a malicious RTF file.
Microsoft said the attack vectors include the preview pane, so a user need not open the file deliberately.
“An unauthenticated attacker could send a malicious e-mail containing an RTF payload that would allow them to gain access to execute commands within the application used to open the malicious file," it said.
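Because the preview pane renders RTF without a click, a practical interim control is to stop Word from parsing RTF at all until the patch is deployed. The following is an added example written for this page, not code from the article or from Microsoft; it applies the long-standing Office File Block policy through the registry. It assumes the Office 2016/2019/365 registry layout (version key `16.0`) and that it runs in the profile of the user being hardened.

```powershell
# Added example: enforce the Office File Block policy so Word refuses to open or
# save RTF files (Outlook's preview pane uses Word to render, so it is covered too).
# Assumption: Office registry version key "16.0" (Office 2016/2019/Microsoft 365).

function Set-WordRtfFileBlock {
    param(
        [string]$OfficeVersion = '16.0',
        [switch]$Undo
    )
    $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Security\FileBlock"

    if ($Undo) {
        # Roll back: remove only the two values this script manages.
        if (Test-Path $key) {
            Remove-ItemProperty -Path $key -Name 'RtfFiles','OpenInProtectedView' -ErrorAction SilentlyContinue
        }
        return
    }

    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # RtfFiles = 2 : block both opening and saving of RTF files
    New-ItemProperty -Path $key -Name 'RtfFiles' -PropertyType DWord -Value 2 -Force | Out-Null
    # OpenInProtectedView = 0 : do not fall back to Protected View; block the file outright
    New-ItemProperty -Path $key -Name 'OpenInProtectedView' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-WordRtfFileBlock {
    param([string]$OfficeVersion = '16.0')
    $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Security\FileBlock"
    if (-not (Test-Path $key)) { return $false }
    $p = Get-ItemProperty -Path $key
    return ($p.RtfFiles -eq 2 -and $p.OpenInProtectedView -eq 0)
}

Set-WordRtfFileBlock
if (Test-WordRtfFileBlock) {
    'RTF files are now blocked in Word'
} else {
    'File Block policy was not applied'
}
# Run Set-WordRtfFileBlock -Undo once the February update is installed.
```

Per-user keys are fine for a quick response; for fleet-wide enforcement the same values belong under the Office Group Policy equivalents so users cannot silently revert them.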
CVE-2023-21803 is an RCE in the Windows iSCSI discovery service.
“An attacker could exploit the vulnerability by sending a specially crafted malicious DHCP discovery request to the iSCSI Discovery Service on 32-bit machines," Microsoft said.
"An attacker who successfully exploited the vulnerability could then gain the ability to execute code on the target system."
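Since Microsoft scopes the iSCSI bug to 32-bit machines, the first thing to establish is which hosts are both 32-bit and running the service. The script below is an added example for this page, not from the article or from Microsoft. It assumes the vulnerable discovery code runs under the "MSiSCSI" (Microsoft iSCSI Initiator) service, that the host does not depend on iSCSI storage, and that it is run from an elevated PowerShell session.

```powershell
# Added example: identify 32-bit hosts exposing the iSCSI service and, where the
# host has no active iSCSI sessions, stop and disable it until the patch lands.
# Assumption: service name "MSiSCSI" hosts the affected discovery functionality.

function Get-IscsiExposure {
    $svc = Get-Service -Name 'MSiSCSI' -ErrorAction SilentlyContinue
    $is64 = [Environment]::Is64BitOperatingSystem
    [pscustomobject]@{
        Is64Bit        = $is64
        ServicePresent = ($null -ne $svc)
        Status         = if ($svc) { $svc.Status.ToString() } else { 'N/A' }
        StartType      = if ($svc) { $svc.StartType.ToString() } else { 'N/A' }
        # Per Microsoft's description the bug is only reachable on 32-bit builds,
        # so flag a host only when it is 32-bit AND the service is running.
        AtRisk         = (-not $is64) -and ($null -ne $svc) -and ($svc.Status -eq 'Running')
    }
}

function Disable-IscsiService {
    param([switch]$Force)
    $state = Get-IscsiExposure
    if (-not $state.ServicePresent) { return 'MSiSCSI is not installed' }

    # Refuse to cut off a host that actually mounts iSCSI targets unless forced.
    $sessions = Get-IscsiSession -ErrorAction SilentlyContinue
    if ($sessions -and -not $Force) {
        return 'Active iSCSI sessions present; refusing to disable without -Force'
    }

    Stop-Service -Name 'MSiSCSI' -Force
    Set-Service -Name 'MSiSCSI' -StartupType Disabled
    return 'MSiSCSI stopped and disabled'
}

# Report first; only disable after reviewing AtRisk and the session check.
Get-IscsiExposure | Format-List
```

Run the report across the estate (for example through Invoke-Command) and reserve Disable-IscsiService for hosts that come back AtRisk and have no storage dependency; re-enable the service after patching if it is needed.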
There are also three vulnerabilities in the Windows Protected Extensible Authentication Protocol (PEAP), each with a CVSS score of 9.8.
Two of them, CVE-2023-21692 and CVE-2023-21690, can be exploited against a PEAP server by sending crafted PEAP packets over the network. For CVE-2023-21689, Microsoft says an attacker could “target the server accounts in an arbitrary or remote code execution and attempt to trigger malicious code in the context of the server's account through a network call.”