Microsoft's April 2023 Patch Tuesday announcement covered security updates including an actively exploited the zero-day vulnerability and a total of 97 flaws. The breakdown of these flaws are as follows:
- 20 Elevation of Privilege Vulnerabilities
- 8 Security Feature Bypass Vulnerabilities
- 45 Remote Code Execution Vulnerabilities
- 10 Information Disclosure Vulnerabilities
- 9 Denial of Service Vulnerabilities
- 6 Spoofing Vulnerabilities
Individual descriptions of these vulnerabilities are shared at bleepingcomputer.com here. Please note that because they allow remote code execution, 7 of these vulnerabilities are marked as critical.
Regarding the zero-day vulnerability, the Microsoft advisory explains that an attacker who successfully exploited this vulnerability could gain SYSTEM privileges. The vulnerability specifically relates to the Windows CLFS driver that elevates privileges to SYSTEM which is the highest level in Windows. If the patch has not yet been installed, it is highly recommended that you speak with your IT team.
Additionally, as reported here, the April Windows 11 22H2 KB5025239 update fixed:
- A bug causing Microsoft PowerPoint to stop responding when using accessibility tools
- The ability for Microsoft Narrator to read dropdown lists in Microsoft Excel
- A bug in Windows Notepad that prevented all available Settings options from being displayed
It is recommended that you update your Microsoft products with the latest security patch. Have questions about updating your Microsoft environment? Contact PCS today.