Microsoft has released another set of security updates to fix a total of 97 flaws impacting its software, one of which has been actively exploited in ransomware attacks in the wild.
Seven of the 97 bugs are rated Critical and 90 are rated Important in severity.
Interestingly, 45 of the shortcomings are remote code execution flaws, followed by 20 elevation of privilege vulnerabilities.
The updates also follow fixes for 26 vulnerabilities in its Edge browser that were released over the past month.
"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said in an advisory, crediting researchers Boris Larin, Genwei Jiang, and Quan Jin for reporting the issue.
According to Russian cybersecurity firm Kaspersky, the vulnerability has been weaponized by a cybercrime group to deploy Nokoyawa ransomware against small and medium-sized businesses in the Middle East, North America, and Asia.
In light of ongoing exploitation of the flaw, CISA has added the Windows zero-day to its catalog of Known Exploited Vulnerabilities (KEV), ordering Federal Civilian Executive Branch (FCEB) agencies to secure their systems by May 2, 2023.
Also patched are critical remote code execution flaws impacting DHCP Server Service, Layer 2 Tunneling Protocol, Raw Image Extension, Windows Point-to-Point Tunneling Protocol, Windows Pragmatic General Multicast, and Microsoft Message Queuing (MSMQ).
The MSMQ bug could allow an attacker to execute arbitrary code and take over a server by sending a specially crafted malicious MSMQ packet to an MSMQ server.
The vulnerability allows an attacker to potentially execute code remotely and without authorization by reaching TCP port 1801.
In other words, an attacker who can deliver just one crafted packet to port 1801/tcp could trigger the vulnerability and gain control of the process.
Two other flaws discovered in MSMQ could be exploited to cause a denial-of-service (DoS) condition such as a service crash and Windows Blue Screen of Death (BSoD).
Microsoft has also updated its advisory for CVE-2013-3900, a 10-year-old WinVerifyTrust signature validation vulnerability, to include the following Server Core installation versions:
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019, and
Windows Server 2022
The development comes as North Korea-linked threat actors have been observed leveraging the flaw to incorporate encrypted shellcode into legitimate libraries without invalidating the Microsoft-issued signature.
Some indicators of compromise (IoCs) include recently created and locked bootloader files in the EFI system partition (ESP), event log entries recording the stopping of Microsoft Defender Antivirus, the presence of the staging directory ESP:/system32/, and modifications to the registry key HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity.
"UEFI bootkits are particularly dangerous as they run at computer startup, prior to the operating system loading, and therefore can interfere with or deactivate various operating system (OS) security mechanisms," the Microsoft Incident Response team said.
Microsoft has further recommended that organizations remove compromised devices from the network and examine them for evidence of follow-on activity, reformat or restore the machines from a known clean backup that includes the EFI partition, maintain credential hygiene, and enforce the principle of least privilege (PoLP).
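The following PowerShell triage script is an added example, not code from the article or from Microsoft, that checks a host for the four bootkit indicators listed above. It assumes an elevated prompt, a 30-day window as the meaning of "recently created", that "locked" means the file cannot be opened for writing, and that Service Control Manager event 7036 is a usable record of the Defender service stopping.

```powershell
# Added example: triage checks for the UEFI bootkit IoCs described above.
# Assumptions are marked; adjust the lookback window and drive letter for your estate.
$Lookback = (Get-Date).AddDays(-30)   # assumption: "recently created" = last 30 days
$Findings = @()

# 1. Mount the EFI System Partition on a free drive letter (mountvol /S is the documented switch).
$Esp = 'S:'
if (-not (Test-Path $Esp)) { mountvol $Esp /S | Out-Null }

# 2. The staging directory ESP:/system32/ should not exist on a clean machine.
if (Test-Path (Join-Path $Esp 'system32')) {
    $Findings += "Staging directory present: $Esp\system32"
}

# 3. Recently created bootloader files that cannot be opened for writing.
#    Assumption: "locked" manifests as a sharing violation on an exclusive open.
Get-ChildItem (Join-Path $Esp 'EFI\Microsoft\Boot') -Filter '*.efi' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $Lookback } |
    ForEach-Object {
        $locked = $false
        try { $fs = [IO.File]::Open($_.FullName, 'Open', 'ReadWrite', 'None'); $fs.Close() }
        catch [IO.IOException] { $locked = $true }
        if ($locked) { $Findings += "Recent, locked bootloader file: $($_.FullName) (created $($_.CreationTime))" }
    }

# 4. HVCI registry key from the article: Enabled=0 means hypervisor-enforced code integrity is off.
$HvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$Hvci = Get-ItemProperty -Path $HvciKey -ErrorAction SilentlyContinue
if ($Hvci -and $Hvci.Enabled -eq 0) {
    $Findings += "HVCI disabled in registry ($HvciKey, Enabled=0)"
}

# 5. Defender service stop events. Assumption: Service Control Manager event 7036 ("entered the
#    stopped state") for the Defender AV service inside the window is worth a closer look.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036; StartTime = $Lookback } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Microsoft Defender Antivirus' -and $_.Message -match 'stopped' } |
    ForEach-Object { $Findings += "Defender AV service stopped at $($_.TimeCreated)" }

# 6. Report: any hit warrants pulling the device off the network and following the guidance above.
if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No bootkit indicators found on this host.' }
```

A clean result from this script does not prove the absence of a bootkit; it only covers the indicators named in the article.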