Microsoft releases Patch Tuesday updates for January 2023 and warns of a zero-day exploit.

Microsoft's first Patch Tuesday release of 2023 addresses a total of 98 security flaws, including one that the company says is being actively exploited in the wild.

Eleven of the 98 flaws are rated Critical and the remaining 87 Important, with one vulnerability listed as publicly known at the time of release. Microsoft is also expected to deliver updates for its Chromium-based Edge browser.

The exploited vulnerability is CVE-2023-21674 (CVSS score: 8.8), a privilege escalation flaw in Windows Advanced Local Procedure Call (ALPC) that an attacker could exploit to obtain SYSTEM privileges.

“This vulnerability might lead to a browser sandbox escape,” Microsoft said in an advisory, crediting Avast researchers Jan Vojtek, Milánek, and Przemek Gmerek with discovering the flaw.

While the specifics of the vulnerability are not yet known, a successful exploit requires an attacker to have already compromised the host. It is also possible that the flaw is chained with a bug in a web browser in order to escape the sandbox and gain elevated privileges.

“Once an attacker has gained a foothold, they will try to travel across a network or get further higher levels of access, and these sorts of privilege escalation vulnerabilities are a significant element of that attacker playbook,” said Kev Breen, director of cyber threat research at Immersive Labs.

That said, the likelihood of such an attack chain being used widely is limited by the auto-update mechanism that keeps browsers patched, according to Satnam Narang, senior staff research engineer at Tenable.

It is also worth noting that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging government agencies to apply the fix by January 31, 2023.

CVE-2023-21674 is also the fourth such flaw found in ALPC, an inter-process communication (IPC) facility in the Windows kernel, following CVE-2022-41045, CVE-2022-41093, and CVE-2022-41100 (CVSS scores: 7.8), all of which were patched in November 2022.

According to Qualys, two further high-severity privilege escalation vulnerabilities affect Microsoft Exchange Server (CVE-2023-21763 and CVE-2023-21764, CVSS scores: 7.8) and stem from an insufficient patch for CVE-2022-41123.

“An attacker might execute code with SYSTEM-level privileges by exploiting a hard-coded file path,” said Saeed Abbasi, manager of vulnerability and threat research at Qualys.

Microsoft also fixed a security feature bypass in SharePoint Server (CVE-2023-21743, CVSS score: 5.3) that could allow an unauthenticated attacker to bypass authentication and connect anonymously. “Customers must additionally perform a SharePoint upgrade action contained in this release to secure their SharePoint farm,” the company said.

The January update also addresses three more privilege escalation flaws, one in Windows Credential Manager (CVE-2023-21726, CVSS score: 7.8) and three in the Print Spooler component (CVE-2023-21678, CVE-2023-21760, and CVE-2023-21765).

CVE-2023-21678 was reported by the U.S. National Security Agency (NSA). In all, 39 of the vulnerabilities addressed in Microsoft's latest release allow for privilege escalation.

Rounding off the list are CVE-2023-21549 (CVSS score: 8.8), a publicly known elevation of privilege vulnerability in the Windows SMB Witness Service, and another security feature bypass, this one affecting BitLocker (CVE-2023-21563, CVSS score: 6.8).

“A successful attacker might circumvent the BitLocker Device Encryption feature on the system storage device,” according to Microsoft. “With physical access to the target, an attacker might exploit this vulnerability to get access to encrypted data.”

Finally, Microsoft has updated its guidance on the malicious use of signed drivers (a technique dubbed Bring Your Own Vulnerable Driver) to include an updated block list, which is being delivered as part of the Windows security updates on January 10, 2023.

CISA also added CVE-2022-41080, an Exchange Server privilege escalation flaw, to the KEV catalog on Tuesday, following reports that it is being chained with CVE-2022-41082 to achieve remote code execution on vulnerable servers.

The exploit chain, dubbed OWASSRF by CrowdStrike, has been used by the Play ransomware operators to infiltrate target environments. Microsoft patched both flaws in November 2022.

The Patch Tuesday updates also arrive as Windows 7, Windows 8.1, and Windows RT reach end of life on January 10, 2023. Microsoft has said it will not offer an Extended Security Update (ESU) program for Windows 8.1, and instead encourages customers to upgrade to Windows 11.

“Using Windows 8.1 beyond January 10, 2023 may raise an organization’s vulnerability to security threats or harm its ability to satisfy compliance responsibilities,” the company said.

Software Patches from Other Vendors

Besides Microsoft, other vendors have released security updates since the start of the month to address a number of vulnerabilities, including:
