Microsoft Releases a High January Patchload for the Second Year

The January 2023 Patch Tuesday also marks the end of support for Windows 7, Windows 8.1 and Windows RT 8.1.

January 13, 2023

In its first Patch Tuesday of 2023, Microsoft rolled out fixes for 98 security vulnerabilities, one of which is a zero-day flaw. The January 2023 Patch Tuesday also marks the end of support for Windows 7, Windows 8.1 and Windows RT 8.1, with no Extended Security Update (ESU) program planned for these popular operating systems.

After what has been the second busiest year ever for Microsoft in terms of patches released, Microsoft started 2023 with an unusually high patchload for January. With 98 fixes, the January 2023 Patch Tuesday is even larger than last year’s 97.

“Microsoft has kicked off 2023 with a monster Patch Tuesday – having released fixes for 98 vulnerabilities, to include one actively exploited zero-day,” Saeed Abbasi, manager of vulnerability and threat research at Qualys, told Spiceworks. “Coming off the 2022 calendar year when the industry saw the largest number of zero-days and highest number of vulnerabilities disclosed, this first release indicates that this trend will not slow.”

Of the 98 vulnerabilities, 85 have a CVSS score between 7.0 and 8.9, placing them in the high severity category; 12 have a CVSS score between 4.0 and 6.9, making them moderately severe; and one has a CVSS rating of 3.3, making it low in severity.

However, experts advised prioritizing the patching of a few before others, including one vulnerability in particular, CVE-2023-21674, which not only has a high CVSS score of 8.8 (out of 10) but is also a zero-day bug, i.e., it is under active exploitation. Let us look at some of the security bugs administrators should prioritize patching.

CVE-2023-21674

CVE-2023-21674 is an elevation of privilege (EoP) vulnerability existing in Windows Advanced Local Procedure Call (ALPC), the interprocess communication facility provisioned by Microsoft for Windows for high-speed message passing.

“The actively exploited zero-day vulnerability, CVE-2023-21674, allows for escalation of privileges from sandboxed execution inside Chromium to kernel-level execution and SYSTEM privileges by a local attacker. Vulnerabilities of this nature are frequently leveraged in tandem with malware or ransomware delivery,” Abbasi explained.

CVE-2023-21674 has a low attack complexity, requires low privileges, and requires no user interaction to be exploited. It affects all Windows versions starting from Windows 8.1 and Windows Server 2012 R2.

Gina Geisel, product marketing manager at Automox, explained to Spiceworks, “This elevation of privilege vulnerability exists when Windows improperly handles calls to ALPC which enables the elevation of an attacker’s privileges from sandboxed execution inside Chromium to kernel execution and full system privileges.”

“To exploit this vulnerability, an attacker would first have to log on to the system, run a specially crafted application, and then take control of the affected system. A successful attacker could then run arbitrary code in the security context of the local system and install programs enabling them to view, change, or delete data, or, worse case, create new accounts with full user rights,” Geisel added.

CVE-2023-21674 is the fourth vulnerability discovered and now patched in ALPC after CVE-2022-41100, CVE-2022-41045 and CVE-2022-41093.

CVE-2023-21743

“In addition to the disclosed zero-day, there were two critical vulnerabilities to pay close attention to,” Abbasi said, pointing out their significance. “The first was CVE-2023-21743 which affects the security features of Microsoft SharePoint Server – whereby an unauthenticated, remote attacker could exploit this vulnerability to establish an anonymous connection to the SharePoint server, bypassing security measures.”

This security feature bypass (SFB) flaw residing in Microsoft SharePoint Server has a CVSS score of 8.2. Even though it isn’t publicly disclosed, Microsoft rated its exploitation as more likely, considering it has a low attack complexity and requires no privileges or target user interaction.

“If an attacker successfully exploits this vulnerability, they can validate the presence or absence of an HTTP endpoint within the blocked IP range. Additionally, the vulnerability requires the attacker to have read access to the target SharePoint site,” Preetham Gurram, senior product manager at Automox, told Spiceworks. Automox recommends patching this vulnerability within 72 hours.

CVE-2023-21763 and CVE-2023-21764

“The second,” Abbasi continued, “is a Microsoft Exchange Server vulnerability (CVE-2023-21763 and CVE-2023-21764) that would allow an attacker to elevate their privileges due to a failure to patch a previous vulnerability (CVE-2022-41123) properly.”

Both of these flaws have a CVSS rating of 7.8 and require low privileges, no user interaction, and low attack complexity. “An attacker could execute code with SYSTEM-level privileges by exploiting a hard-coded file path. Both SharePoint and Exchange are critical tools that many organizations use to collaborate and complete daily tasks – making these vulnerabilities extremely attractive in the eyes of an attacker,” Abbasi added.

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, highlighted the prevalence of thousands of unpatched Exchange servers. As of January 9, 2023, there were 62,960 unpatched instances of Exchange servers, up from the 57,268 counted when Spiceworks reported on the matter on January 4, 2023.

CVE-2023-21549

CVE-2023-21549 is an EoP bug residing in the Windows Workstation Service that impacts most versions of Windows 7, 8.1, 10 and 11 and Windows Server 2012 through 2022. It has a CVSS score of 8.8 and a low attack complexity, and it requires low privileges and no user interaction.

Still, despite being publicly disclosed, Microsoft said CVE-2023-21549’s exploitation is less likely. “From this, we infer that even if someone tells you where the bug is located and how you might trigger it, figuring out how to exploit the bug successfully and actually achieving an elevation of privilege is going to be difficult,” noted Paul Ducklin, principal research scientist at Sophos.
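The advice running through the sections above is a ranking rule: patch what is actively exploited first, then what Microsoft rates “exploitation more likely”, then what is publicly disclosed, and use the CVSS band only to order the rest. The following script is an added example, not code from Spiceworks, Microsoft or any of the vendors quoted, that turns that rule into a small triage routine. The CVE ids, scores and exploitation flags are taken from the figures quoted in this article; the `Advisory` fields, the tier numbering and the “CVE id as final tie-breaker” rule are this example’s own assumptions.

```python
"""Patch-prioritization helper for a Patch Tuesday release.

Added example (not from the article, Microsoft or any vendor quoted).
The advisory list is constructed from the scores the article quotes;
tier labels and ordering are this example's own assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    cvss: float
    component: str
    exploited: bool = False                 # in-the-wild exploitation reported
    disclosed: bool = False                 # details public before the fix shipped
    exploitation_more_likely: bool = False  # vendor's exploitability assessment


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative band
    (the article's 7.0-8.9 'high', 4.0-6.9 'medium', below 4.0 'low')."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def tier(adv: Advisory) -> int:
    """Lower number means patch sooner (assumed ordering):
    0 = actively exploited, 1 = exploitation rated more likely,
    2 = publicly disclosed but not exploited, 3 = everything else."""
    if adv.exploited:
        return 0
    if adv.exploitation_more_likely:
        return 1
    if adv.disclosed:
        return 2
    return 3


def prioritize(advisories: list[Advisory]) -> list[Advisory]:
    """Order by tier, then highest CVSS, then CVE id for a stable result."""
    return sorted(advisories, key=lambda a: (tier(a), -a.cvss, a.cve))


def severity_counts(advisories: list[Advisory]) -> dict[str, int]:
    """Count advisories per severity band, as the article does for the release."""
    counts: dict[str, int] = {}
    for adv in advisories:
        band = severity(adv.cvss)
        counts[band] = counts.get(band, 0) + 1
    return counts


# Constructed sample: the five CVEs discussed in the article with the
# CVSS scores and exploitation status it reports for each.
JANUARY_2023_SAMPLE = [
    Advisory("CVE-2023-21674", 8.8, "Windows ALPC", exploited=True),
    Advisory("CVE-2023-21743", 8.2, "SharePoint Server", exploitation_more_likely=True),
    Advisory("CVE-2023-21763", 7.8, "Exchange Server"),
    Advisory("CVE-2023-21764", 7.8, "Exchange Server"),
    Advisory("CVE-2023-21549", 8.8, "Windows Workstation Service", disclosed=True),
]

if __name__ == "__main__":
    for adv in prioritize(JANUARY_2023_SAMPLE):
        print(f"tier {tier(adv)}  {adv.cve}  CVSS {adv.cvss:.1f} "
              f"({severity(adv.cvss)})  {adv.component}")
    print(severity_counts(JANUARY_2023_SAMPLE))
```

Note that CVE-2023-21549 shares the top CVSS score of 8.8 with the zero-day, yet lands behind the SharePoint bug: the ordering deliberately weights Microsoft’s exploitability assessment above the raw score, which is the point Ducklin makes about public disclosure not equalling easy exploitation.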

Microsoft’s January 2023 Patch Tuesday features 39 EoP vulnerabilities, 33 remote code execution (RCE) flaws, 10 information disclosure flaws, 10 denial-of-service flaws, four SFB bugs and two spoofing bugs. In July 2022, the Redmond-based tech giant released Microsoft Autopatch as a licensed tool for automated updates.

Abbasi concluded, “It is the need of the hour to automate deployment of patches for events with defined schedules (e.g., MSFT Patch Tuesday), so security professionals can focus energy to respond efficiently to unpredictable events that pose a dastardly risk to an organization.”

Mark Lamb, CEO of HighGround.io, told Spiceworks that vulnerability discovery will remain high for the foreseeable future. “In days gone by, this would have been a wakeup call, possibly even a major event, but sadly this is becoming the norm. These are serious vulnerabilities, and there are a high number of them. Even missing one is a serious concern, but could you imagine if you missed 2 or 3 patch cycles like this?” Lamb said.

“It serves as a powerful reminder that cybersecurity problems are here to stay. We must remain vigilant and continue to do these basics right, as poor patching is still one of the most significant causes of cyberattacks.”




Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis

An earnest copywriter at heart, Sumeet is what you'd call a jack of all trades, rather techs. A self-proclaimed 'half-engineer', he dropped out of Computer Engineering to answer his creative calling pertaining to all things digital. He now writes what techies engineer. As a technology editor and writer for News and Feature articles on Spiceworks (formerly Toolbox), Sumeet covers a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation, hardware, semiconductors, et al. Sumeet compounds his geopolitical interests with cartophilia and antiquarianism, not to mention the economics of current world affairs. He bleeds Blue for Chelsea and Team India! To share quotes or your inputs for stories, please get in touch on sumeet_wadhwani@swzd.com