Microsoft’s first Patch Tuesday of 2023 delivers a massive 98 fixes

Windows and Office admins get a busy start to 2023, with Microsoft releasing 98 security fixes for its platforms. That is a huge haul compared with most Patch Tuesdays and nearly double the number it released leading into the holiday season.

January 2023 Patch Tuesday addresses two zero-day flaws, but only one of them is known to be actively exploited: the important-rated Windows flaw tracked as CVE-2023-21674. This flaw allows an attacker with local privileges to elevate to SYSTEM, the highest level of privileges. It has a CVSSv3 severity score of 8.8 out of 10.

Notably, this flaw impacts the Windows Advanced Local Procedure Call (ALPC) and, as Rapid7’s Greg Wiseman notes, is reminiscent of an ALPC zero-day in September 2018 that was swiftly employed in malware campaigns. 

“Given its low attack complexity, the existence of functional proof-of-concept code, and the potential for sandbox escape, this can be a vulnerability to keep a close eye on,” notes Wiseman.

The flaw was discovered by malware analysts at Avast, Jan Vojtěšek, Milánek, and Przemek Gmerek. 


The second flaw impacts the Windows SMB Witness Service, tracked as CVE-2023-21674, and is also an elevation of privilege vulnerability with a severity score of 8.8. Microsoft considers exploitation to be “less likely”, although details of it have been publicly disclosed.

Zero Day Initiative’s Dustin Childs notes this Patch Tuesday is the largest from Microsoft in a January release for quite some time. Among the fixes, 11 flaws are rated critical and 87 are rated important.

The critical flaws include five Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution (RCE) vulnerabilities (tracked as CVE-2023-21543, CVE-2023-21546, CVE-2023-21555, CVE-2023-21556, and CVE-2023-21679). These flaws were reported by third-party researchers.

Microsoft Offensive Research and Security Engineering (MORSE) discovered a critical elevation of privilege flaw in Microsoft Cryptographic Services, tracked as CVE-2023-21730.


Two more critical flaws (CVE-2023-21548 and CVE-2023-21535) are remote code execution vulnerabilities affecting the Windows Security Socket Tunneling Protocol (SSTP). Both were reported by Yuki Chen of Cyber KunLun, who also reported four of the five L2TP RCE bugs.

Rapid7’s Wiseman points out that five flaws this month affect Microsoft Exchange Server. These were all rated as important but may give admins the evidence to push for the removal of on-premise Exchange Servers. Earlier this month, security research group Shadowserver reported that there were 70,000 unpatched Exchange Servers exposed on the internet, to highlight how many were likely still vulnerable to two Exchange Server zero-day flaws Microsoft patched in November, dubbed ProxyNotShell.

Some patches fail, too: Childs notes that two of the Exchange Server flaws (CVE-2023-21763 and CVE-2023-21764) are the result of Microsoft releasing a failed patch for the Exchange Server flaw, CVE-2022-41123, in November.

“If you are running Exchange on-prem, please test and deploy all of the Exchange fixes quickly, and hope that Microsoft fixed these bugs correctly this time,” Childs notes.

Exchange Server came into focus after Microsoft patched four zero-day flaws, known as ProxyShell, affecting the on-premise email server in early 2021. It was the first time Google Project Zero had seen Exchange Server zero days detected since it began tracking them in 2014.

Finally, the January 2023 patch update is the last time Microsoft will release patches under the Windows 7 Extended Service Update (ESU) program. Also available are the final ESU releases for Windows Server 2008 and the final patches for Windows 8.1.
