Microsoft Issues January 2023 Patch Tuesday Updates, Warns of Zero-Day Exploit


The first Patch Tuesday fixes shipped by Microsoft in 2023 address a total of 98 security flaws, including one bug the company said was actively exploited in the wild.

Of the 98 issues, 11 are rated Critical and 87 are rated Important, and the vulnerabilities were also listed as known at the time of release. Separately, the Windows maker is set to release an update to its Chromium-based Edge browser.

The vulnerability under active attack is CVE-2023-21674 (CVSS score: 8.8), a privilege escalation flaw in Windows Advanced Local Procedure Call (ALPC) that an attacker could exploit to gain SYSTEM privileges.

“This vulnerability could lead to a browser sandbox escape,” Microsoft noted in an advisory, crediting Avast researchers Jan Vojtěšek, Milánek, and Przemek Gmerek with reporting the bug.

Details of the vulnerability have not yet been disclosed, but a successful exploit would require the attacker to already have an initial foothold on the host. The flaw could also be chained with a web browser bug to break out of the sandbox and gain elevated privileges.

“Once an initial foothold is established, attackers either move across the network or attempt to gain higher levels of access. These types of privilege escalation vulnerabilities are a critical part of an attacker’s strategy,” said Kev Breen, Director of Cyber Threat Research at Immersive Labs.

That said, the potential for widespread use of such exploit chains is limited by the auto-update feature used to patch browsers, said Satnam Narang, senior staff research engineer at Tenable.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it by January 31, 2023.

It is also worth noting that CVE-2023-21674 is the fourth flaw identified in ALPC, an inter-process communication (IPC) facility provided by the Microsoft Windows kernel, following CVE-2022-41045, CVE-2022-41093, and CVE-2022-41100 (CVSS score: 7.8), the latter three of which were plugged in November 2022.

According to Qualys, two other privilege escalation vulnerabilities identified as high priority affect Microsoft Exchange Server (CVE-2023-21763 and CVE-2023-21764, CVSS score: 7.8).

“An attacker could exploit a hardcoded file path to execute code with SYSTEM-level privileges,” Saeed Abbasi, manager of vulnerability and threat research at Qualys, said in a statement.

Microsoft also resolved a security feature bypass (CVE-2023-21743, CVSS score: 5.3) in SharePoint Server that could allow an unauthenticated attacker to bypass authentication and make anonymous connections. “Customers should also trigger the SharePoint Upgrade actions included in this update to protect their SharePoint farms,” the tech giant said.

The January update also addresses one elevation of privilege flaw in Windows Credential Manager (CVE-2023-21726, CVSS score: 7.8) and three others (CVE-2023-21678, CVE-2023-21760, and CVE-2023-21765).

The U.S. National Security Agency (NSA) reportedly reported CVE-2023-21678. In total, 39 of the vulnerabilities addressed by Microsoft in the latest updates allow elevation of privilege.

Rounding out the list are CVE-2023-21549 (CVSS score: 8.8), a known elevation of privilege vulnerability in Windows SMB Witness Service, and another security feature bypass, this one affecting BitLocker (CVE-2023-21563, CVSS score: 6.8).

“A successful attacker could bypass the BitLocker Device Encryption feature of system storage devices,” Microsoft said. “An attacker with physical access to the target could exploit this vulnerability to access encrypted data.”

In addition, Redmond updated its guidance on the malicious use of signed drivers (referred to as Bring Your Own Vulnerable Driver, or BYOVD) to include an updated driver block list released as part of the Windows security updates on January 10, 2023.

On Tuesday, CISA also added CVE-2022-41080, an Exchange Server privilege escalation flaw, to the KEV catalog, following reports that the vulnerability has been chained together with CVE-2022-41082 to achieve remote code execution on vulnerable systems.

The exploit, codenamed OWASSRF by CrowdStrike, has been used by Play ransomware actors to infiltrate target environments. The bug was fixed by Microsoft in November 2022.
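The two KEV additions above (CVE-2023-21674 with its January 31, 2023 due date, and CVE-2022-41080) are the kind of entries a defender triages against their own patch status. The following Python is an added example, not code from the article or from CISA: it parses a constructed document in the shape of CISA's public KEV JSON feed (field names as that feed uses them; the Exchange entry's due date is an assumption) and reports which catalog entries are patched, still open, or overdue as of a given date.

```python
import json
from datetime import date

# Constructed sample modelled on CISA's KEV JSON feed; only the CVEs this
# article names are included. The due date for CVE-2023-21674 is the one the
# article states; the due date for CVE-2022-41080 is assumed for illustration.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
  "vulnerabilities": [
    {"cveID": "CVE-2023-21674", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Microsoft Windows ALPC Privilege Escalation Vulnerability",
     "dateAdded": "2023-01-10", "dueDate": "2023-01-31",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2022-41080", "vendorProject": "Microsoft", "product": "Exchange Server",
     "vulnerabilityName": "Microsoft Exchange Server Privilege Escalation Vulnerability",
     "dateAdded": "2023-01-10", "dueDate": "2023-01-31",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}
"""


def load_kev(text):
    """Parse a KEV-format JSON document into a dict keyed by CVE ID."""
    doc = json.loads(text)
    return {entry["cveID"]: entry for entry in doc["vulnerabilities"]}


def triage(kev, patched_cves, today_iso):
    """Classify each KEV entry relative to its remediation due date.

    patched_cves: set of CVE IDs already remediated in our environment.
    today_iso:    reporting date as an ISO string, e.g. "2023-01-20".
    Returns {cve_id: "patched" | "due-in-N-days" | "overdue"}.
    """
    today = date.fromisoformat(today_iso)
    report = {}
    for cve, entry in sorted(kev.items()):
        due = date.fromisoformat(entry["dueDate"])
        if cve in patched_cves:
            report[cve] = "patched"
        elif today > due:
            report[cve] = "overdue"
        else:
            report[cve] = f"due-in-{(due - today).days}-days"
    return report


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    for cve, status in triage(catalog, {"CVE-2022-41080"}, "2023-01-20").items():
        print(f"{cve}: {status} ({catalog[cve]['product']})")
```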

The Patch Tuesday updates also arrive as Windows 7, Windows 8.1, and Windows RT reached end of support on January 10, 2023, with the company urging users to upgrade to Windows 11.

“Continuing to use Windows 8.1 after January 10, 2023 may increase your organization’s exposure to security risks or impact your ability to meet your compliance obligations,” the company warns.

Software patches from other vendors

In addition to Microsoft, other vendors have also released security updates since the beginning of the month to fix several vulnerabilities, including:
