Patches have been released to fix almost 100 vulnerabilities on January 2023 Patch Tuesday, including one actively exploited zero-day Windows Advanced Local Procedure Call (ALPC) elevation of privilege vulnerability and another zero-day that has been publicly disclosed. In total, 98 vulnerabilities have been fixed, 11 of which are rated critical, 7 of which are remote code execution vulnerabilities and 4 are elevation of privilege vulnerabilities. The remaining 87 vulnerabilities are rated important.
The actively exploited zero-day vulnerability in Windows ALPC – tracked as CVE-2023-21674 – has been rated important by Microsoft, but is a high-severity flaw with a CVSS v3 score of 8.8. The flaw can be exploited to escape a sandbox, allowing a malicious actor to gain SYSTEM privileges on Windows and Windows Server installations. While Microsoft did not disclose how this vulnerability is being exploited, these flaws are often exploited to deliver malware or ransomware, with early exploitation typically by advanced persistent threat (APT) actors. Consequently, this vulnerability should be prioritized.
The second zero-day vulnerability is a Windows SMB Witness Service elevation of privilege vulnerability tracked as CVE-2023-21549, which has similarly been rated important. This is a high-severity vulnerability with a CVSS score of 8.8. Exploitation has low complexity and requires no user interaction; it can be achieved via a specially crafted script that executes an RPC call to an RPC host. This would allow a malicious actor to execute RPC functions that are normally restricted to privileged accounts.
The critical vulnerabilities are:
- Microsoft Office SharePoint – Security feature bypass vulnerability: CVE-2023-21743
- Windows Cryptographic Services – Elevation of privilege vulnerabilities: CVE-2023-21551, CVE-2023-21561, CVE-2023-21730
- Windows Layer 2 Tunneling Protocol (L2TP) – Remote code execution vulnerabilities: CVE-2023-21556, CVE-2023-21555, CVE-2023-21543, CVE-2023-21546, CVE-2023-21679
- Windows Secure Socket Tunneling Protocol (SSTP) – Remote code execution vulnerabilities: CVE-2023-21548, CVE-2023-21535
The Microsoft Office SharePoint vulnerability, CVE-2023-21743, allows a remote, unauthenticated attacker to make an anonymous connection to a vulnerable SharePoint server, although read access to the SharePoint site would be required.
Support Ends for Windows 7 and Windows 8.1
Windows 7 and Windows 8.1 users have been reminded once again that extended support for the operating systems has come to an end. The last security updates for these operating systems were released on January 10, 2023. Users will need to upgrade to later versions; however, Microsoft has warned that users who are considering upgrading to Windows 10 should be aware that support for the operating system will only be provided for two years. The Windows 10 end-of-support date is October 14, 2025. It should be noted that many devices will not meet the hardware requirements for Windows 11, so will need to be replaced/upgraded.
Adobe Fixes 29 Vulnerabilities
Adobe released patches to fix 29 vulnerabilities on January 2023 Patch Tuesday for Adobe Acrobat, Adobe Reader, Adobe InDesign, Adobe InCopy, and Adobe Dimension, all of which have been assigned a patching priority of 3.
15 patches have been released to fix vulnerabilities in Adobe Acrobat and Reader, with CVSS severity scores ranging from 5.5 to 7.8. Adobe InDesign and Adobe InCopy each have 6 patches, with the severity scores ranging from 5.5 to 7.8. Adobe Dimension gets 2 patches to fix two 5.5 severity vulnerabilities.