Microsoft Issues January 2023 Patch Tuesday Updates, Warns of Zero-Day Exploit


The first Patch Tuesday fixes shipped by Microsoft for 2023 have addressed a total of 98 security flaws, including one that the company said is being actively exploited in the wild.

11 of the 98 issues are rated Critical and 87 are rated Important in severity, with one of the vulnerabilities also listed as publicly known at the time of publication. Separately, the Windows maker is expected to release updates to its Chromium-based Edge browser.

The vulnerability under attack is related to CVE-2023-21674 (CVSS score: 8.8), a privilege escalation flaw in the Windows Advanced Local Procedure Call (ALPC) that could be exploited by an attacker to gain SYSTEM permissions.

“This vulnerability could lead to a browser sandbox escape,” Microsoft noted in an advisory, crediting Avast researchers Jan Vojtěšek, Milánek and Przemek Gmerek for reporting the flaw.

While the details of the vulnerability are still under wraps, a successful exploit requires an attacker to have already gained an initial foothold on the host. It is also possible that the flaw is chained with a bug in the web browser to break out of the sandbox and gain elevated privileges.

“Once the initial baseline is made, attackers will look to move across a network or gain additional higher levels of access, and these types of privilege escalation vulnerabilities are a key part of that attacker’s playbook,” Kev Breen, director of cyber threat research at Immersive Labs, said.

That said, the chances of an exploit chain like this being used in a widespread way are limited due to the auto-update feature used to patch browsers, said Satnam Narang, senior staff research engineer at Tenable.

It’s also worth noting that the US Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its catalog of Known Exploited Vulnerabilities (KEV), requiring federal agencies to apply patches by January 31, 2023.

Additionally, CVE-2023-21674 is the fourth such flaw identified in ALPC – an inter-process communication (IPC) facility provided by the Microsoft Windows kernel – following CVE-2022-41045, CVE-2022-41093 and CVE-2022-41100 (CVSS scores: 7.8), all three of which were closed in November 2022.

Two additional privilege escalation vulnerabilities identified as high priority affect Microsoft Exchange Server (CVE-2023-21763 and CVE-2023-21764, CVSS scores: 7.8), which stem from an incomplete patch for CVE-2022-41123, according to Qualys.

“An attacker can execute code with SYSTEM-level privileges by exploiting an encrypted file path,” Saeed Abbasi, manager of vulnerability and threat research at Qualys, said in a statement.

Also resolved by Microsoft is a security feature bypass in SharePoint Server (CVE-2023-21743, CVSS score: 5.3) that could allow an unauthenticated attacker to bypass authentication and make an anonymous connection. The tech giant noted “customers should also enable a SharePoint upgrade action included in this update to protect their SharePoint farm.”

The January update further fixes a number of privilege escalation flaws, including one in Windows Credential Manager (CVE-2023-21726, CVSS score: 7.8) and three affecting the Print Spooler component (CVE-2023-21678, CVE-2023-21760, and CVE-2023-21765).

The US National Security Agency (NSA) has been credited with reporting CVE-2023-21678. In total, 39 of the vulnerabilities Microsoft closed in its latest update enable elevation of privilege.

Rounding out the list is CVE-2023-21549 (CVSS score: 8.8), a publicly known elevation of privilege vulnerability in the Windows SMB Witness Service, and another security feature bypass, this one affecting BitLocker (CVE-2023-21563, CVSS score: 6.8).

“A successful attacker could bypass the BitLocker device encryption feature on the system storage device,” Microsoft said. “An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.”

Recently, Redmond has also revised its guidance on the malicious use of signed drivers (called Bring Your Own Vulnerable Driver) to include an updated block list released as part of the Windows security updates on January 10, 2023.

CISA on Tuesday also added CVE-2022-41080, an Exchange Server privilege escalation flaw, to the KEV catalog following reports that the vulnerability is being chained together with CVE-2022-41082 to achieve remote code execution on vulnerable systems.

The exploit, codenamed OWASSRF by CrowdStrike, was used by Play ransomware actors to breach target environments. The bugs were fixed by Microsoft in November 2022.
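Both KEV additions mentioned above (CVE-2023-21674 with its January 31 deadline, and CVE-2022-41080) are the kind of entry a patch-management team wants to cross-reference automatically against what a given Patch Tuesday fixed. The script below is an added example, not code from the article, Microsoft or CISA: it parses a document in the shape of the CISA KEV JSON feed (real field names `vulnerabilities`, `cveID`, `dueDate`; the entries themselves are constructed from the CVEs named on this page, and the due date shown for CVE-2022-41080 is a placeholder), then ranks a list of CVEs by how many days remain before the federal remediation deadline.

```python
"""Cross-reference a CISA KEV catalog snapshot against CVEs fixed in a
Patch Tuesday release, to surface which patches carry a KEV deadline.

Added example; not code from the article or from Microsoft/CISA.
The live KEV feed has the shape {"vulnerabilities": [{"cveID": ..., "dueDate": ...}]};
the records below are constructed for illustration only.
"""
import json
from datetime import date

# Constructed snapshot in the shape of the KEV JSON feed (not real catalog data).
# The dueDate for CVE-2022-41080 is a placeholder; the article does not state it.
KEV_SNAPSHOT = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2023-21674", "vendorProject": "Microsoft",
         "product": "Windows", "dateAdded": "2023-01-10",
         "dueDate": "2023-01-31"},
        {"cveID": "CVE-2022-41080", "vendorProject": "Microsoft",
         "product": "Exchange Server", "dateAdded": "2023-01-10",
         "dueDate": "2023-01-31"},
    ]
})

# CVEs named in the article's Patch Tuesday coverage (constructed watch list).
PATCH_TUESDAY_CVES = [
    "CVE-2023-21674", "CVE-2023-21763", "CVE-2023-21764", "CVE-2023-21743",
    "CVE-2023-21726", "CVE-2023-21678", "CVE-2023-21760", "CVE-2023-21765",
    "CVE-2023-21549", "CVE-2023-21563",
]


def load_kev(raw_json):
    """Return {cveID: entry} from a KEV-shaped JSON document."""
    data = json.loads(raw_json)
    return {v["cveID"]: v for v in data.get("vulnerabilities", [])}


def prioritise(cves, kev, today_iso):
    """Split CVEs into KEV-listed (ranked by days until dueDate) and unlisted.

    today_iso and dueDate are ISO YYYY-MM-DD strings, as in the real feed.
    A negative days_left means the KEV deadline has already passed.
    """
    today = date.fromisoformat(today_iso)
    listed, unlisted = [], []
    for cve in cves:
        entry = kev.get(cve)
        if entry is None:
            unlisted.append(cve)
            continue
        due = date.fromisoformat(entry["dueDate"])
        listed.append({
            "cve": cve,
            "product": entry.get("product", ""),
            "due": entry["dueDate"],
            "days_left": (due - today).days,
            "overdue": today > due,
        })
    # Soonest deadline first; sort is stable, so ties keep input order.
    listed.sort(key=lambda e: e["days_left"])
    return listed, unlisted


if __name__ == "__main__":
    catalog = load_kev(KEV_SNAPSHOT)
    kev_hits, rest = prioritise(PATCH_TUESDAY_CVES + ["CVE-2022-41080"],
                                catalog, "2023-01-11")
    for hit in kev_hits:
        print(f"{hit['cve']:15} {hit['product']:16} due {hit['due']} "
              f"({hit['days_left']} days left, overdue={hit['overdue']})")
    print(f"{len(rest)} CVEs in this release are not in the KEV snapshot")
```

In practice the snapshot would be the downloaded `known_exploited_vulnerabilities.json` feed and the watch list would come from the month's release notes; keeping the ranking on `days_left` rather than on CVSS score reflects the article's point that exploited-in-the-wild status, not severity alone, is what sets the deadline.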

The Patch Tuesday updates also arrive after Windows 7, Windows 8.1 and Windows RT reached end of support on January 10, 2023. Microsoft said it will not offer an Extended Security Update (ESU) program for Windows 8.1, instead asking users to upgrade to Windows 11.

“Continued use of Windows 8.1 after January 10, 2023, may increase an organization’s exposure to security risks or affect its ability to meet compliance obligations,” the company warned.

Software patches from other vendors

Apart from Microsoft, security updates have also been released by other vendors since the beginning of the month to patch several vulnerabilities, including –
