Date: 2023-01-13

Microsoft's first Patch Tuesday fixes for 2023 addressed a total of 98 security holes, including a bug that Microsoft says is being actively exploited by attackers; updates of this size for Windows systems last occurred in November.

11 of the 98 issues are rated Critical, while 87 are rated “major” in terms of severity, with one of the listed vulnerabilities already publicly known well before the patch was released.

Separately, the Windows maker is expected to release updates for its Chromium-based Edge browser.

What problems does Microsoft Patch Tuesday fix?

The vulnerability that is “under attack” is CVE-2023-21674 (CVSS score: 8.8), a privilege escalation flaw in Windows Advanced Local Procedure Call (ALPC) that could be exploited by an attacker to gain SYSTEM permissions.

“This vulnerability could lead to a leak [of data] from the browser sandbox,” Microsoft said in its advisory, crediting Avast researchers including Jan Vojtěšek, Milánek, and Przemek Gmerek for reporting the bug.

While details of the vulnerability have not yet been disclosed by Microsoft, a successful exploit requires an attacker to have already gained initial access to the host; it is also likely that the flaw is combined with a bug present in the web browser to get out of the sandbox and get elevated privileges.

“Once the initial foothold has been established, the attackers [the hackers, that is] will try to move across a network or gain additional higher levels of access, and these types of privilege escalation vulnerabilities are a key part of that malicious [user's] security playbook,” Kev Breen, director of cyber threat research at Immersive Labs, said about Patch Tuesday.

That said, the chances of a series of exploits (hence a hacker attack of this type) like this being used in a widespread way are limited due to the auto-update feature used to fix browsers, said Satnam Narang, senior research engineer at Tenable.

It is also worth mentioning that the US Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its “catalogue of known exploited vulnerabilities” (KEV), urging federal agencies to patch by January 31, 2023.

Additionally, CVE-2023-21674 is the fourth such defect identified in ALPC, an interprocess communication (IPC) function provided by the Microsoft Windows kernel, after CVE-2022-41045, CVE-2022-41093 and CVE-2022-41100 (CVSS scores: 7.8), the latter three of which were fixed in November 2022, well before this Patch Tuesday.

Two other privilege escalation vulnerabilities (from local user to administrator, so to speak) identified as high priority affect Microsoft Exchange Server (CVE-2023-21763 and CVE-2023-21764, CVSS score: 7.8), which stem from an incomplete patch for CVE-2022-41123, according to Qualys.

“An attacker could execute code with SYSTEM-level privileges by exploiting a hard-coded file path,” Saeed Abbasi, head of vulnerability and threat research at Qualys, said in a statement.

Microsoft also fixed a security feature bypass in SharePoint Server via Patch Tuesday (CVE-2023-21743, CVSS score: 5.3) which could allow an unauthenticated attacker to bypass authentication and establish an anonymous connection.

The Redmond tech giant has announced that “customers also need to trigger an update action by SharePoint included in this update to protect their SharePoint farms”.

The January Patch Tuesday update also fixes a number of privilege escalation flaws, including one in the Windows Credential Manager (CVE-2023-21726, CVSS score: 7.8) and three affecting the Print Spooler component (CVE-2023-21678, CVE-2023-21760 and CVE-2023-21765).

The United States National Security Agency (NSA) has been credited with reporting CVE-2023-21678. In all, 39 of the vulnerabilities that Microsoft closed in its latest update allow for elevation of privilege.

To complete the list there is CVE-2023-21549 (CVSS score: 8.8), a publicly known elevation of privilege vulnerability in the Windows SMB Witness service, and another instance of security feature bypass impacting BitLocker (CVE-2023-21563, CVSS score: 6.8).

“A successful attacker could bypass the BitLocker device encryption feature on the system storage device,” Microsoft said about this Patch Tuesday, adding that “an attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data”.

Finally, Redmond has revised its guidance on the malicious use of signed drivers (called Bring Your Own Vulnerable Driver) to include an updated block list released as part of Windows security updates on January 10, 2023.

On Tuesday, CISA also added CVE-2022-41080, another privilege-related flaw, this time in Exchange Server, to the KEV catalog following reports that the vulnerability is being chained with CVE-2022-41082 to achieve remote code execution on vulnerable systems.

The exploit, codenamed OWASSRF by CrowdStrike, was used by Play ransomware authors to breach target environments; these flaws, however, had already been fixed by Microsoft in November 2022.

Patch Tuesday updates also come as Windows 7, Windows 8.1, and Windows RT reached their end of support on January 10, 2023; Microsoft has said it will not offer an Extended Security Update (ESU) program for Windows 8.1, instead urging users to upgrade to Windows 11.

“Continuing to use Windows 8.1 after January 10, 2023 could increase an organization’s exposure to security risks or impact its ability to meet compliance obligations,” the company warned.

Other software also suffers from the Patch Tuesday effect

In addition to Microsoft, security updates have also been released by other vendors since the beginning of the month to fix several vulnerabilities, including: