Microsoft Issues January 2023 Patch Tuesday Updates, Warns of Zero-Day Exploit


The first Patch Tuesday updates shipped by Microsoft for 2023 have addressed a total of 98 security flaws, including one bug that the company said is being actively exploited in the wild.

11 of the 98 issues are rated Critical and 87 are rated Important in severity, with one of the vulnerabilities also listed as publicly known at the time of release. Separately, the Windows maker is expected to release updates for its Chromium-based Edge browser.

The vulnerability that is under attack relates to CVE-2023-21674 (CVSS score: 8.8), a privilege escalation flaw in Windows Advanced Local Procedure Call (ALPC) that could be exploited by an attacker to gain SYSTEM permissions.

“This vulnerability could lead to a browser sandbox escape,” Microsoft noted in an advisory, crediting Avast researchers Jan Vojtěšek, Milánek, and Przemek Gmerek for reporting the bug.

While details of the vulnerability are still under wraps, a successful exploit requires an attacker to have already obtained an initial infection on the host. It is also likely that the flaw is combined with a bug present in the web browser to break out of the sandbox and gain elevated privileges.

“Once the initial foothold has been made, attackers will look to move across a network or gain additional higher levels of access, and these types of privilege escalation vulnerabilities are a key part of that attacker playbook,” Kev Breen, director of cyber threat research at Immersive Labs, said.

That said, the chances that an exploit chain like this is employed in a widespread fashion are limited owing to the auto-update feature used to patch browsers, Satnam Narang, senior staff research engineer at Tenable, said.

It’s also worth noting that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply patches by January 31, 2023.

What’s more, CVE-2023-21674 is the fourth such flaw identified in ALPC – an inter-process communication (IPC) facility provided by the Microsoft Windows kernel – after CVE-2022-41045, CVE-2022-41093, and CVE-2022-41100 (CVSS scores: 7.8), the latter three of which were plugged in November 2022.

Two other privilege escalation vulnerabilities identified as being of high priority affect Microsoft Exchange Server (CVE-2023-21763 and CVE-2023-21764, CVSS scores: 7.8), which stem from an incomplete patch for CVE-2022-41123, according to Qualys.

“An attacker could execute code with SYSTEM-level privileges by exploiting a hard-coded file path,” Saeed Abbasi, manager of vulnerability and threat research at Qualys, said in a statement.

Also resolved by Microsoft is a security feature bypass in SharePoint Server (CVE-2023-21743, CVSS score: 5.3) that could allow an unauthenticated attacker to bypass authentication and make an anonymous connection. The tech giant noted that “customers must also trigger a SharePoint upgrade action included in this update to protect their SharePoint farm.”

The January update further remediates a number of privilege escalation flaws, including one in Windows Credential Manager (CVE-2023-21726, CVSS score: 7.8) and three affecting the Print Spooler component (CVE-2023-21678, CVE-2023-21760, and CVE-2023-21765).

The U.S. National Security Agency (NSA) has been credited with reporting CVE-2023-21678. In all, 39 of the vulnerabilities that Microsoft closed out in its latest update enable the elevation of privileges.

Rounding off the list is CVE-2023-21549 (CVSS score: 8.8), a publicly known elevation of privilege vulnerability in the Windows SMB Witness Service, and another instance of security feature bypass impacting BitLocker (CVE-2023-21563, CVSS score: 6.8).

“A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device,” Microsoft said. “An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.”

Lastly, Redmond has revised its guidance regarding the malicious use of signed drivers (known as Bring Your Own Vulnerable Driver) to include an updated block list released as part of the Windows security updates on January 10, 2023.

CISA on Tuesday also added CVE-2022-41080, an Exchange Server privilege escalation flaw, to the KEV catalog following reports that the vulnerability is being chained alongside CVE-2022-41082 to achieve remote code execution on vulnerable systems.

The exploit, codenamed OWASSRF by CrowdStrike, has been leveraged by the Play ransomware actors to breach target environments. The defects were fixed by Microsoft in November 2022.
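As an added example (not code from the article, Microsoft or CISA), the cross-check the two KEV paragraphs above imply: index a KEV feed in its published JSON layout, look up the CVE ids this article names, and rank the listed ones by remediation due date so that overdue items and known ransomware use surface first. The feed contents and dates are constructed for the example, except CVE-2023-21674's January 31, 2023 due date, which the article gives.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow the
# real catalog schema; entries and dates are made up for this example except the
# 2023-01-31 due date for CVE-2023-21674, which the article states.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2023-21674", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2023-01-10", "dueDate": "2023-01-31",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2022-41080", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2023-01-10", "dueDate": "2023-01-31",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2022-41082", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2022-09-30", "dueDate": "2022-10-21",
         "knownRansomwareCampaignUse": "Known"},
    ]
})

# CVE ids named in the article: the January 2023 release plus the Exchange chain.
ARTICLE_CVES = {
    "CVE-2023-21674", "CVE-2023-21763", "CVE-2023-21764", "CVE-2023-21743",
    "CVE-2023-21726", "CVE-2023-21678", "CVE-2023-21760", "CVE-2023-21765",
    "CVE-2023-21549", "CVE-2023-21563", "CVE-2022-41080", "CVE-2022-41082",
}


def load_kev(raw_json):
    """Index a KEV feed by CVE id for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def prioritize(cves, kev, today_iso):
    """Return the KEV-listed subset of `cves`, most urgent first: fewest days
    until the CISA due date (negative = overdue), then known ransomware use."""
    today = date.fromisoformat(today_iso)
    hits = []
    for cve in cves:
        entry = kev.get(cve)
        if entry is None:
            continue  # patched in the release but not (yet) in KEV
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cve": cve,
            "product": entry["product"],
            "due": entry["dueDate"],
            "days_left": (due - today).days,
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
        })
    hits.sort(key=lambda h: (h["days_left"], not h["ransomware"], h["cve"]))
    return hits
```

Anything not in KEV still needs patching; the ranking only orders the subset CISA has attached a deadline to.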

The Patch Tuesday updates also arrive as Windows 7, Windows 8.1, and Windows RT reached end of support on January 10, 2023. Microsoft said it will not offer an Extended Security Update (ESU) program for Windows 8.1, instead urging users to upgrade to Windows 11.

“Continuing to use Windows 8.1 after January 10, 2023, may increase an organization’s exposure to security risks or impact its ability to meet compliance obligations,” the company cautioned.

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —
