
Microsoft Releases January Patch Tuesday 2023 Updates, Warns of Zero-Day Exploit


The first Patch Tuesday updates shipped by Microsoft for 2023 resolve a total of 98 security vulnerabilities, including one bug that the company says is being actively exploited in the wild.

Eleven of the 98 issues are rated Critical and 87 are rated Important in severity; one of the vulnerabilities was also listed as publicly known at press time. Separately, the Windows maker is expected to release updates for its Chromium-based Edge browser.

The actively exploited vulnerability is CVE-2023-21674 (CVSS score: 8.8), an elevation of privilege flaw in Windows Advanced Local Procedure Call (ALPC) that an attacker could exploit to gain SYSTEM privileges.

“This vulnerability could lead to a browser sandbox escape,” Microsoft noted in an advisory, crediting Avast researchers Jan Vojtěšek, Milánek, and Przemek Gmerek with reporting the bug.

While the details of the vulnerability are still under wraps, a successful exploit requires an attacker to have already secured an initial foothold on the host. The flaw is also likely to be combined with a bug in the web browser itself to break out of the sandbox and then gain elevated privileges.

“Once the first step is taken, attackers will seek to move across a network or gain higher levels of access and these types of privilege escalation vulnerabilities are a key part of this attack playbook,” said Kev Breen, director of cyber threat research at Immersive Labs.

That said, the chances of an exploit chain like this being used at scale are limited because browsers patch themselves through auto-update, said Satnam Narang, senior research engineer at Tenable.

It should also be noted that the US Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the patches by January 31, 2023.
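"Apply the patches" in practice means confirming that the January 10, 2023 cumulative update is on every Windows host before the KEV due date. The following PowerShell script is an added example written for this page, not code from the article or from Microsoft. It compares the installed build and UBR (Update Build Revision) with the minimum build that each January 2023 cumulative update produces; the KB numbers and builds in the table are the editor's values from Microsoft's January 10, 2023 release notes, not from the article, and should be confirmed against the Windows update history pages before the script is trusted in production.

```powershell
# Added example, not from the article: does this host carry the January 10, 2023
# cumulative update that fixes CVE-2023-21674? The check compares the installed
# build and UBR (Update Build Revision) against the minimum build each January
# LCU produces. The KB/build pairs below are the editor's values taken from
# Microsoft's January 10, 2023 release notes, not from the article; confirm them
# against the Windows update history pages before relying on this script.
$JanuaryBaselines = @{
    '14393' = @{ KB = 'KB5022289'; MinUbr = 5648; Name = 'Windows Server 2016 / Windows 10 1607' }
    '17763' = @{ KB = 'KB5022286'; MinUbr = 3887; Name = 'Windows Server 2019 / Windows 10 1809' }
    '19044' = @{ KB = 'KB5022282'; MinUbr = 2486; Name = 'Windows 10 21H2' }
    '19045' = @{ KB = 'KB5022282'; MinUbr = 2486; Name = 'Windows 10 22H2' }
    '20348' = @{ KB = 'KB5022291'; MinUbr = 1487; Name = 'Windows Server 2022' }
    '22000' = @{ KB = 'KB5022287'; MinUbr = 1455; Name = 'Windows 11 21H2' }
    '22621' = @{ KB = 'KB5022303'; MinUbr = 1105; Name = 'Windows 11 22H2' }
}

function Test-JanuaryPatchLevel {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR          # revision that each cumulative update bumps
    $base  = $JanuaryBaselines[$build]

    if (-not $base) {
        return [pscustomobject]@{
            Host   = $env:COMPUTERNAME
            Build  = "$build.$ubr"
            Status = 'Build not in table; check the release notes manually'
        }
    }

    # Get-HotFix is only a secondary signal: cumulative updates are sometimes
    # absent from it even when installed, so the build number decides.
    $kbListed = [bool](Get-HotFix -Id $base.KB -ErrorAction SilentlyContinue)
    $status = if ($ubr -ge $base.MinUbr) {
        'January 2023 LCU or later present'
    } else {
        "MISSING: $($base.KB) not installed; CVE-2023-21674 fix absent"
    }

    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Release  = $base.Name
        Build    = "$build.$ubr"
        Required = "$build.$($base.MinUbr) ($($base.KB))"
        KbListed = $kbListed
        Status   = $status
    }
}

Test-JanuaryPatchLevel | Format-List
```

The build number, not the KB list, is the authoritative signal: later cumulative updates supersede the January one and raise the UBR further, so "greater than or equal to the January baseline" is the correct test, whereas a host that has only a later servicing stack update or an out-of-band fix can still sit below it. Run the function through `Invoke-Command` across a server list to get one object per host for reporting.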

Additionally, CVE-2023-21674 is the fourth such flaw identified in ALPC, an inter-process communication (IPC) facility provided by the Windows kernel, after CVE-2022-41045, CVE-2022-41093, and CVE-2022-41100 (CVSS scores: 7.8), all three of which were plugged in November 2022.

Two other elevation of privilege vulnerabilities flagged as high priority affect Microsoft Exchange Server (CVE-2023-21763 and CVE-2023-21764, CVSS scores: 7.8); both stem from an incomplete fix for CVE-2022-41123, according to Qualys.

“An attacker could execute code with SYSTEM-level privileges by exploiting a hard-coded file path,” Saeed Abbasi, head of vulnerability and threat research at Qualys, said in a statement.

Microsoft has also addressed a security feature bypass in SharePoint Server (CVE-2023-21743, CVSS score: 5.3) that could allow an unauthenticated attacker to bypass authentication and make an anonymous connection. The tech giant noted that “customers should also trigger a SharePoint upgrade action included in this update to protect their SharePoint farm.”
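The "upgrade action" is the step SharePoint administrators most often skip: installing the security update replaces the binaries, but the farm configuration is not upgraded until the SharePoint Products Configuration Wizard (psconfig.exe) is run on every server, and until then the fix for CVE-2023-21743 is not fully in effect. The script below is an added example written for this page, not code from the article or from Microsoft. It reports which farm objects still flag `NeedsUpgrade` and then runs the standard build-to-build upgrade sequence. It assumes SharePoint 2016, 2019 or Subscription Edition (the "16" hive under Web Server Extensions) and a farm administrator session on a SharePoint server; other versions use a different hive path.

```powershell
# Added example, not from the article or from Microsoft: after the SharePoint
# security update is installed, report which farm objects still need the
# upgrade action the advisory calls for, then run it. Assumes SharePoint 2016,
# 2019 or Subscription Edition (the "16" hive) and a farm admin session.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

function Get-SPPendingUpgrade {
    # NeedsUpgrade is set on the farm, servers and content databases once the
    # installed binaries are newer than the persisted configuration, i.e. the
    # patch is installed but psconfig has not yet been run.
    $farm = Get-SPFarm
    [pscustomobject]@{
        FarmBuild        = $farm.BuildVersion.ToString()
        FarmNeedsUpgrade = $farm.NeedsUpgrade
        ServersPending   = @(Get-SPServer | Where-Object { $_.NeedsUpgrade } |
                             Select-Object -ExpandProperty Name)
        DatabasesPending = @(Get-SPContentDatabase | Where-Object { $_.NeedsUpgrade } |
                             Select-Object -ExpandProperty Name)
    }
}

function Invoke-SPUpgradeAction {
    $psconfig = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\16\BIN\psconfig.exe'
    if (-not (Test-Path $psconfig)) { throw "psconfig.exe not found at $psconfig" }

    # Standard build-to-build (b2b) upgrade sequence; run on every server in the farm.
    & $psconfig -cmd upgrade -inplace b2b -wait `
                -cmd applicationcontent -install `
                -cmd installfeatures `
                -cmd secureresources `
                -cmd services -install
    if ($LASTEXITCODE -ne 0) {
        throw "psconfig exited with $LASTEXITCODE; see the PSCDiagnostics log in the hive's LOGS folder"
    }
}

$state = Get-SPPendingUpgrade
$state | Format-List
if ($state.FarmNeedsUpgrade -or $state.ServersPending.Count -or $state.DatabasesPending.Count) {
    Invoke-SPUpgradeAction
    Get-SPPendingUpgrade | Format-List   # should now report nothing pending
}
```

Run the check first on every server and only then start psconfig, one server at a time, because the upgrade takes the local server out of rotation while it runs; a farm where `FarmNeedsUpgrade` stays `True` after the run usually has a server that was patched but never upgraded.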

The January update additionally fixes a number of privilege escalation flaws, including one in Windows Credential Manager (CVE-2023-21726, CVSS score: 7.8) and three affecting the Print Spooler component (CVE-2023-21678, CVE-2023-21760, and CVE-2023-21765).

The US National Security Agency (NSA) has been credited with reporting CVE-2023-21678. A total of 39 of the vulnerabilities that Microsoft fixed in its latest update allow elevation of privilege.

Rounding out the list are CVE-2023-21549 (CVSS score: 8.8), a publicly known elevation of privilege vulnerability in the Windows SMB Witness Service, and another security feature bypass, this one affecting BitLocker (CVE-2023-21563, CVSS score: 6.8).

“A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device,” Microsoft said. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.

Finally, Redmond has revised its guidance on the malicious use of signed drivers (a technique known as Bring Your Own Vulnerable Driver, or BYOVD) to include an updated driver block list released as part of the Windows security updates of January 10, 2023.
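An updated block list only helps if the host actually enforces it: the vulnerable driver blocklist is applied through hypervisor-protected code integrity (HVCI, "memory integrity") or a WDAC policy, and on a host where neither is enforcing, a signed vulnerable driver still loads. The PowerShell script below is an added example written for this page, not code from the article or from Microsoft. It reads the blocklist toggle that Microsoft documents in the `CI\Config` registry key (present on Windows 11 22H2 and later; its absence on older builds is expected), queries `Win32_DeviceGuard` for HVCI and kernel code-integrity enforcement, and counts recent blocked driver loads. The path of the blocklist policy binary (`driversipolicy.p7b`) is the commonly cited location and is treated as an assumption to confirm on your build.

```powershell
# Added example, not from the article: report whether this host can enforce
# Microsoft's vulnerable driver blocklist. The list only blocks a driver load
# when HVCI (memory integrity) or a WDAC policy is enforcing, so an updated
# blocklist on a host without enforcement changes nothing for BYOVD attacks.
function Get-DriverBlocklistStatus {
    # Toggle Microsoft documents behind the Windows Security "Microsoft
    # Vulnerable Driver Blocklist" switch (Windows 11 22H2+); absent on older builds.
    $ci   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $flag = if ($null -ne $ci.VulnerableDriverBlocklistEnable) { [int]$ci.VulnerableDriverBlocklistEnable } else { $null }

    # Win32_DeviceGuard: SecurityServicesRunning contains 2 when HVCI is active;
    # CodeIntegrityPolicyEnforcementStatus is 0 = off, 1 = audit, 2 = enforced.
    $dg   = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $hvci = @($dg.SecurityServicesRunning) -contains 2
    $kmci = [int]$dg.CodeIntegrityPolicyEnforcementStatus

    # Signed CI policy that carries the blocklist. The path is the commonly cited
    # location and is an assumption here; its timestamp shows when the list last
    # changed, e.g. with the January 10, 2023 update.
    $policy = Get-Item "$env:SystemRoot\System32\CodeIntegrity\driversipolicy.p7b" -ErrorAction SilentlyContinue
    $policyPath = if ($policy) { $policy.FullName } else { 'not found' }
    $policyDate = if ($policy) { $policy.LastWriteTime } else { $null }

    # Event 3077 in the CodeIntegrity log is a driver load blocked by policy
    # (3076 is the audit-mode equivalent and means nothing was blocked).
    $blocked = @(Get-WinEvent -FilterHashtable @{
                    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077
                 } -MaxEvents 10 -ErrorAction SilentlyContinue)

    $enforced = ($flag -eq 1) -or $hvci -or ($kmci -eq 2)
    $verdict  = if ($enforced) { 'Blocklist enforced' } else { 'NOT enforced: vulnerable drivers will load' }

    [pscustomobject]@{
        Host                = $env:COMPUTERNAME
        BlocklistToggle     = $flag        # 1 = on, 0 = off, $null = value not present
        HvciRunning         = $hvci
        KernelCiEnforcement = $kmci
        BlocklistPolicyFile = $policyPath
        BlocklistUpdated    = $policyDate
        RecentBlockedLoads  = $blocked.Count
        Verdict             = $verdict
    }
}

Get-DriverBlocklistStatus | Format-List
```

A host reporting `HvciRunning False`, `KernelCiEnforcement 0` and no toggle is the case the revised guidance is aimed at: the January blocklist is present on disk but nothing consults it, and a detection rule for BYOVD there has to fall back on driver-load telemetry (Sysmon event 6 or EDR) rather than on code-integrity block events.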

CISA on Tuesday also added CVE-2022-41080, an Exchange Server elevation of privilege flaw, to the KEV catalog following reports that the vulnerability is being chained with CVE-2022-41082 to achieve remote code execution on vulnerable systems.

The exploit chain, dubbed OWASSRF by CrowdStrike, has been used by Play ransomware actors to breach target environments. Both flaws were fixed by Microsoft in November 2022.

The Patch Tuesday updates also arrive as Windows 7, Windows 8.1, and Windows RT reached end of support on January 10, 2023. Microsoft said it will not offer an Extended Security Update (ESU) program for Windows 8.1, instead urging users to upgrade to Windows 11.

“Continuing to use Windows 8.1 after January 10, 2023 may increase an organization’s exposure to security risks or impact its ability to meet compliance obligations,” the company warned.

Software patches from other vendors

In addition to Microsoft, security updates have also been released by other vendors since the beginning of the month to fix several vulnerabilities, including —
