Windows and Office admins get a busy start to 2023, with Microsoft releasing 98 security fixes for its platforms -- that's a big haul when compared to most Patch Tuesdays and almost double the number it turned out leading into the holiday season.
January 2023 Patch Tuesday addresses two zero-day flaws but only one of them is known to be actively exploited, which is the critical Windows flaw, tracked as CVE-2023-21674. This flaw allows an attacker with local privileges to elevate to system, the highest level of privileges. It has a CVSSv3 severity score of 8.8 out of 10.
Notably, this flaw affects the Windows Advanced Local Procedure Call (ALPC) and, as Rapid7's Greg Wiseman notes, is reminiscent of an ALPC zero-day in September 2018 that was swiftly employed in malware campaigns.
"Given its low attack complexity, the existence of functional proof-of-concept code, and the potential for sandbox escape, this may be a vulnerability to keep a close eye on," notes Wiseman.
The flaw was found by malware analysts at Avast, Jan Vojtěšek, Milánek, and Przemek Gmerek.
The second flaw affects Windows SMB Witness Service, tracked as CVE-2023-21674, and is also an elevation of privilege vulnerability with a severity score of 8.8. Microsoft considerers exploitation to be "less likely", even though details of it have been publicly disclosed.
Zero Day Initiative's Dustin Childs notes this Patch Tuesday is the largest from Microsoft in a January release for quite some time. Among them are 11 critical flaws and 87 are rated as important.
The critical flaws include five Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution (RCE) Vulnerabilities (tracked as CVE-2023-21543, CVE-2023-21546, CVE-2023-21555, CVE-2023-21556, and CVE-2023-21679). These flaws were reported by third-party researchers.
Microsoft Offensive Research and Security Engineering (MORSE) found a critical elevation of privilege flaw in Microsoft Cryptographic Services, tracked as CVE-2023-21730.
Two more critical flaws (CVE-2023-21548 and CVE-2023-21535) were remote code execution vulnerabilities affecting the Windows Security Socket Tunneling Protocol (SSTP). Both were reported by Yuki Chen of Cyber KunLun, who also reported four of the five L2TP RCE bugs.
Rapid7's Wiseman points out that five flaws this month affected Microsoft Exchange Server. These were all rated as important but could give admins the evidence push for the removal of on-premise Exchange Servers. Earlier this month, security research group Shadowserver reported that there were 70,000 unpatched Exchange Servers exposed on the internet to highlight how many were likely still vulnerable to two Exchange Server zero-day flaws Microsoft patched in November, dubbed ProxyNotShell.
Some patches fail, too: Childs notes that two of the Exchange Server flaws -- CVE-2023-21763 and CVE-2023-21764 -- are the result of Microsoft releasing a failed patch for the Exchange Server flaw, CVE-2022-41123, in November.
"If you're running Exchange on-prem, please test and deploy all the Exchange fixes quickly, and hope that Microsoft fixed these bugs correctly this time," Child notes.
Exchange Server came into focus after Microsoft patched four zero-day flaws, known as ProxyShell, affecting the on-premise email server in early 2021. It was the first time Google Project Zero had seen Exchange Server zero days detected since it began tracking them in 2014.