In the first Patch Tuesday of 2023, Microsoft addressed a total of 98 security flaws, including one zero-day that is being actively exploited in the wild. The zero-day, tracked as CVE-2023-21674, has a CVSS score of 8.8 and has been seen in use publicly. The vulnerability allows an adversary to escalate their privileges to SYSTEM on a wide variety of Windows and Windows Server installations by exploiting a flaw in Windows Advanced Local Procedure Call (ALPC). It should be noted that an ALPC zero-day back in 2018 swiftly found its way into a malware campaign.
Bugs of this type are often paired with some form of code execution to deliver malware or ransomware. Considering this was reported to Microsoft by researchers from Avast, that scenario seems likely here, noted Trend Micro's Dustin Childs. Patching this vulnerability should be a priority due to its low attack complexity and the existence of functional proof-of-concept code.
Another vulnerability, CVE-2023-21549, which affects Windows SMB, was patched by Microsoft during Patch Tuesday, along with a batch of seven Critical Remote Code Execution (RCE) vulnerabilities. Microsoft has also addressed several CVEs affecting Microsoft Exchange Server, including spoofing vulnerabilities, elevation-of-privilege flaws and an information disclosure flaw.
Microsoft also announced two Office Remote Code Execution vulnerabilities. Both CVE-2023-21734 and CVE-2023-21735 sound broadly familiar: a user needs to be tricked into running malicious files. Unfortunately, the security updates for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are not immediately available, so administrators with affected assets will need to check back later and rely on other defences for now.
In addition to the patched vulnerabilities, Windows 8.1 support officially ended on January 10, 2023. This means that Windows 8.1 will no longer receive software updates. Microsoft will not be offering an Extended Security Update program for Windows 8.1, so continuing to use Windows 8.1 after January 10, 2023, may increase an organization's exposure to security risks or impact its ability to meet compliance obligations.