Microsoft addresses active vulnerability in January Patch Tuesday
Fixes included for nearly 100 flaws and exploits
Microsoft has fixed nearly 100 bugs in its first Patch Tuesday of 2023, including one actively exploited and one publicly disclosed vulnerability.
Eleven of the 98 vulnerabilities addressed are classified as 'Critical,' meaning threat actors could use them to gain remote control of vulnerable Windows machines with little or no user involvement.
The remaining 87 items are classified as Important.
In all, the January security update patches 39 escalation of privilege (EoP) vulnerabilities, 33 RCE bugs, 10 information disclosure bugs, 10 denial of service bugs, four security feature bypass vulnerabilities and two spoofing bugs.
The vulnerability under active exploit in the wild today is known as CVE-2023-21674, an advanced local procedure call (ALPC) elevation of privilege vulnerability with an 8.8 CVSS score.
A local attacker could leverage the flaw to increase their privileges all the way to system level.
"This vulnerability is actively being exploited in the wild, so it should be top of the list for patching," said Kev Breen, Director of Cyber Threat Research at Immersive Labs.
"This CVE is a local privilege escalation vulnerability, meaning that an attacker must already have an initial infection on the host. This kind of exploit is almost always used in network compromises. Once the initial foothold has been made, attackers will look to move across a network or gain additional higher levels of access and these types of privilege escalation vulnerabilities are a key part of that attacker playbook."
Satnam Narang, senior staff research engineer at Tenable, observed that the vulnerability was likely chained together with a flaw in a Chromium-based browser, such as Google Chrome or Microsoft Edge, to bypass the browser's sandbox and acquire full system access.
"Vulnerabilities like CVE-2023-21674 are typically the work of advanced persistent threat groups as part of targeted attacks," Narang said.
"The likelihood of future widespread exploitation of an exploit chain like this is limited due to auto-update functionality used to patch browsers."
Another EoP vulnerability, CVE-2023-21549, which exists in the Windows SMB Witness Service, is listed as publicly known and has a severity rating of 8.8.
'To exploit this vulnerability, an attacker could execute a specially crafted malicious script which executes an RPC call to an RPC host,' warns the security alert.
An attacker could use this to elevate privileges and execute RPC functions that can only be sent by privileged accounts.
Two vulnerabilities affecting Microsoft Exchange Server were also fixed: CVE-2023-21762 and CVE-2023-21745. Microsoft marked one of them as 'more likely to be exploited.'
While the company hasn't shared any information on the exploit itself, this type of flaw requires an attacker to already have access to a legitimate user account within the target domain.
Microsoft also fixed a security feature bypass issue in SharePoint Server (CVE-2023-21743), which could allow an unauthenticated attacker to avoid authentication and establish an anonymous connection.
To secure their SharePoint farm, the tech giant advised users to 'trigger a SharePoint upgrade action included in this update.'
January's Patch Tuesday also addressed several other privilege escalation issues.
One of them affects Windows Credential Manager (CVE-2023-21726), while the other three affect the Print Spooler component (CVE-2023-21678, CVE-2023-21760, and CVE-2023-21765).
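For administrators triaging this release, the practical first step is confirming that the January update is actually present on each host. The following PowerShell script is an added example, not code from the article or from Microsoft: it checks a host's OS build and installed hotfixes against a list of required KB identifiers. The article names the CVEs but not the KB numbers of the cumulative updates that fix them, so the KB values below are placeholders to be replaced with the identifiers from Microsoft's release notes for your OS build.

```powershell
# Added example (not from the article). Reports the OS build and whether the
# required January 2023 update(s) are installed on this host.
# PLACEHOLDER: replace with the real KB number(s) for your Windows build,
# taken from the MSRC release notes for the CVEs named in the article.
$RequiredKBs = @('KB0000000')

function Get-HostBuild {
    # Real cmdlet: Win32_OperatingSystem exposes the OS version/build string.
    (Get-CimInstance -ClassName Win32_OperatingSystem).Version
}

function Test-PatchCompliance {
    param([Parameter(Mandatory)][string[]]$KBs)

    # Get-HotFix reads Win32_QuickFixEngineering; collect installed IDs once.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

    foreach ($kb in $KBs) {
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            OSBuild      = Get-HostBuild
            KB           = $kb
            Installed    = ($installed -contains $kb)
        }
    }
}

$results = Test-PatchCompliance -KBs $RequiredKBs
$results | Format-Table -AutoSize

$missing = $results | Where-Object { -not $_.Installed }
if ($missing) {
    # CVE-2023-21674 is the actively exploited ALPC EoP flaw from the article;
    # flag hosts still missing the update so they can be prioritised.
    Write-Warning ("Missing required update(s): {0}. Prioritise patching for CVE-2023-21674." -f ($missing.KB -join ', '))
    exit 1
}
```

The script exits non-zero when any required KB is absent, so it can be run from a configuration-management or monitoring job across a fleet. Note that `Get-HotFix` only reports updates recorded in Quick Fix Engineering, so treat a negative result as a prompt to verify through your update-management console rather than as definitive proof the host is patched.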