Microsoft Patch Tuesday: January 2023
On Tuesday, January 10, Microsoft released fixes for nearly 100 vulnerabilities. One of the flaws, a privilege elevation vulnerability in Windows Advanced Local Procedure Call (ALPC), is being actively exploited. The vulnerability could lead to a browser sandbox escape and be exploited to gain system privileges. Eleven of the vulnerabilities are deemed critical; the others are rated important.
As part of patch Tuesday, I wanted to highlight some embargoed research that ties into this update. The Unit42 group from Palo Alto created an interesting kit that produced a wide-ranging number of vulnerabilities, some of which were fixed in this update. If you're interested in finding vulnerabilities in software, I highly recommend you take a look at a talk called “Select Bugs From Binary Where Pattern like CVE-1337-Days”. We may see more easily found, exploited, and patched bugs, which could have short-term consequences and long-term benefits.
I’d like to see Microsoft consistently report on when Windows and Windows app (like Exchange, SharePoint, etc.) vulnerabilities are patched in their cloud-based, app as a service offerings. 2021 data said 2/3 of Exchange customers were using cloud-based Exchange service. If you are in the 1/3 still doing on prem and not able to patch rapidly, buy your CIO a cup of coffee and show her or him the numbers.
Today, Jan 13, is National Blame Somebody Else Day, and while blaming Microsoft may seem appropriate, it's not going to help if it felt like these came late. It was probably the holiday messing with our internal clocks. So, yeah, 93 flaws, 11 critical, 1 actively exploited. Icing on the cake - CVE-2023-21674, the one being exploited, is also a zero-day privilege escalation flaw, so you're likely on the hook for immediate remediation. There is also another printer subsystem update as well as a SharePoint Server bug allowing unauthenticated remote connections. Note the SharePoint fix also needs you to deploy an update to the SharePoint server. If you didn't get the update lined up for your regular patch window, get on it. Yes, this is a three-day weekend in the US, you should be able to blow this update out to your commodity systems, allowing you to focus on more specialized systems. Aside from isolated/air-gapped use cases, ask why you are still running your own SharePoint servers. The time has come to make sure you're leveraging standardized services which are hosted so you can focus on systems needed for your mission objectives.
Read more in
Krebs on Security: Microsoft Patch Tuesday, January 2023 Edition