Gird your loins: Patch Tuesday’s back
It’s that time of the month again: Microsoft has pushed out 98 security patches for January’s Patch Tuesday. Eleven are critical, one (CVE-2023-21674) is being actively exploited, and another gives unauthenticated remote access to your SharePoint Server and requires not just the patch but a “SharePoint upgrade action” to fix. Deep joy.
CVE-2023-21674 is a browser sandbox escape (a Windows Advanced Local Procedure Call, “ALPC”, Elevation of Privilege vulnerability) that gives an attacker SYSTEM privileges. It was reported by security researchers at Avast. Microsoft rates it “Important”, with a CVSS score of 8.8. As the Zero Day Initiative notes: “Bugs of this type are often paired with some form of code execution to deliver malware or ransomware… that scenario seems likely here.”
Microsoft describes it as having a local attack vector, low attack complexity, low privileges required and no user interaction needed for exploitation. Given that it is already being exploited in the wild, expect the patch to be reverse-engineered by the ill-intentioned and for proofs of concept and broader attacks to circulate.
Five critical remote code execution (RCE) vulnerabilities in Windows Layer 2 Tunneling Protocol (L2TP) also deserve attention: CVE-2023-21543, CVE-2023-21546, CVE-2023-21555, CVE-2023-21556 and CVE-2023-21679. Whilst they would let an unauthenticated attacker gain RCE on a RAS server, they require the attacker to win a race condition, and Microsoft says it sees exploitation as less likely owing to that attack complexity. The exposure is therefore limited to hosts that actually run Routing and Remote Access with L2TP reachable from untrusted networks.
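Before deciding how urgently the L2TP patches need to go out, it is worth confirming which hosts actually expose the RAS surface. The PowerShell below is an added example written for this page, not code from The Stack or from Microsoft: it checks whether the RemoteAccess service is present and running, whether the standard L2TP/IPsec UDP ports (1701 L2TP, 500 IKE, 4500 NAT-T) are bound and by which process, whether any L2TP firewall rules are enabled, and which updates were installed most recently so they can be compared against the January 2023 release. It assumes a Windows host with the NetTCPIP and NetSecurity modules (Windows 8/Server 2012 or later); the port list and the `*L2TP*` rule-name pattern are assumptions, not values taken from the advisories.

```powershell
# Added example (not from the article): is this host exposing the RAS/L2TP
# attack surface covered by the five L2TP RCE CVEs?
# Assumptions: NetTCPIP and NetSecurity modules present (Windows 8 / Server 2012+);
# ports 500, 1701, 4500 are the standard L2TP/IPsec ports, not taken from the advisories.

function Get-L2tpExposure {
    $report = [ordered]@{}

    # 1. RemoteAccess (RAS) service: absent, stopped, or running?
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    if (-not $svc) {
        $report.RasService = 'not installed'
    } else {
        $report.RasService = '{0} (start type: {1})' -f $svc.Status, $svc.StartType
    }

    # 2. L2TP/IPsec UDP listeners and the process that owns them.
    $l2tpPorts = 500, 1701, 4500
    $listeners = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $l2tpPorts -contains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Process      = if ($proc) { $proc.ProcessName } else { 'unknown' }
            }
        }
    $report.L2tpListeners = @($listeners)

    # 3. Enabled inbound firewall rules that mention L2TP (name pattern is an assumption).
    $rules = Get-NetFirewallRule -DisplayName '*L2TP*' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        Select-Object -ExpandProperty DisplayName
    $report.EnabledL2tpRules = @($rules)

    # 4. Most recent updates, to compare against the January 2023 Patch Tuesday release.
    $report.RecentHotFixes = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 5 HotFixID, Description, InstalledOn

    [pscustomobject]$report
}

# Usage: run elevated on each candidate RAS server.
$exposure = Get-L2tpExposure
$exposure | Format-List

# A host is "exposed" for triage purposes when RAS is running AND an L2TP port is bound.
$exposed = ($exposure.RasService -like 'Running*') -and ($exposure.L2tpListeners.Count -gt 0)
Write-Output ("L2TP RAS surface exposed: {0}" -f $exposed)
```

The service check alone is not enough: RasMan and RemoteAccess exist on client SKUs too, usually disabled, so the port binding is the better indicator that L2TP is actually reachable. Treat a host that reports both a running RemoteAccess service and a bound UDP 1701 as first in line for the patch, regardless of Microsoft's "exploitation less likely" assessment.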
Adobe also has a notable collection of critical RCE bug patches out today. None are listed as under attack. They include updates for Reader, InDesign and InCopy, all of which have critical fixes for bugs that would give RCE if a victim opened a malicious file. Intel has also released an important series of fixes for elevation-of-privilege (EoP) bugs in its oneAPI Toolkit.
As Lewis Pope, "Head Nerd" at software firm N-able also noted: “The first Patch Tuesday of 2023 marks the end of an era, multiple eras actually. Windows 7 Professional and Enterprise will receive their final security updates as part of the Extended Security Update program, Windows 8.1 reaches end of support, and Microsoft 365 applications will no longer be receiving security updates for Windows 7 or Windows 8 versions.
"This now firmly cements the idea of using Windows 7 or 8.1 in production environments as an unacceptable risk in any environment following basic cybersecurity best practices. According to Microsoft, the proper action is to upgrade systems with compatible hardware to Windows 10 or decommission those systems in favour of modern, supported operating systems. While there are always caveats and special use cases, budgets for 2023 should include appropriate funding to migrate all operations from any unsupported operating system. Also, that funding should be included going forward and considered as part of the cost of doing business.”