



Microsoft kicked off the new year by fixing a Windows zero-day, but closed the door on further fixes for the systems on Extended Support Updates.

Microsoft addressed 101 vulnerabilities in January’s Patch Tuesday: 98 new bugs and three revisions of previous security updates. Of those, 11 are rated Critical and 90 are rated Important.

Windows zero-day tops priority list

Microsoft has resolved a Windows zero-day (CVE-2023-21674), rated Important, in the Windows Advanced Local Procedure Call (ALPC) component. This privilege escalation bug affects supported Windows operating systems newer than Windows 7. Microsoft’s note on the CVE states that the vulnerability could allow an attacker to escape a web browser’s sandbox.

Chris Goettl, Ivanti’s vice president of security product management, said administrators shouldn’t wait to apply patches because affected systems are under active attack.


“An attacker can exploit this to gain system-level privileges,” he said. “This is the depth you can get without reaching the kernel level.”

Microsoft resolves publicly disclosed Windows bug

The publicly disclosed vulnerability is the Windows Server Message Block (SMB) Witness Service Elevation of Privilege Vulnerability (CVE-2023-21549), rated Important for most Windows desktop and server systems. The bug carries a high score of 8.8 out of 10 on the Common Vulnerability Scoring System (CVSS), but according to Microsoft’s note, the potential for exploitation is low.

The technical barrier to exploiting this vulnerability is low and no user interaction is required: an attacker could run a specially crafted malicious script over the network to compromise a remote procedure call (RPC) host and elevate privileges.

“The attackers jumped on this when it became apparent,” said Goettl. “The nature of this being related to RPC definitely gives an attacker a bit of an advantage if they want to move laterally through the environment.”

5 Exchange Server vulnerabilities fixed

Microsoft resolved five vulnerabilities in Exchange Server on January’s Patch Tuesday. Each CVE is rated Important, with CVSS scores ranging from 7.5 to 8. The bugs in the on-premises email platform are:

CVE-2023-21763, a privilege escalation vulnerability
CVE-2023-21764, a privilege escalation vulnerability
CVE-2023-21761, an information disclosure vulnerability
CVE-2023-21745, a spoofing vulnerability
CVE-2023-21762, a spoofing vulnerability

The importance of quickly patching Exchange Server deployments was re-emphasized after cloud computing company Rackspace revealed it was the victim of a ransomware attack stemming from a vulnerability in Exchange. The company had applied the ProxyNotShell mitigation but did not apply the November security update for Exchange because of performance issues with its hosted Exchange service.

“In this case, the mitigation did not fail. The attackers discovered a whole new way to exploit the vulnerability,” Goettl said. “Had it been patched, the threat actor would not have been able to carry out that attack.”

Microsoft addresses critical SharePoint Server vulnerabilities

The SharePoint Server Security Feature Bypass Vulnerability (CVE-2023-21743), rated Important despite its low CVSS score, has been designated as “Highly Exploitable” and should be addressed immediately.

An attacker does not need privileges to exploit this vulnerability in a network-based attack, which opens the way for anonymous connections to SharePoint Server.

“If they find a way to compromise on this, this can get particularly nasty,” Goettl said.

According to Microsoft, in addition to deploying the patches, administrators must perform the SharePoint upgrade action on each server to secure the SharePoint farm. An administrator can trigger this last step by running a PowerShell command, the PSConfig utility, or the SharePoint Products Configuration Wizard.
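The following script is an added example, not code from the article or from Microsoft: it checks whether the farm or any content database still reports a pending upgrade after the binaries have been installed, and if so runs the upgrade action from PowerShell. It assumes it is run in the SharePoint Management Shell on a farm server by a farm administrator; the farm and database names come from the live environment.

```powershell
# Added example: verify and run the post-patch SharePoint upgrade action.
# Assumes the SharePoint Management Shell (or the snap-in) on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farm = Get-SPFarm
$pending = @()

# NeedsUpgrade is set once a security update's binaries are installed but the
# upgrade action has not yet been run against this farm.
if ($farm.NeedsUpgrade) { $pending += "Farm '$($farm.Name)'" }

# Content databases carry their own upgrade flag; collect any still pending.
Get-SPContentDatabase | Where-Object { $_.NeedsUpgrade } | ForEach-Object {
    $pending += "Content database '$($_.Name)'"
}

if ($pending.Count -eq 0) {
    Write-Output "No pending upgrade actions: the update is fully applied on this farm."
    return
}

Write-Output "Pending upgrade actions:"
$pending | ForEach-Object { Write-Output "  $_" }

# Run the upgrade action for this server. Upgrade-SPFarm is the cmdlet
# equivalent of the PSConfig utility's upgrade command; -ServerOnly limits the
# run to the local server, so repeat it on every server in the farm.
Upgrade-SPFarm -ServerOnly -Confirm:$false

# Re-check so the operator sees the result rather than assuming success.
$farm = Get-SPFarm
if ($farm.NeedsUpgrade) {
    Write-Warning "Farm still reports NeedsUpgrade; review the upgrade log before continuing."
} else {
    Write-Output "Upgrade action completed on this server."
}
```

The equivalent command-line form is the PSConfig utility's upgrade command, which the article names as the alternative to the cmdlet.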

Microsoft has issued two SharePoint Server patches rated Important to resolve remote code execution vulnerabilities (CVE-2023-21742 and CVE-2023-21744).

Microsoft updates advisory related to driver signing

On January’s Patch Tuesday, Microsoft updated security advisory ADV220005, originally published in December, which concerns the malicious use of Microsoft-signed drivers. The issue stems from attackers using a compromised certificate to sign a malicious driver so that it appears legitimate.

The company has updated the block list that customers automatically receive after rolling out this month’s security updates; this replaces the previous mitigation.

End of support for multiple Windows operating systems

Windows 7, Windows Server 2008, and Windows Server 2008 R2 received their final security updates this month under the Extended Support Update (ESU) program. Customers with Server 2008 systems should migrate to a supported Windows Server OS or move their workloads to the Azure cloud platform for an additional year of extended support.

January’s Patch Tuesday also marks the end of service for Windows 8.1. Microsoft does not offer an ESU program for that system.

Administrators should be aware that the end-of-support date for Windows Server 2012 and 2012 R2 arrives on October 10. After that point, organizations can either upgrade to a supported server OS or pay for the ESU program and continue receiving patches until the next deadline, which is October 2026 if enrolled for all three years.
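As an added example (not from the article), the script below inventories domain-joined computers that still run the Windows versions whose support ends this month or in October, tagging each with the status the article gives for it. It assumes the ActiveDirectory RSAT module is installed and the account can read computer objects.

```powershell
# Added example: find domain computers on the Windows versions named above.
# Assumes the ActiveDirectory module (RSAT) and read access to computer objects.
Import-Module ActiveDirectory

# End-of-support status as stated in the article; patterns match the
# OperatingSystem attribute (so "Windows Server 2008*" also catches 2008 R2).
$eol = @(
    @{ Pattern = "Windows 7*";           Status = "final ESU update January 2023" },
    @{ Pattern = "Windows Server 2008*"; Status = "final ESU update January 2023; one more year only on Azure" },
    @{ Pattern = "Windows 8.1*";         Status = "end of service January 2023, no ESU" },
    @{ Pattern = "Windows Server 2012*"; Status = "end of support 10 October 2023; ESU until October 2026" }
)

$computers = Get-ADComputer -Filter { Enabled -eq $true } -Properties OperatingSystem, LastLogonDate

$report = foreach ($c in $computers) {
    foreach ($e in $eol) {
        if ($c.OperatingSystem -like $e.Pattern) {
            [pscustomobject]@{
                Name            = $c.Name
                OperatingSystem = $c.OperatingSystem
                LastLogonDate   = $c.LastLogonDate   # stale objects can be decommissioned rather than upgraded
                Status          = $e.Status
            }
            break   # one match per computer
        }
    }
}

if (-not $report) {
    Write-Output "No enabled computers found on an end-of-support Windows version."
} else {
    $report | Sort-Object OperatingSystem, Name | Format-Table -AutoSize
}
```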

