Today is Microsoft's January 2023 Patch Tuesday, and with it come fixes for an actively exploited zero-day vulnerability and a total of 98 flaws.
This is the first Patch Tuesday of 2023, and it fixes a whopping 98 vulnerabilities, with eleven of them classified as 'Critical.'
Microsoft gave the vulnerabilities this severity rating as they allow remote code execution, security feature bypass, or elevation of privileges.
The number of bugs in each vulnerability category is listed below:
- 39 Elevation of Privilege Vulnerabilities
- 4 Security Feature Bypass Vulnerabilities
- 33 Remote Code Execution Vulnerabilities
- 10 Information Disclosure Vulnerabilities
- 10 Denial of Service Vulnerabilities
- 2 Spoofing Vulnerabilities
One zero-day fixed
This month's Patch Tuesday fixes one zero-day vulnerability, one actively exploited and the other publicly disclosed.
Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.
The actively exploited zero-day vulnerability fixed in today's updates is:
CVE-2023-21674 - Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability discovered by Jan Vojtěšek, Milánek, and Przemek Gmerek of Avast.
Microsoft states that this is a Sandbox escape vulnerability that can lead to the elevation of privileges.
"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," explains Microsoft's advisory.
It is unclear how threat actors used this vulnerability in attacks, and BleepingComputer reached out to Avast for comment.
Microsoft also stated that 'CVE-2023-21549 - Windows SMB Witness Service Elevation of Privilege Vulnerability' was publicly disclosed.
However, BleepingComputer was told by Akamai security researcher Stiv Kupchik that they followed the regular disclosure process and the vulnerability should not be classified as publicly disclosed.
Recent updates from other companies
Other vendors who released updates in January 2023 include:
- Adobe released security updates for numerous products.
- Cisco released security updates for Cisco IP Phone 7800 and 8800 phones.
- Citrix released security updates for Cisco Identity Services.
- Fortinet released security updates for various products.
- Intel released a security update for oneAPI Toolkits.
- SAP has released its January 2023 Patch Day updates.
- Synology released a security update for its Synology VPN Plus Server.
The January 2023 Patch Tuesday Security Updates
Below is the complete list of resolved vulnerabilities and released advisories in the January 2023 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report at https://www.bleepingcomputer.com/microsoft-patch-tuesday-reports/January-2023.html.